Virus.Win32.Sality_3ff9a5a6d3
not-a-virus:AdWare.NSIS.Yontoo.n (Kaspersky), Trojan.NSIS.StartPage.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, Adware, WormAutorun
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 3ff9a5a6d3e7281161104789fac8c663
SHA1: 67de30b06a47806bdfb58a35f3cdc8114d75b926
SHA256: da660e614c16727180cf4811bd027a184b2827486b7b1ebbfa249d81cb1243ef
SSDeep: 12288:AUYWn/0nQinxXSCy3suAMmpROhljAG8usLAtnDA Xd:lYQ8aCyMMmpMhFACm6nDdN
Size: 510328 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit
Summary:
Virus. A program that recursively replicates a possibly evolved copy of itself.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer. |
Process activity
The Virus creates the following process(es):
No processes have been created.
The Virus injects its code into the following process(es):
%original file name%.exe:1328
Explorer.EXE:1140
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1328 makes changes in the file system.
The Virus creates and/or writes to the following file(s):
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept3.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tuvo.exe (741 bytes)
C:\autorun.inf (309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F673_Rar\%original file name%.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\locate.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\x.bmp (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\skip.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\bmidt.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (32003 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\box.bmp (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F53B_Rar\%original file name%.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\back.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007ED0D_Rar\%original file name%.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\back_dis.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\load_2.bmp (626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\1clogo.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\decline.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\brcdt.txt (377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\dAg (168 bytes)
C:\geve.exe (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept0.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\close.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept_disabled.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept.bmp (784 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\complist.txt (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\inetc3.dll (784 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\System.dll (11 bytes)
The Virus deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\gCD (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\nold (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\complist.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tuvo.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\trninj.txt (0 bytes)
Registry activity
The process %original file name%.exe:1328 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Security Center]
"UacDisableNotify" = "1"
[HKCU\Software\Aas]
"a1_0" = "3299283285"
[HKCU\Software\Aas\695404737]
"35845605" = "509"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DoNotAllowExceptions" = "0"
[HKCR\AppID\{C007DADD-132A-624C-088E-59EE6CF0711F}]
"id0" = "04102015"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"
[HKCU\Software\Aas\695404737]
"50183847" = "78674806A3861F72F7FBBF4459E2447BBB1A42BFC7AD3F9F8B6242699C86EB9DDA33E7F1CEC726A6BBFFC5F57712CCF7F1343FF5179C3FA5BE9D7D0CD1DB4A0B001DC22F1A3E3F9D40B2C10E1AAC3438B4AD546A932C794F41D6E3C5C12AC455E21F3013ED8634C8F551DD13DBE206D40FD35D5B18B779A77309D5F74D48F7FD"
[HKCU\Software\1ClickDownload]
"LastInstall0" = "30473763"
[HKCU\Software\Aas]
"a3_0" = "17001001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallOverride" = "1"
[HKCU\Software\1ClickDownload]
"LastInstall3" = "30473763"
[HKCU\Software\Aas\695404737]
"14338242" = "0"
"7169121" = "131"
"21507363" = "0"
"28676484" = "35"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"UacDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallOverride" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify" = "1"
[HKCU\Software\1ClickDownload]
"UID" = "282948265"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C FE 11 7C 26 31 8D 32 D2 40 09 FF 38 AA DC 20"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Aas]
"a2_0" = "9832"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"FirewallDisableNotify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = "1"
[HKCU\Software\Aas]
"a4_0" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Virus modifies IE security zone settings to map all local web nodes without dots that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Virus modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Firewall notifications are disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = "1"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = "1"
The Virus modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Adds a rule to the Windows firewall which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "c:\%original file name%.exe:*:Enabled:ipsec"
Antivirus notifications are disabled:
[HKLM\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusDisableNotify" = "1"
The firewall is disabled:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = "0"
Task Manager is disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr" = "1"
The Virus deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 98370163dd976e864d8b0caf5581f99e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007ED0D_Rar\%original file name%.exe |
| 98370163dd976e864d8b0caf5581f99e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F53B_Rar\%original file name%.exe |
| 98370163dd976e864d8b0caf5581f99e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0007F673_Rar\%original file name%.exe |
| a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj3.tmp\NSISdl.dll |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj3.tmp\System.dll |
| 9d8ce05f532dc7b5742831ec8a63c2d8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj3.tmp\inetc3.dll |
| 7d3317f57c1a368480ace3c0ca804eeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj3.tmp\locate.dll |
| c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj3.tmp\nsDialogs.dll |
| 18787250816d7410f55844697ef5ce7e | c:\geve.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23130 | 23552 | 4.4632 | 28c65c1292bbe036c0cb956bdd89b9c7 |
| .rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
| .data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
| .ndata | 147456 | 593920 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 741376 | 98304 | 96256 | 5.22312 | b15cb871b18deb3e5251ddcd0b4bb52f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://torrntvz.com/ping.php?partner=TTV--def&product=TornTV&build=18_4 | |
| hxxp://torntvz.net/ping.php?partner=TTV--def&product=TornTV&build=18_4 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
Traffic
GET /ping.php?partner=TTV--def&product=TornTV&build=18_4 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: torntvz.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 503 Service Unavailable: Back-end server is at capacity
Content-Length: 0
Connection: keep-alive
The Virus connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Virus file.
- Delete or disinfect the following files created/modified by the Virus:
%WinDir%\system.ini (70 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept3.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tuvo.exe (741 bytes)
C:\autorun.inf (309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F673_Rar\%original file name%.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\locate.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\x.bmp (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\skip.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\bmidt.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso2.tmp (32003 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\box.bmp (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007F53B_Rar\%original file name%.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\back.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0007ED0D_Rar\%original file name%.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\back_dis.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\load_2.bmp (626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\1clogo.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\decline.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\brcdt.txt (377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\dAg (168 bytes)
C:\geve.exe (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept0.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\close.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept_disabled.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\accept.bmp (784 bytes)
%Program Files%\Adobe\Reader 9.0\Reader\Reader_sl.exe (840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\complist.txt (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\inetc3.dll (784 bytes)
%Program Files%\Common Files\Java\Java Update\jusched.exe (272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp\System.dll (11 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.