Trojan.Win32.Swrort.3_b4f6b6a713

by malwarelabrobot on June 24th, 2014 in Malware Descriptions.

Adware.DealDropper.A (AdAware), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: b4f6b6a713d3f1e3d80edf566e6137af
SHA1: 37c05f2b176aac0e20a53dc2e36e482e45aef0af
SHA256: 9ed4a64a3c4d367a4a32cc689afa3e7567932e85c94205a4f0def79f1e5317ad
SSDeep: 24576:ktaa80KkBQBfFUgk6msA10/8IkeSnLpC3YKIudmdn0cOY7fFJYcyqzF:kJNKkBQBfFgNOBkeSnLpCoKIomdnQEfR
Size: 1211056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Smart Apps
Created at: 2012-02-19 17:01:49
Analyzed on: Windows7Ada SP1 64-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

TPAutoConnSvc.exe:1652
updater.exe:868
updater.exe:2872
updater.exe:2796
updater.exe:2804
cscript.exe:784
cscript.exe:2928
cscript.exe:988
cscript.exe:2600
cscript.exe:2472
cscript.exe:1124
cscript.exe:2840
cscript.exe:2796
Updater.exe:3032
gpedit.exe:252
regsvr32.exe:2916
regsvr32.exe:2764
%original file name%.exe:1128
FrameworkEngine.exe:2152
bservice.exe:560

The Trojan injects its code into the following process(es):

python.exe:2520

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process updater.exe:868 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\bench-S-1-5-21-2858020935-2156992550-3658131804-1003.job (340 bytes)

The process updater.exe:2872 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Bench\Updater\products.xml (441 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz7005.tmp (0 bytes)

The process updater.exe:2796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\bench-S-1-5-21-2858020935-2156992550-3658131804-1003.job (338 bytes)

The process updater.exe:2804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\BenchUpdater\products.xml (497 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\info.xml (0 bytes)

The process cscript.exe:2928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\repair_data.json (4 bytes)
%Program Files% (x86)\Deal-Dropper\FrameworkEngine.exe (299 bytes)
%Program Files% (x86)\Deal-Dropper\extension_info.json (2 bytes)

The process cscript.exe:2600 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Bench\NmHost\manifest.json (221 bytes)
%Program Files% (x86)\Bench\NmHost\data\installer\epjpfmkiegfpfhiaohimeiamofnpdkgj (961 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\repair_data.json (1 bytes)
C:\Windows\System32\drivers\etc\hosts (911 bytes)

The process cscript.exe:2472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\storageedit.exe (77 bytes)

The process cscript.exe:2840 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_bg.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\invoke_async.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\storage.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\uninstall.js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\bootstrap.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_webrequest.js (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotification.tmpl (836 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\notifications.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\button.png (602 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon100.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\content_proxy.js (502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\content_notifications.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\io.js (976 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\timer.js (977 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\message_target.js (854 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\repair_data.json (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_browseraction.js (799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\registry.js (796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\lang.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotificationStyle.tmpl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\utils.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_engine.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_settings.js (83 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\options.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\legacy.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\browser.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_common.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\webrequest.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvas_bg.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvasscript_engine.js (437 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\jquery.min.js (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\ui_base.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\console.js (540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\framework.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\i18n.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_client.js (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\base.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon128.png (3 bytes)

The process Updater.exe:3032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Tasks\bench-sys.job (340 bytes)

The process gpedit.exe:252 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\SysWOW64\GroupPolicy\gpt.ini (29 bytes)
C:\Windows\System32\GroupPolicy\gpt.ini (220 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1208 bytes)

The process %original file name%.exe:1128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Deal-Dropper\framework\backgroundscript_engine.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\userscript_client.js (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\contentNotificationStyle.tmpl (3 bytes)
%Program Files% (x86)\Bench\BService\bhelper.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\uninstall.exe (3471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\extension_info.json (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\tail-left.png (307 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\storageedit.exe (2392 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\top-left.png (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\framework_api.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_webrequest.js (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\ui_base.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\lang.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\userscript_engine.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\notifications.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\browser_button.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_common.js (9 bytes)
%Program Files% (x86)\Deal-Dropper\framework\initialize.js (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_bg.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\framework\invoke_async.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\migrate.js (4 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\bottom-left.png (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\userscript_client.js (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\timer.js (977 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\content_proxy.js (502 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\middle-left.png (235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\bootstrap.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\contentNotification.tmpl (836 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_content.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\canvasscript_engine.js (437 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\browser.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\sqlite3.exe (33888 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\SoftwareDetector.exe (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\legacy.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\icon.ico (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsProcess.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\registry.js (796 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\framework_api.js (1 bytes)
%Program Files% (x86)\Bench\NmHost\nmhost.exe (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\ie_installer.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6652.tmp (74961 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\main_installer.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\config.xml (2 bytes)
%Program Files% (x86)\Deal-Dropper\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\storage.js (6 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\canvas_bg.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\icon100.png (2 bytes)
%Program Files% (x86)\Deal-Dropper\FrameworkEngine.exe (11048 bytes)
%Program Files% (x86)\Deal-Dropper\icons\icon48.png (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\bottom-right.png (311 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\io.js (976 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\base.js (2 bytes)
%Program Files% (x86)\Bench\BService\bservice.exe (1909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\message_target.js (854 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\utils.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\System.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\options.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\jquery.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\button.png (602 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_content.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\FrameworkBHO.dll (13584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\invoke_async.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\framework.js (4 bytes)
%Program Files% (x86)\Deal-Dropper\framework\timer.js (409 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\notifications.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\icons\button.png (602 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\context_menu.js (738 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\tail-right.png (304 bytes)
%Program Files% (x86)\Bench\Wd\wd.exe (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\webrequest.js (5 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\md5.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\icons\icon128.png (3 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_common.js (9 bytes)
%Program Files% (x86)\Deal-Dropper\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\md5.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\FrameworkBHO64.dll (16944 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\ui_base.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\xhr.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\gpedit.exe (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsExec.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\common.js (12 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\notification.html (6 bytes)
%Program Files% (x86)\Deal-Dropper\icons\icon100.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\installer.js (774 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\canvas_bg.js (5 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\top-middle.png (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files% (x86)\Bench\Updater\1.7.0.0\updater.exe (14605 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\repair.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\content_notifications.js (9 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\canvasscript_engine.js (437 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\ping.js (382 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\icon32.png (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\message_target.js (854 bytes)
%Program Files% (x86)\Deal-Dropper\framework\json2.js (2 bytes)
%Program Files% (x86)\Bench\NmHost\manifest.json (117 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\context_menu_item_handler.html (225 bytes)
%Program Files% (x86)\Deal-Dropper\framework\i18n.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\info.xml (351 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\background.html (157 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_settings.js (83 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\webrequest.js (4 bytes)
%Program Files% (x86)\Deal-Dropper\framework\base.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\projectInstaller.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\jquery.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox_installer.js (6 bytes)
%Program Files% (x86)\Deal-Dropper\framework\updater.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\framework\storage.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\framework\console.js (489 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\uninstall.js (73 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\middle-right.png (234 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\chrome_gp_update.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\extension_info.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_settings.js (83 bytes)
%Program Files% (x86)\Deal-Dropper\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz7005.tmp (615 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files% (x86)\Deal-Dropper\framework\messaging.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsProcess2.dll (1588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\chrome_installer.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\lang.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\icon128.png (3 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Program Files% (x86)\Bench\Updater\updater.exe (2461 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_bg.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\framework\utils.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\chrome.manifest (57 bytes)
%Program Files% (x86)\Deal-Dropper\framework\framework.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\framework\legacy.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\global.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\tail-top.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_webrequest.js (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\userscript_engine.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\i18n.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\console.js (540 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\options.js (660 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\registry.js (908 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz7004.tmp (278 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\md5dll.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz6641.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\ping.js (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\pz_info (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsProcess.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsProcess2.dll (0 bytes)

The process python.exe:2520 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\Desktop\SystemSurvey.db (21273 bytes)
C:\Users\"%CurrentUserName%"\Desktop\SystemSurvey.db-journal (125716 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\Desktop\SystemSurvey.db-journal (0 bytes)

The process bservice.exe:560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files% (x86)\Bench\BService\bhelper.dll (53 bytes)

Registry activity

The process TPAutoConnSvc.exe:1652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:2]
"FormData" = "1,2159,2794,LetterÃ‚Â¶40,40,2086,2712, 5,2159,3556,LegalÃ‚Â¶40,40,2086,3474, 9,2100,2970,A4Ã‚Â¶39,39,2032,2890, 7,1842,2667,ExecutiveÃ‚Â¶40,40,1761,2585, 258,2159,3302,8.5 x 13 (custom)Ã‚Â¶40,40,2086,3220, 11,1480,2100,A5Ã‚Â¶39,39,1408,2020, 70,1050,1480,A6Ã‚Â¶39,39,975,1399, 13,1820,2570,B5 (JIS)Ã‚Â¶39,39,1747,2490, 264,1950,2700,16K 195x270Ã‚Â¶39,39,1882,2620, 263,1840,2600,16K 184x260Ã‚Â¶39,39,1761,2520, 257,1970,2730,16K 197x273Ã‚Â¶39,39,1896,2650, 43,1000,1480,Japanese PostcardÃ‚Â¶39,39,921,1399, 82,1480,2000,Double Japan Postcard RotatedÃ‚Â¶39,39,1408,1919, 20,1046,2413,Envelope #10Ã‚Â¶40,40,975,2331, 37,983,1905,Envelope MonarchÃ‚Â¶40,40,907,1823, 34,1760,2500,Envelope B5Ã‚Â¶39,39,1693,2420, 28,1620,2290,Envelope C5Ã‚Â¶39,39,1544,2209, 27,1100,2200,Envelope DLÃ‚Â¶39,39,1029,2120"
"TrayData" = "2,Tray 3, 3,Tray 2, 1,Tray 1, 4,Manual Feed, 7,Auto Select"

[HKU\.DEFAULT\Printers\DevModes2]
"HP LaserJet Professional M1212nf MFP#:2" = "48 00 50 00 20 00 4C 00 61 00 73 00 65 00 72 00"

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:2]
"DelAfterCreate" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\ThinPrint\TPPrnUI\HP LaserJet Professional M1212nf MFP#:2]

The process cscript.exe:784 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
"WpadDetectedUrl" = ""
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "F6 BE A0 13 AE 80 CF 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process cscript.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{41708E47-E97E-4051-A609-B88B398BCC94}]
"Flags" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{41708E47-E97E-4051-A609-B88B398BCC94}" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{7F3A1B6B-BF72-46F6-81BC-891F6744D124}"

The process cscript.exe:988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
"WpadDetectedUrl" = ""
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 39 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "F6 BE A0 13 AE 80 CF 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process cscript.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
"WpadDetectedUrl" = ""
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3A 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "F6 BE A0 13 AE 80 CF 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process cscript.exe:2472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Deal-Dropper]
"czoneid" = "12199"

The process cscript.exe:1124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"
"WpadDetectedUrl" = ""
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "F6 BE A0 13 AE 80 CF 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

The process cscript.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Bench\InstalledExtensions]
"38902" = ""

The process gpedit.exe:252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}User\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"LogonHoursAction" = "2"
"DontDisplayLogonHoursWarnings" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
"1" = "epjpfmkiegfpfhiaohimeiamofnpdkgj;http://epjpfmkiegfpfhiaohimeiamofnpdkgj/check/.eJwNyUEOgCAMAMG_9EyMXvmMIVKkQCmBakyMf5fjzr6gbmSwcMQujGDgxj5I6qRtWWdTHepKwQ5W-4UG8NGd_PzYUgucCc_QQiQnkRjJsYTafD4TfD_fXyE-.m60tajgmPM8_2vDqWW4qUCE_47Q"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}User\Software\Microsoft\Windows\CurrentVersion]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}User\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}User\Software\Microsoft]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}User\Software\Microsoft\Windows]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}User\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1AD701B6-58BE-453D-BF4A-5FC42D608DE5}User\Software\Microsoft\Windows\CurrentVersion\Policies\System]

The process regsvr32.exe:2916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Deal-Dropper\FrameworkBHO64.dll"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7F3A1B6B-BF72-46F6-81BC-891F6744D124}" = "Deal-Dropper"

[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\0\win64]
"(Default)" = "%Program Files% (x86)\Deal-Dropper\FrameworkBHO64.dll"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}]
"(Default)" = "Deal-Dropper"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Deal-Dropper\FrameworkBHO64.dll"

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}]
"(Default)" = "Deal-Dropper BHO"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41708E47-E97E-4051-A609-B88B398BCC94}]
"NoExplorer" = "1"

"(Default)" = "Deal-Dropper BHO"

The process regsvr32.exe:2764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\Version]
"(Default)" = "1.0"

[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}]
"(Default)" = "IKangoToolbar"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{41708E47-E97E-4051-A609-B88B398BCC94}]
"NoExplorer" = "1"

[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0]
"(Default)" = "Framework 1.0 Type Library"

[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Wow6432Node\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}]
"(Default)" = "Deal-Dropper BHO"

[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Deal-Dropper\FrameworkBHO.dll"

[HKCR\Wow6432Node\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar]
"{7F3A1B6B-BF72-46F6-81BC-891F6744D124}" = "Deal-Dropper"

[HKCR\Wow6432Node\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}]
"(Default)" = "Deal-Dropper"

[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\TypeLib]
"Version" = "1.0"
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\Wow6432Node\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Deal-Dropper\FrameworkBHO.dll"

[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}]
"(Default)" = "IKangoBHO"

[HKCR\Wow6432Node\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}]
"(Default)" = "IKangoToolbar"

[HKCR\Wow6432Node\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{41708E47-E97E-4051-A609-B88B398BCC94}]
"(Default)" = "Deal-Dropper BHO"

[HKCR\Wow6432Node\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\Version]
"(Default)" = "1.0"

[HKCR\Wow6432Node\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\Wow6432Node\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\TypeLib]
"Version" = "1.0"
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\Wow6432Node\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\Wow6432Node\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}]
"(Default)" = "IKangoBHO"

[HKCR\Wow6432Node\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"

[HKCR\Wow6432Node\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\InprocServer32]
"(Default)" = "%Program Files% (x86)\Deal-Dropper\FrameworkBHO.dll"

[HKCR\Wow6432Node\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Deal-Dropper"

The process %original file name%.exe:1128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\b748c639\ez_setup.py, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\b748c639\python-2.7.7.msi, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\b748c639\pywin32-219.win32-py2.7.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\b748c639\Sigcheck\Eula.txt, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\b748c639\Sigcheck\sigcheck.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\b748c639\Sigcheck, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\b748c639\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\a74af67f\ez_setup.py, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\a74af67f\python-2.7.7.msi, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\a74af67f\pywin32-219.win32-py2.7.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\a74af67f\Sigcheck\Eula.txt, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\a74af67f\Sigcheck\sigcheck.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\a74af67f\Sigcheck, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\VMwareDnD\a74af67f\, , \??\C:\Users\"%CurrentUserName%"\AppData\Lf"

[HKLM\SOFTWARE\Wow6432Node\AdvertisingSupport]
"Seen" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"DisplayName" = "Deal-Dropper"

[HKLM\SOFTWARE\Wow6432Node\Deal-Dropper]
"CDN" = "contentcache-a.akamaihd.net"

"ZoneId" = "446810"

[HKLM\SOFTWARE\Wow6432Node\Bench\Updater]
"Path" = "%Program Files% (x86)\Bench\Updater\updater.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"Publisher" = "Smart Apps"
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper/icon.ico"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "10000"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"NoModify" = "1"

[HKLM\SOFTWARE\Wow6432Node\Deal-Dropper]
"SystemId" = "1f6b249d2ab7fecc492054f53e5b72e2"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "10000"

[HKLM\SOFTWARE\Wow6432Node]
"38902" = "Deal-Dropper"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"NoRepair" = "1"

[HKLM\SOFTWARE\Wow6432Node\AdvertisingSupport]
"SeenDate" = "1403530118"

[HKLM\SOFTWARE\Wow6432Node\Bench\NmHost\38902]
"(Default)" = ""

[HKLM\SOFTWARE\Wow6432Node\Bench\Updater\38902]
"(Default)" = ""

[HKLM\SOFTWARE\Wow6432Node\Google\Chrome\NativeMessagingHosts\com.bench.nmhost]
"(Default)" = "%Program Files% (x86)\Bench\NmHost\manifest.json"

[HKLM\SOFTWARE\Wow6432Node\Deal-Dropper]
"Seen" = "1"

[HKLM\SOFTWARE\Wow6432Node\Bench\BService\38902]
"(Default)" = ""

[HKLM\SOFTWARE\Wow6432Node\Deal-Dropper]
"SeenDate" = "1403530118"

[HKLM\SOFTWARE\Wow6432Node\Bench\NmHost]
"(Default)" = "%Program Files% (x86)\Bench\NmHost\nmhost.exe"

[HKLM\SOFTWARE\Wow6432Node\Deal-Dropper]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper"
"UTCInstallTime" = "1403530118"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper"
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\uninstall.exe"

[HKLM\SOFTWARE\Wow6432Node\Deal-Dropper]
"PID" = "1779"
"InstallTime" = "1403540918"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files% (x86)\Bench\Wd\wd.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper-repairJob" = "wscript.exe C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\repair.js Deal-Dropper-repairJob"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files% (x86)\Bench\BService\bservice.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper" = ""

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Deal-Dropper]
"Seen"

[HKLM\SOFTWARE\Wow6432Node\AdvertisingSupport]
"Seen"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Deal-Dropper-repairJob"

The process FrameworkEngine.exe:2152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Wow6432Node\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\TypeLib]
"(Default)" = "{15DF158E-43BC-45E4-BDBA-42C8D61067E1}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"AppPath" = "%Program Files% (x86)\Deal-Dropper\"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"Policy" = "3"

[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0]
"(Default)" = "EngineLib"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"AppName" = "FrameworkEngine.exe"

[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}]
"(Default)" = "IKangoEngine"

[HKCR\Wow6432Node\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\TypeLib]
"(Default)" = "{15DF158E-43BC-45E4-BDBA-42C8D61067E1}"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"AppName" = "FrameworkEngine.exe"

[HKCR\Wow6432Node\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\Deal-Dropper"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"Policy" = "3"

[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}]
"(Default)" = "Deal-Dropper"

[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\TypeLib]
"Version" = "1.0"

[HKCR\Wow6432Node\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Wow6432Node\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\LocalServer32]
"(Default)" = "%Program Files% (x86)\Deal-Dropper\FrameworkEngine.exe"

[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Wow6432Node\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}]
"(Default)" = "IKangoEngine"

[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\Deal-Dropper\FrameworkEngine.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"AppPath" = "%Program Files% (x86)\Deal-Dropper\"

[HKCR\Wow6432Node\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\Version]
"(Default)" = "1.0"

[HKCR\Wow6432Node\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\LocalServer32]
"ServerExecutable" = "%Program Files% (x86)\Deal-Dropper\FrameworkEngine.exe"

[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\TypeLib]
"(Default)" = "{15DF158E-43BC-45E4-BDBA-42C8D61067E1}"

Dropped PE files

MD5	File path
72b1a3d56f812839ae5ba3420a5ed812	c:\Program Files (x86)\Bench\BService\bhelper.dll
07ee628bdcdb9a09988febdd15e2196c	c:\Program Files (x86)\Bench\BService\bservice.exe
89bb8b1dc6e5849bfc2c8f7396da4f5b	c:\Program Files (x86)\Bench\NmHost\nmhost.exe
34203663acf7b6a074b4ee892fea1398	c:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
83f9fd1fd4b72219901cd9004ad06804	c:\Program Files (x86)\Bench\Updater\updater.exe
a366d38c2d5c1879a9d5b3fe6794b33e	c:\Program Files (x86)\Bench\Wd\wd.exe
953f35a6fb42ed3c9780ec34c009f159	c:\Program Files (x86)\Deal-Dropper\FrameworkBHO.dll
b297099289b4b59e9868d22324e4e927	c:\Program Files (x86)\Deal-Dropper\FrameworkBHO64.dll
c6382e297af7f249be51152f539e441d	c:\Program Files (x86)\Deal-Dropper\FrameworkEngine.exe
da94d940c994714a8be8361d3469b3a2	c:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\SoftwareDetector.exe
150e5904c772ce4ad3c2d81b18aed6cb	c:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\gpedit.exe
82771129b12517cf5c6e2244d14e8360	c:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\sqlite3.exe
e1b66274f8a51758e25bb285864a444f	c:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\storageedit.exe
fc522beb39d25b66ebf5c40c301f83c1	c:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\uninstall.exe
05450face243b3a7472407b999b03a72	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsProcess.dll

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 911 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1	validation.sls.microsoft.com

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Smart Apps
Product Name: Deal-Dropper
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	34884	35328	4.14077	49b0a05e59cfe2eb146863465a7f35bb
.data	40960	140	512	0.818128	df0ef3a0da7e22c790a62c5869d70520
.rdata	45056	9108	9216	4.08895	91271e59f4470886a512444b74613d7b
.bss	57344	109520	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	167936	4868	5120	3.63012	5f39890d9696ebf98517ebe318287e41
.ndata	176128	73728	1024	0	0f343b0931126a20f133d67c2b018a3b
.rsrc	249856	35200	35328	3.19635	2394746b531639903751050a9dbd5de8

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 12
e69abe473b2d53fa926523b8ac8c13d4
33282d0c8cb0838feb14c67888a4f17d
fd88cb82e479647e757633ff7e573c84
6261b15ad9807e87d3888d946d533ff0
b447ea8d07bd37f7adf1b18a49a28dcf
b0bd1cc9cb26b028c593d9a98d0979f8
4f14310ea6fd79372b6efdc599270ecb
5049c1ff8862c19e0eda2f1016082740
84610b9d362cec452e827f53017082ce
d57f220ab3644c660b28813f37d05c79
0c97ec9189030a038e6a5a56c5cb078f
27a3f0e00ca535a39d08501922ce65f1

URLs

URL	IP
hxxp://d2rx3wo6u6259k.cloudfront.net/installer-run/1f6b249d2ab7fecc492054f53e5b72e2/92b7ce1f5053a7d3c37b0e0c4174045b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779
hxxp://d2rx3wo6u6259k.cloudfront.net/tbi-ping/1f6b249d2ab7fecc492054f53e5b72e2/92b7ce1f5053a7d3c37b0e0c4174045b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779
hxxp://www.installping5.info/installer-run/1f6b249d2ab7fecc492054f53e5b72e2/92b7ce1f5053a7d3c37b0e0c4174045b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779	54.239.168.99
hxxp://www.installping5.info/tbi-ping/1f6b249d2ab7fecc492054f53e5b72e2/92b7ce1f5053a7d3c37b0e0c4174045b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779	54.239.168.99

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /tbi-ping/1f6b249d2ab7fecc492054f53e5b72e2/92b7ce1f5053a7d3c37b0e0c4174045b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.installping5.info

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Content-Length: 0

Connection: keep-alive

Server: nginx/1.6.0

Date: Mon, 23 Jun 2014 13:28:45 GMT

X-Powered-By: PHP/5.3.3

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Mon, 23 Jun 2014 13:28:45 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

X-Cache: Miss from cloudfront

Via: 1.1 de7a549023f0ea5ae15f58d27aeb67c7.cloudfront.net (Cl

GET /installer-run/1f6b249d2ab7fecc492054f53e5b72e2/92b7ce1f5053a7d3c37b0e0c4174045b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)

Host: VVV.installping5.info

Connection: Keep-Alive


HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Content-Length: 0

Connection: keep-alive

Server: nginx/1.6.0

Date: Mon, 23 Jun 2014 13:28:39 GMT

X-Powered-By: PHP/5.3.3

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Mon, 23 Jun 2014 13:28:39 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Pragma: no-cache

X-Cache: Miss from cloudfront

Via: 1.1 a1f7dccda76e63b2a1a4c1c034019a4b.cloudfront.net (CloudFront)

X-Amz-Cf-Id: fERECTZrz2uySvxy3tilnFy269PQJS5SCv64HZ8b24noGw-K_H-Vvw==

The Trojan connects to the servers at the folowing location(s):

bservice.exe_560:

.text

`.rdata

@.data

.rsrc

@.reloc

operator

GetProcessWindowStation

D:\WORK\mercurial\50onred\misc\ChromeHook\Release\bservice.pdb

KERNEL32.dll

SetWindowsHookExW

UnhookWindowsHookEx

USER32.dll

SHLWAPI.dll

GetProcessHeap

GetCPInfo

0 0$0(0,0004080<0

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

KERNEL32.DLL

WUSER32.DLL

bhelper.dll

kGlobal\{4B5DC379-ED06-4552-A736-414A1570C24F}_bhelper_mutex0

%Program Files% (x86)\Bench\BService\bservice.exe

wd.exe_2140:

.text

`.rdata

@.data

.rsrc

@.reloc

operator

GetProcessWindowStation

D:\WORK\mercurial\50onred\misc\Watchdog\Release\wd.pdb

KERNEL32.dll

USER32.dll

ShellExecuteW

SHELL32.dll

GetProcessHeap

GetCPInfo

1*2024282<2

> >$>(>,>0>

kernel32.dll

%d.%d.%d%s %s

%PROGRAMFILES%\Bench\BService\bservice.exe

bservice.exe

Global\{4B5DC379-ED06-4552-A736-414A1570C24F}_watchdog_mutex0

KERNEL32.DLL

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

%Program Files% (x86)\Bench\Wd\wd.exe

python.exe_2520:

.text

`.rdata

@.data

.rsrc

C:\build27\cpython\PCbuild\python.pdb

python27.dll

_amsg_exit

MSVCR90.dll

_crt_debugger_hook

KERNEL32.dll

;0.-,,,/;

2..--,;;,

11..-,;;

11/..-,,

2211/..-,,  ,;

22211..--,   /

222211..--,

<022211/..-,,

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

TPAutoConnSvc.exe:1652
updater.exe:868
updater.exe:2872
updater.exe:2796
updater.exe:2804
cscript.exe:784
cscript.exe:2928
cscript.exe:988
cscript.exe:2600
cscript.exe:2472
cscript.exe:1124
cscript.exe:2840
cscript.exe:2796
Updater.exe:3032
gpedit.exe:252
regsvr32.exe:2916
regsvr32.exe:2764
%original file name%.exe:1128
FrameworkEngine.exe:2152
bservice.exe:560
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Windows\Tasks\bench-S-1-5-21-2858020935-2156992550-3658131804-1003.job (340 bytes)
%Program Files% (x86)\Bench\Updater\products.xml (441 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\BenchUpdater\products.xml (497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\repair_data.json (4 bytes)
%Program Files% (x86)\Deal-Dropper\FrameworkEngine.exe (299 bytes)
%Program Files% (x86)\Deal-Dropper\extension_info.json (2 bytes)
%Program Files% (x86)\Bench\NmHost\manifest.json (221 bytes)
%Program Files% (x86)\Bench\NmHost\data\installer\epjpfmkiegfpfhiaohimeiamofnpdkgj (961 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (4 bytes)
C:\Windows\System32\drivers\etc\hosts (911 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\storageedit.exe (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_bg.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\invoke_async.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\storage.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\uninstall.js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\bootstrap.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_webrequest.js (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotification.tmpl (836 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\notifications.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\button.png (602 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon100.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\content_proxy.js (502 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\content_notifications.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\io.js (976 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\timer.js (977 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\message_target.js (854 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_browseraction.js (799 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\registry.js (796 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\lang.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotificationStyle.tmpl (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\utils.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_engine.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_settings.js (83 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\options.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\legacy.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\browser.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_common.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\webrequest.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvas_bg.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvasscript_engine.js (437 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\jquery.min.js (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\ui_base.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\console.js (540 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\framework.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\i18n.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_client.js (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\base.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\zwvbr04l.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon128.png (3 bytes)
C:\Windows\Tasks\bench-sys.job (340 bytes)
C:\Windows\SysWOW64\GroupPolicy\gpt.ini (29 bytes)
C:\Windows\System32\GroupPolicy\gpt.ini (220 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1208 bytes)
%Program Files% (x86)\Deal-Dropper\framework\backgroundscript_engine.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\userscript_client.js (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\contentNotificationStyle.tmpl (3 bytes)
%Program Files% (x86)\Bench\BService\bhelper.dll (1856 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\uninstall.exe (3471 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\top-left.png (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\framework_api.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_webrequest.js (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\ui_base.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\lang.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\userscript_engine.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\notifications.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\browser_button.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_common.js (9 bytes)
%Program Files% (x86)\Deal-Dropper\framework\initialize.js (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_bg.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\framework\invoke_async.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\migrate.js (4 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\bottom-left.png (316 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\userscript_client.js (310 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\timer.js (977 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\content_proxy.js (502 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\middle-left.png (235 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\bootstrap.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\contentNotification.tmpl (836 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_content.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\canvasscript_engine.js (437 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\browser.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\sqlite3.exe (33888 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\SoftwareDetector.exe (2392 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\legacy.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\icon.ico (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsProcess.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\registry.js (796 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\framework_api.js (1 bytes)
%Program Files% (x86)\Bench\NmHost\nmhost.exe (6360 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\ie_installer.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsp6652.tmp (74961 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\main_installer.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\config.xml (2 bytes)
%Program Files% (x86)\Deal-Dropper\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\storage.js (6 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\canvas_bg.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\icon100.png (2 bytes)
%Program Files% (x86)\Deal-Dropper\icons\icon48.png (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\bottom-right.png (311 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\io.js (976 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\base.js (2 bytes)
%Program Files% (x86)\Bench\BService\bservice.exe (1909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\message_target.js (854 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\utils.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\System.dll (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\options.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\jquery.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\button.png (602 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_content.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\FrameworkBHO.dll (13584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\invoke_async.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\framework.js (4 bytes)
%Program Files% (x86)\Deal-Dropper\framework\timer.js (409 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\notifications.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\icons\button.png (602 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\context_menu.js (738 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\tail-right.png (304 bytes)
%Program Files% (x86)\Bench\Wd\wd.exe (1921 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\webrequest.js (5 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\md5.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\icons\icon128.png (3 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_common.js (9 bytes)
%Program Files% (x86)\Deal-Dropper\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\md5.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\FrameworkBHO64.dll (16944 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\ui_base.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\xhr.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\gpedit.exe (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsExec.dll (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\common.js (12 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\notification.html (6 bytes)
%Program Files% (x86)\Deal-Dropper\icons\icon100.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\installer.js (774 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\canvas_bg.js (5 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\top-middle.png (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files% (x86)\Bench\Updater\1.7.0.0\updater.exe (14605 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\repair.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\content_notifications.js (9 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\CanvasFramework\canvasscript_engine.js (437 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\ping.js (382 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\icon32.png (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\message_target.js (854 bytes)
%Program Files% (x86)\Deal-Dropper\framework\json2.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\context_menu_item_handler.html (225 bytes)
%Program Files% (x86)\Deal-Dropper\framework\i18n.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\info.xml (351 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\background.html (157 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_settings.js (83 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\webrequest.js (4 bytes)
%Program Files% (x86)\Deal-Dropper\framework\base.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\projectInstaller.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\jquery.min.js (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox_installer.js (6 bytes)
%Program Files% (x86)\Deal-Dropper\framework\updater.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\framework\storage.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\framework\console.js (489 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\uninstall.js (73 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\middle-right.png (234 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\chrome_gp_update.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_settings.js (83 bytes)
%Program Files% (x86)\Deal-Dropper\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz7005.tmp (615 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files% (x86)\Deal-Dropper\framework\messaging.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nse6662.tmp\nsProcess2.dll (1588 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\chrome_installer.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\lang.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\icons\icon128.png (3 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Program Files% (x86)\Bench\Updater\updater.exe (2461 bytes)
%Program Files% (x86)\Deal-Dropper\AppFramework\appAPI_bg.js (2 bytes)
%Program Files% (x86)\Deal-Dropper\framework\utils.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\chrome.manifest (57 bytes)
%Program Files% (x86)\Deal-Dropper\framework\framework.js (3 bytes)
%Program Files% (x86)\Deal-Dropper\framework\legacy.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework\global.js (1 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\theme\bubble\tail-top.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\AppFramework\appAPI_webrequest.js (138 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\userscript_engine.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\i18n.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\firefox\framework\console.js (540 bytes)
%Program Files% (x86)\Deal-Dropper\framework-ui\options.js (660 bytes)
%Program Files% (x86)\Deal-Dropper\CanvasFramework\registry.js (908 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsz7004.tmp (278 bytes)
C:\Users\"%CurrentUserName%"\Desktop\SystemSurvey.db (21273 bytes)
C:\Users\"%CurrentUserName%"\Desktop\SystemSurvey.db-journal (125716 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files% (x86)\Bench\Wd\wd.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper-repairJob" = "wscript.exe C:\Users\"%CurrentUserName%"\AppData\Local\Deal-Dropper\repair.js Deal-Dropper-repairJob"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files% (x86)\Bench\BService\bservice.exe"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper" = ""
Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan.Win32.Swrort.3_b4f6b6a713

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan.Win32.Swrort.3_b4f6b6a713

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet