not-a-virus:HEUR:AdWare.NSIS.TornTV.gen (Kaspersky), Adware.Win32.Downware.FD, Trojan.NSIS.StartPage.FD, AdwareDownware.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bcda08c86e7c5b521faeb642a952d8f3
SHA1: c5f7c6ce0687b84d12410f8ebd6a79f5a4374dbb
SHA256: a6c25a044c385418219fa2c52f0c73cfc483fcefd71f3effa2c28621b5dd409a
SSDeep: 3072:nQIURTXJ445 zjDaeHUlrHwktLCLDa10AsS6/KfyBj8eXqEdmF0RwBwbl1s97VbH:nsi1X2emDwZ3a1hsa65vXql0Nl8CT8
Size: 263112 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7 SP1 32-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Adware creates the following process(es):
No processes have been created.
The Adware injects its code into the following process(es):
%original file name%.exe:1916
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1916 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\decline.bmp (784 bytes)
%Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\anon.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\skip.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\MainPackFA2703[1].htm (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\save.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept3.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept1.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\1clogo.bmp (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFFD2.tmp (13125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept2.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\inetc3.dll (812 bytes)
The Adware deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFFB2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\gC0 (0 bytes)
Registry activity
The process %original file name%.exe:1916 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKCU\Software\1ClickDownload]
"LastInstall0" = "30556234"
[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "30 43 12 12 4A 40 D2 01"
"WpadNetworkName" = "Network 2"
[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASAPI32]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\1ClickDownload]
"UID" = "284555269"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 43 12 12 4A 40 D2 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
c17103ae9072a06da581dec998343fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\System.dll |
9d8ce05f532dc7b5742831ec8a63c2d8 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\inetc3.dll |
c10e04dd4ad4277d5adc951bb331c777 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Adware file.
- Delete or disinfect the following files created/modified by the Adware:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\decline.bmp (784 bytes)
%Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\anon.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\skip.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\MainPackFA2703[1].htm (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\save.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept3.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept1.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\1clogo.bmp (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFFD2.tmp (13125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept2.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\inetc3.dll (812 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 372736 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 520192 | 16592 | 16896 | 4.13874 | 8091b1378d82973015f802c93eb88bab |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 228
Network Activity
URLs
URL | IP |
---|---|
hxxp://files.download1click.ws/MainPackFA2703.exe | 64.70.19.203 |
data.downloadstarter.net | 146.148.42.217 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /MainPackFA2703.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: files.download1click.ws
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Wed, 16 Nov 2016 20:43:28 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 544
Connection: keep-alive
<html>.<head>..<title>WEBSITE.WS - Your Internet Address For Life™</title>.</head>.<frameset rows="100%,*" border="0" frameborder="0">..<frame src="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic" scrolling="auto">..<noframes>...<p> Your browser does not support frames. Continue to <a href="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic">hXXps://www.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic</a>.</p>..</noframes>.</frameset>.</html>
<<< skipped >>>
Map
The Adware connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1916:
%original file name%.exe_1916_rwx_10004000_00001000:
callback%d