not-a-virus:AdWare.Win32.CrossRider.aaev (Kaspersky), Gen:Application.Parj.1 (AdAware), Trojan.NSIS.StartPage.FD, SearchProtectToolbar.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b9f47b283948665602f800dd2b310ff5
SHA1: e4afe9bf79873999d44fd7778da8221eca35086b
SHA256: 9f61db8d2a9710c3254c9dfdbcd7d53d8942b5d47b4420a668d29a696568ab8a
SSDeep: 49152:T6Gs9QZ4o0/mJyOGqbOsxg5JAI9PRPA6Hf/wLlKFrOYJ/: LO4o mEmtxM9hR74MT
Size: 2060267 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-12-04 15:55:02
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1192
Au_.exe:1376
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~nsu.tmp\Au_.exe (15019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp (13742 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
The process Au_.exe:1376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd4.tmp (13742 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 A5 08 E9 17 64 43 06 B3 AB 2A 2E 04 4D 2F 24"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~nsu.tmp\Au_.exe,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process Au_.exe:1376 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 29 77 8B BC F5 63 1F 1B B1 15 A9 62 A9 35 FD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1192
Au_.exe:1376
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\~nsu.tmp\Au_.exe (15019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp (13742 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd4.tmp (13742 bytes)
Static Analysis
VersionInfo
Company Name: Cinema PlusV24.06
Product Name: CinemaPlus-3.2cV24.06
Product Version:
Legal Copyright: Copyright Cinema PlusV24.06
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.36.01.22
File Description: CinemaPlus-3.2cV24.06 Installer
Comments:
Language: English
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 34880 | 35328 | 4.13209 | c061a4f004f4d6347691f4655fa02103 |
.data | 40960 | 140 | 512 | 0.818128 | a5a710a52d844b19513b2cab5693dbc3 |
.rdata | 45056 | 9108 | 9216 | 4.0908 | 004265d16597098398ce8e06897dcd29 |
.bss | 57344 | 252880 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 311296 | 4868 | 5120 | 3.64756 | 20f692042b54593897a705a64d67ce50 |
.ndata | 319488 | 22355968 | 8192 | 0 | 0829f71740aab1ab98b33eae21dee122 |
.rsrc | 22675456 | 28704 | 29184 | 3.77872 | 16a7ca548bcd8b5d5116716c2b3ee33d |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 6
Network Activity
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Au_.exe_1376: