Adware.DealDropper.A (AdAware)
Behaviour: PUP, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b4f6b6a713d3f1e3d80edf566e6137af
SHA1: 37c05f2b176aac0e20a53dc2e36e482e45aef0af
SHA256: 9ed4a64a3c4d367a4a32cc689afa3e7567932e85c94205a4f0def79f1e5317ad
SSDeep: 24576:ktaa80KkBQBfFUgk6msA10/8IkeSnLpC3YKIudmdn0cOY7fFJYcyqzF:kJNKkBQBfFgNOBkeSnLpCoKIomdnQEfR
Size: 1211056 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Smart Apps
Created at: 2012-02-19 17:01:49
Analyzed on: Windows XP SP3 32-bit
Summary: Potentially Unwanted Program. An application that does not display malicious behavior but is installed without first seeking affirmative user consent. Users may not realize, given the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted, e.g. remote administration tools or IRC clients.
Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program, or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The program creates the following process(es):
net1.exe:1692
FrameworkEngine.exe:3632
storageedit.exe:4076
net.exe:1932
gpedit.exe:3428
Updater.exe:1368
regsvr32.exe:548
regsvr32.exe:2216
regsvr32.exe:2228
%original file name%.exe:3848
cscript.exe:2964
cscript.exe:1224
cscript.exe:600
cscript.exe:1188
cscript.exe:1080
cscript.exe:4004
cscript.exe:1364
cscript.exe:2180
cscript.exe:492
updater.exe:1200
updater.exe:208
updater.exe:2796
updater.exe:232
msfeedssync.exe:2192
The program injects its code into the following process(es):
None observed.
File activity
The process gpedit.exe:3428 makes changes in the file system.
The program creates and/or writes to the following file(s):
%System%\GroupPolicy\gpt.ini (315 bytes)
%System%\GroupPolicy\Machine\Registry.pol (1192 bytes)
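The gpedit.exe that writes these two files is not the Windows policy editor: the installer drops its own gpedit.exe into the Deal-Dropper directory under Local Settings\Application Data (listed further down in this section). Registry.pol under GroupPolicy\Machine is the machine-wide local policy store, so whatever it wrote is applied to every user. The report records only the file size (1192 bytes), not the contents, and the quickest way to learn what policy was planted is to decode the file offline. The decoder below is an added example, not part of the Lavasoft report or the sample; it builds a constructed Registry.pol in memory (an assumed Chrome ExtensionInstallForcelist entry using the extension id that appears in the NmHost path later in this report, plus an unrelated DWORD so both value types are exercised) and parses it back. The Registry.pol layout it implements is the documented one: a "PReg" signature, a version DWORD of 1, then UTF-16LE entries of the form [key;value;type;size;data].

```python
"""Decode a Group Policy Registry.pol file so the policy values an installer
planted can be read offline, without loading them into a policy store."""
import struct

REG_SZ, REG_DWORD = 1, 4
PREG_MAGIC = b"PReg"          # signature 0x67655250 stored little-endian
PREG_VERSION = 1
LBRACKET, SEMI, RBRACKET = (c.encode("utf-16-le") for c in "[;]")


def _u16(s):
    """UTF-16LE with a terminator, the way Registry.pol stores strings."""
    return (s + "\0").encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value_name, type, data_bytes) tuples into a Registry.pol
    blob. Used here only to construct the sample file that gets decoded."""
    out = bytearray(PREG_MAGIC + struct.pack("<I", PREG_VERSION))
    for key, value, vtype, data in entries:
        out += LBRACKET + _u16(key) + SEMI + _u16(value) + SEMI
        out += struct.pack("<I", vtype) + SEMI + struct.pack("<I", len(data)) + SEMI
        out += data + RBRACKET
    return bytes(out)


def _read_string(blob, pos):
    """Read a UTF-16LE string terminated by a 2-byte-aligned NUL."""
    end = pos
    while blob[end:end + 2] != b"\0\0":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob, pos, token):
    """Consume a delimiter or fail loudly; a truncated file must not parse."""
    if blob[pos:pos + len(token)] != token:
        raise ValueError("expected %r at offset %d" % (token, pos))
    return pos + len(token)


def parse_registry_pol(blob):
    """Return a list of (key, value_name, type, data_bytes); raises ValueError
    on a bad header or a malformed entry."""
    if blob[:4] != PREG_MAGIC or struct.unpack_from("<I", blob, 4)[0] != PREG_VERSION:
        raise ValueError("not a Registry.pol version 1 file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, LBRACKET)
        key, pos = _read_string(blob, pos)
        pos = _expect(blob, pos, SEMI)
        value, pos = _read_string(blob, pos)
        pos = _expect(blob, pos, SEMI)
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEMI)
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, SEMI)
        data = blob[pos:pos + size]
        pos = _expect(blob, pos + size, RBRACKET)
        entries.append((key, value, vtype, data))
    return entries


def decode_value(vtype, data):
    """Make the common value types readable; anything else stays raw bytes."""
    if vtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\0")
    if vtype == REG_DWORD:
        return struct.unpack("<I", data)[0]
    return data


def browser_policies(entries):
    """Entries under the Chrome or Firefox policy trees, the ones an adware
    installer uses to force-install or pin an extension."""
    roots = (r"software\policies\google\chrome", r"software\policies\mozilla\firefox")
    return [(k, v, decode_value(t, d)) for k, v, t, d in entries
            if k.lower().startswith(roots)]


# Constructed sample: the report only records that Registry.pol (1192 bytes)
# was written, not its contents. This ASSUMES a Chrome ExtensionInstallForcelist
# entry for the extension id seen in the report's NmHost path, with Google's
# standard CRX update URL, plus an unrelated DWORD. None of it is from the
# actual file.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Google\Chrome\ExtensionInstallForcelist", "1", REG_SZ,
     _u16("epjpfmkiegfpfhiaohimeiamofnpdkgj;https://clients2.google.com/service/update2/crx")),
    (r"Software\Policies\Example", "Flag", REG_DWORD, struct.pack("<I", 1)),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for key, name, value in browser_policies(parse_registry_pol(SAMPLE_POL)):
        print(key, name, value)
```

To use it on a real host, read %SystemRoot%\System32\GroupPolicy\Machine\Registry.pol (and the User counterpart) as bytes and pass the result to parse_registry_pol; browser_policies then lists only the extension-policy entries, which is where a forced Chrome or Firefox extension would show up.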
The process Updater.exe:1368 makes changes in the file system.
The program creates and/or writes to the following file(s):
%WinDir%\Tasks\bench-sys.job (328 bytes)
The process %original file name%.exe:3848 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\contentNotificationStyle.tmpl (3 bytes)
%Program Files%\Deal-Dropper\framework\backgroundscript_engine.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\notifications.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\timer.js (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ping.js (382 bytes)
%Program Files%\Deal-Dropper\framework\storage.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\SoftwareDetector.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\browser_button.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\common.js (12 bytes)
%Program Files%\Deal-Dropper\framework\initialize.js (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\migrate.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_settings.js (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns33.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst28.tmp (74961 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\canvas_bg.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\canvas_bg.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\uninstall.exe (3471 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\icon.ico (784 bytes)
%Program Files%\Deal-Dropper\icons\icon128.png (3 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files%\Bench\Updater\updater.exe (2392 bytes)
%Program Files%\Bench\NmHost\manifest.json (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\projectInstaller.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\storage.js (6 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_bg.js (2 bytes)
%Program Files%\Deal-Dropper\FrameworkBHO64.dll (16944 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox_installer.js (6 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files%\Deal-Dropper\framework\userscript_client.js (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2B.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\browser.js (12 bytes)
%Program Files%\Deal-Dropper\AppFramework\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\console.js (540 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\options.js (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\contentNotification.tmpl (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2C.tmp (278 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\bootstrap.js (2 bytes)
%Program Files%\Deal-Dropper\framework-ui\notification.html (6 bytes)
%Program Files%\Deal-Dropper\FrameworkEngine.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon128.png (3 bytes)
%Program Files%\Deal-Dropper\icons\icon100.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_common.js (9 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\webrequest.js (4 bytes)
%Program Files%\Deal-Dropper\framework-ui\ui_base.js (1 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files%\Deal-Dropper\background.html (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_bg.js (2 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\registry.js (908 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files%\Bench\BService\bhelper.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\ui_base.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\io.js (976 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_content.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\utils.js (2 bytes)
%Program Files%\Deal-Dropper\framework-ui\framework_api.js (1 bytes)
%Program Files%\Deal-Dropper\icons\icon48.png (1 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\middle-right.png (234 bytes)
%Program Files%\Deal-Dropper\framework\timer.js (409 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\base.js (2 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\middle-left.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\sqlite3.exe (33888 bytes)
%Program Files%\Deal-Dropper\framework\i18n.js (1 bytes)
%Program Files%\Deal-Dropper\framework\userscript_engine.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_webrequest.js (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2A.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns30.tmp (8 bytes)
%Program Files%\Deal-Dropper\framework\lang.js (1 bytes)
%Program Files%\Deal-Dropper\framework\messaging.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\webrequest.js (5 bytes)
%Program Files%\Deal-Dropper\framework\base.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\lang.js (3 bytes)
%Program Files%\Deal-Dropper\framework-ui\notifications.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\chrome_gp_update.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\main_installer.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\extension_info.json (1 bytes)
%Program Files%\Deal-Dropper\framework\global.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\invoke_async.js (2 bytes)
%Program Files%\Deal-Dropper\framework\invoke_async.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsExec.dll (8 bytes)
%Program Files%\Deal-Dropper\framework-ui\context_menu.js (738 bytes)
%Program Files%\Deal-Dropper\framework\console.js (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns31.tmp (8 bytes)
%Program Files%\Deal-Dropper\framework\legacy.js (1 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_webrequest.js (138 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-top.png (315 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-left.png (310 bytes)
%Program Files%\Deal-Dropper\framework\xhr.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\info.xml (351 bytes)
%Program Files%\Deal-Dropper\framework-ui\browser_button.js (5 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_content.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\xhr.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\framework.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\userscript_engine.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\gpedit.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns32.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\message_target.js (854 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\legacy.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\chrome_installer.js (5 bytes)
%Program Files%\Deal-Dropper\framework\io.js (1 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\canvasscript_engine.js (437 bytes)
%Program Files%\Deal-Dropper\config.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\background.html (157 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_common.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\content_notifications.js (9 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\md5.js (3 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-middle.png (240 bytes)
%Program Files%\Bench\NmHost\nmhost.exe (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\content_proxy.js (502 bytes)
%Program Files%\Deal-Dropper\framework\updater.js (2 bytes)
%Program Files%\Deal-Dropper\icons\icon32.png (1 bytes)
%Program Files%\Deal-Dropper\framework\utils.js (2 bytes)
%Program Files%\Deal-Dropper\extension_info.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess2.dll (1552 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_settings.js (83 bytes)
%Program Files%\Deal-Dropper\framework\browser.js (11 bytes)
%Program Files%\Bench\BService\bservice.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns34.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\md5.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon100.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\backgroundscript_engine.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\userscript_client.js (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\framework_api.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\i18n.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2E.tmp (8 bytes)
%Program Files%\Deal-Dropper\FrameworkBHO.dll (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\canvasscript_engine.js (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2F.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon32.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (6 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-right.png (304 bytes)
%Program Files%\Bench\Wd\wd.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\uninstall.js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\chrome.manifest (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\chrome_windows.js (2 bytes)
%Program Files%\Deal-Dropper\framework\message_target.js (854 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-left.png (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns35.tmp (8 bytes)
%Program Files%\Deal-Dropper\framework\json2.js (2 bytes)
%Program Files%\Deal-Dropper\icons\button.png (602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\messaging.js (1 bytes)
%Program Files%\Deal-Dropper\framework-ui\context_menu_item_handler.html (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon48.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\context_menu.js (2 bytes)
%Program Files%\Deal-Dropper\framework\framework.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2D.tmp (603 bytes)
%Program Files%\Deal-Dropper\framework-ui\options.js (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\ie_installer.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\button.png (602 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-right.png (311 bytes)
%Program Files%\Bench\Updater\1.7.0.0\updater.exe (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\registry.js (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\storageedit.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\installer.js (774 bytes)
The program deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns35.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\pz_info (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns30.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ping.js (0 bytes)
The process cscript.exe:600 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Program Files%\Deal-Dropper\extension_info.json (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair_data.json (4 bytes)
The process cscript.exe:1188 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon48.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\legacy.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\background.html (157 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\button.png (602 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\extension_info.json (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\xhr.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvas_bg.js (5 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon128.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\content_proxy.js (502 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\backgroundscript_engine.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_settings.js (83 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\framework.js (4 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_bg.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\browser.js (12 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\framework_api.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions.json (4 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\timer.js (977 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotification.tmpl (836 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\webrequest.js (5 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\storage.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\registry.js (796 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\content_notifications.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\options.js (934 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvasscript_engine.js (437 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_content.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair_data.json (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\extension_info.json (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\utils.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_client.js (310 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon32.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\i18n.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\chrome_windows.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\lang.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotificationStyle.tmpl (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\messaging.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\chrome.manifest (57 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\context_menu.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\md5.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\invoke_async.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon100.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\uninstall.js (73 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\bootstrap.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\io.js (976 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\notifications.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\browser_button.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\ui_base.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_engine.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\console.js (540 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_browseraction.js (799 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\base.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\message_target.js (854 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_common.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_webrequest.js (138 bytes)
The process cscript.exe:1080 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\pz_info (386 bytes)
The process cscript.exe:1364 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (106 bytes)
%Program Files%\Bench\NmHost\manifest.json (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair_data.json (1 bytes)
%Program Files%\Bench\NmHost\data\installer\epjpfmkiegfpfhiaohimeiamofnpdkgj (955 bytes)
%System%\drivers\etc\hosts (781 bytes)
The process updater.exe:1200 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\BenchUpdater\products.xml (497 bytes)
The program deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\info.xml (0 bytes)
The process updater.exe:208 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Program Files%\Bench\Updater\products.xml (435 bytes)
The program deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2D.tmp (0 bytes)
The process updater.exe:2796 makes changes in the file system.
The program creates and/or writes to the following file(s):
%WinDir%\Tasks\bench-S-1-5-21-1844237615-1960408961-1801674531-1003.job (326 bytes)
The process updater.exe:232 makes changes in the file system.
The program creates and/or writes to the following file(s):
%WinDir%\Tasks\bench-S-1-5-21-1844237615-1960408961-1801674531-1003.job (328 bytes)
The process msfeedssync.exe:2192 makes changes in the file system.
The program creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (3114 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
%WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)
Registry activity
The process net1.exe:1692 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C A8 FD 0D 32 2F F9 04 31 59 5F CA CD 12 28 84"
The process FrameworkEngine.exe:3632 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 5A 62 CB F8 4F C9 C0 39 FE 14 79 B0 5A 2B B2"
[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\TypeLib]
"(Default)" = "{15DF158E-43BC-45E4-BDBA-42C8D61067E1}"
[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}]
"(Default)" = "Deal-Dropper"
[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"AppPath" = "%Program Files%\Deal-Dropper\"
[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0\0\win32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkEngine.exe"
[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\LocalServer32]
"ServerExecutable" = "%Program Files%\Deal-Dropper\FrameworkEngine.exe"
[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0]
"(Default)" = "EngineLib"
[HKCR\TypeLib\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Deal-Dropper"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15DF158E-43BC-45E4-BDBA-42C8D61067E1}]
"AppName" = "FrameworkEngine.exe"
"Policy" = "3"
[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}]
"(Default)" = "IKangoEngine"
[HKCR\Interface\{AFADC76E-308C-4150-BEBF-14C4FDE58259}\TypeLib]
"(Default)" = "{15DF158E-43BC-45E4-BDBA-42C8D61067E1}"
[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\LocalServer32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkEngine.exe"
[HKCR\CLSID\{AF8EC7CC-303A-41EF-B1F7-56C4F5E5DE59}\Version]
"(Default)" = "1.0"
The process storageedit.exe:4076 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 87 9D 03 73 97 AF 1B 4C 18 82 58 B0 9C 31 EB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process net.exe:1932 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 69 81 AE AF A2 5E 18 C4 3A 74 63 FB 83 60 B1"
The process gpedit.exe:3428 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 A1 F5 B5 AF 60 51 A9 E2 21 91 B4 39 5C 69 CA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
"1" = "epjpfmkiegfpfhiaohimeiamofnpdkgj;http://epjpfmkiegfpfhiaohimeiamofnpdkgj/check/.eJwNyUEOgCAMAMG_9EyMXvmMIVKkQCmBakyMf5fjzr6gbmSwcMQujGDgxj5I6qRtWWdTHepKwQ5W-4UG8NGd_PzYUgucCc_QQiQnkRjJsYTafD4TfD_fXyE-.m60tajgmPM8_2vDqWW4qUCE_47Q"
The program deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}User]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{66E54CD6-C1AA-4A9C-A91F-E91817D715AA}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
The process Updater.exe:1368 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 0D E7 66 53 8A 32 CC AE 9D 19 CE E9 49 74 3E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process regsvr32.exe:548 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A CC 88 17 7D 60 34 A7 F6 E5 01 A9 82 8E ED F0"
The process regsvr32.exe:2216 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\InprocServer32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkBHO.dll"
[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}]
"(Default)" = "Deal-Dropper BHO"
[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}]
"(Default)" = "IKangoToolbar"
[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0]
"(Default)" = "Framework 1.0 Type Library"
[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"
[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\0\win32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkBHO.dll"
[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"
[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}]
"(Default)" = "Deal-Dropper"
[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\TypeLib]
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"
[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}]
"(Default)" = "IKangoBHO"
[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7F3A1B6B-BF72-46F6-81BC-891F6744D124}" = "Deal-Dropper"
[HKCR\CLSID\{41708E47-E97E-4051-A609-B88B398BCC94}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\Version]
"(Default)" = "1.0"
[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD C3 CD 54 9A 15 AE 0A A2 2C 72 1E 58 9B BE 9F"
[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\TypeLib]
"Version" = "1.0"
"(Default)" = "{04D1BE17-3CB3-4981-815D-547300B40C45}"
[HKCR\Interface\{7F201B57-BF61-467F-B689-D01FB7443924}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{7F3A1B6B-BF72-46F6-81BC-891F6744D124}\InprocServer32]
"(Default)" = "%Program Files%\Deal-Dropper\FrameworkBHO.dll"
[HKCR\Interface\{41E78E1D-E950-40CF-8498-4C8BE88BEA94}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{04D1BE17-3CB3-4981-815D-547300B40C45}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Deal-Dropper"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{41708E47-E97E-4051-A609-B88B398BCC94}]
"(Default)" = "Deal-Dropper BHO"
"NoExplorer" = "1"
The process regsvr32.exe:2228 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B D1 6C C6 34 5E 52 19 99 C2 01 3E F4 CB 1B A3"
The process %original file name%.exe:3848 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "10000"
[HKLM\SOFTWARE]
"38902" = "Deal-Dropper"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj29.tmp\nsProcess.dll,"
[HKLM\SOFTWARE\Bench\NmHost]
"(Default)" = "%Program Files%\Bench\NmHost\nmhost.exe"
[HKLM\SOFTWARE\AdvertisingSupport]
"Seen" = "1"
[HKLM\SOFTWARE\Deal-Dropper]
"ZoneId" = "446810"
[HKLM\SOFTWARE\Bench\Updater\38902]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"NoRepair" = "1"
[HKLM\SOFTWARE\Deal-Dropper]
"InstallTime" = "1400924522"
[HKLM\SOFTWARE\Bench\NmHost\38902]
"(Default)" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Bench\BService\38902]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper/icon.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Deal-Dropper]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"DisplayName" = "Deal-Dropper"
"InstallLocation" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper"
[HKLM\SOFTWARE\Bench\Updater]
"Path" = "%Program Files%\Bench\Updater\updater.exe"
[HKLM\SOFTWARE\Deal-Dropper]
"SeenDate" = "1400913722"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "10000"
[HKLM\SOFTWARE\Deal-Dropper]
"CDN" = "contentcache-a.akamaihd.net"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"DisplayVersion" = "1.0"
"Publisher" = "Smart Apps"
[HKLM\SOFTWARE\Deal-Dropper]
"UTCInstallTime" = "1400913722"
[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.bench.nmhost]
"(Default)" = "%Program Files%\Bench\NmHost\manifest.json"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 75 A0 1D 15 EC 61 44 70 3E 6D 80 01 30 AD 4F"
[HKLM\SOFTWARE\Deal-Dropper]
"SystemId" = "4433e0bcf600ea79ca332930e87765a0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\AdvertisingSupport]
"SeenDate" = "1400913722"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Deal-Dropper]
"PID" = "1779"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38902_Deal-Dropper]
"NoModify" = "1"
[HKLM\SOFTWARE\Deal-Dropper]
"Seen" = "1"
To automatically run itself each time Windows is booted, the program adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\bservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper-repairJob" = "wscript.exe %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair.js Deal-Dropper-repairJob"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"
The program deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Deal-Dropper]
"Seen"
[HKLM\SOFTWARE\AdvertisingSupport]
"Seen"
The program disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Deal-Dropper-repairJob"
The process cscript.exe:2964 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D C0 6D 50 A4 46 D8 87 AC 0D C2 4D DE 16 19 BC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"
The program modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The program modifies IE security zone settings to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The program modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The program deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process cscript.exe:1224 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB AF D1 7A 62 6C 30 7C FB 7E A3 5F A4 A9 38 A0"
[HKLM\SOFTWARE\Bench\InstalledExtensions]
"38902" = ""
The process cscript.exe:600 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 33 03 03 AD EF 64 BB 92 17 31 CE B4 08 9A 45"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{41708E47-E97E-4051-A609-B88B398BCC94}]
"Flags" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{41708E47-E97E-4051-A609-B88B398BCC94}" = "1"
The program deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7F3A1B6B-BF72-46F6-81BC-891F6744D124}"
The process cscript.exe:1188 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 3E 11 8D 51 C9 BF D0 75 57 43 C3 8B 0F A4 64"
The process cscript.exe:1080 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 89 E3 CF 2C E9 17 17 BB 28 FB A4 F2 C6 D0 8C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 01 00 00 00 00 00 00 00"
The program modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The program modifies IE security zone settings to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The program modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The program deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process cscript.exe:4004 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 AB 75 7D 26 11 E4 42 B7 FB D7 AA E3 A5 1A FC"
[HKLM\SOFTWARE\Deal-Dropper]
"czoneid" = "12199"
The process cscript.exe:1364 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 0A 6D E2 92 D0 DB FC C4 AF 34 2A 62 3C 86 D6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
The program modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The program modifies IE security zone settings to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The program modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The program deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process cscript.exe:2180 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 41 A4 10 B3 C6 75 40 86 81 49 17 3E 51 A0 61"
The process cscript.exe:492 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 A2 40 A7 22 7C 29 B7 75 3E CA D8 1F 59 B9 9F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 01 00 00 00 00 00 00 00"
The program modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The program modifies IE security zone settings to map all local web nodes with no dots that do not belong to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The program modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The program deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process updater.exe:1200 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 C9 C7 90 10 A4 F6 7D 8D 18 2D AC 4E DD C7 6F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process updater.exe:208 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 8A C1 2E 7B 9D E2 57 8E 50 9A 8B 21 5E A2 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process updater.exe:2796 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 97 61 13 2B 41 5A 29 B7 A8 0D 34 73 7A 0E 76"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process updater.exe:232 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 06 FF 8A C5 8E 55 80 02 AD C4 CA 16 FE 58 8F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process msfeedssync.exe:2192 makes changes in the system registry.
The program creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 8F 0F D5 52 52 62 35 C0 7D C6 FA 15 0C F6 0E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Internet Explorer\Suggested Sites]
"DeletePending" = "0"
"UploadDiagInfo" = "1C 5C 00 00 71 17 00 08 80 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
Dropped PE files
MD5 | File path |
---|---|
da94d940c994714a8be8361d3469b3a2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\SoftwareDetector.exe |
150e5904c772ce4ad3c2d81b18aed6cb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\gpedit.exe |
82771129b12517cf5c6e2244d14e8360 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\sqlite3.exe |
e1b66274f8a51758e25bb285864a444f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\storageedit.exe |
fc522beb39d25b66ebf5c40c301f83c1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\Deal-Dropper\uninstall.exe |
05450face243b3a7472407b999b03a72 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj29.tmp\nsProcess.dll |
72b1a3d56f812839ae5ba3420a5ed812 | c:\Program Files\Bench\BService\bhelper.dll |
07ee628bdcdb9a09988febdd15e2196c | c:\Program Files\Bench\BService\bservice.exe |
89bb8b1dc6e5849bfc2c8f7396da4f5b | c:\Program Files\Bench\NmHost\nmhost.exe |
34203663acf7b6a074b4ee892fea1398 | c:\Program Files\Bench\Updater\1.7.0.0\updater.exe |
83f9fd1fd4b72219901cd9004ad06804 | c:\Program Files\Bench\Updater\updater.exe |
a366d38c2d5c1879a9d5b3fe6794b33e | c:\Program Files\Bench\Wd\wd.exe |
953f35a6fb42ed3c9780ec34c009f159 | c:\Program Files\Deal-Dropper\FrameworkBHO.dll |
b297099289b4b59e9868d22324e4e927 | c:\Program Files\Deal-Dropper\FrameworkBHO64.dll |
c6382e297af7f249be51152f539e441d | c:\Program Files\Deal-Dropper\FrameworkEngine.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
net1.exe:1692
FrameworkEngine.exe:3632
storageedit.exe:4076
net.exe:1932
gpedit.exe:3428
Updater.exe:1368
regsvr32.exe:548
regsvr32.exe:2216
regsvr32.exe:2228
%original file name%.exe:3848
cscript.exe:2964
cscript.exe:1224
cscript.exe:600
cscript.exe:1188
cscript.exe:1080
cscript.exe:4004
cscript.exe:1364
cscript.exe:2180
cscript.exe:492
updater.exe:1200
updater.exe:208
updater.exe:2796
updater.exe:232
msfeedssync.exe:2192
- Delete the original program file.
- Delete or disinfect the following files created or modified by the program:
%System%\GroupPolicy\gpt.ini (315 bytes)
%System%\GroupPolicy\Machine\Registry.pol (1192 bytes)
%WinDir%\Tasks\bench-sys.job (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\contentNotificationStyle.tmpl (3 bytes)
%Program Files%\Deal-Dropper\framework\backgroundscript_engine.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\notifications.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\timer.js (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ping.js (382 bytes)
%Program Files%\Deal-Dropper\framework\storage.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\SoftwareDetector.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\browser_button.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\common.js (12 bytes)
%Program Files%\Deal-Dropper\framework\initialize.js (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\migrate.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_settings.js (83 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns33.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst28.tmp (74961 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\canvas_bg.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\canvas_bg.js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\uninstall.exe (3471 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\icon.ico (784 bytes)
%Program Files%\Deal-Dropper\icons\icon128.png (3 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files%\Bench\Updater\updater.exe (2392 bytes)
%Program Files%\Bench\NmHost\manifest.json (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\projectInstaller.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\storage.js (6 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_bg.js (2 bytes)
%Program Files%\Deal-Dropper\FrameworkBHO64.dll (16944 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox_installer.js (6 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files%\Deal-Dropper\framework\userscript_client.js (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2B.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\browser.js (12 bytes)
%Program Files%\Deal-Dropper\AppFramework\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\console.js (540 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\options.js (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\contentNotification.tmpl (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2C.tmp (278 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\bootstrap.js (2 bytes)
%Program Files%\Deal-Dropper\framework-ui\notification.html (6 bytes)
%Program Files%\Deal-Dropper\FrameworkEngine.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon128.png (3 bytes)
%Program Files%\Deal-Dropper\icons\icon100.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_common.js (9 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\webrequest.js (4 bytes)
%Program Files%\Deal-Dropper\framework-ui\ui_base.js (1 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files%\Deal-Dropper\background.html (157 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_bg.js (2 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\registry.js (908 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_browseraction.js (799 bytes)
%Program Files%\Bench\BService\bhelper.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\ui_base.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\io.js (976 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_content.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\utils.js (2 bytes)
%Program Files%\Deal-Dropper\framework-ui\framework_api.js (1 bytes)
%Program Files%\Deal-Dropper\icons\icon48.png (1 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\middle-right.png (234 bytes)
%Program Files%\Deal-Dropper\framework\timer.js (409 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\base.js (2 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\middle-left.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\sqlite3.exe (33888 bytes)
%Program Files%\Deal-Dropper\framework\i18n.js (1 bytes)
%Program Files%\Deal-Dropper\framework\userscript_engine.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\appAPI_webrequest.js (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2A.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns30.tmp (8 bytes)
%Program Files%\Deal-Dropper\framework\lang.js (1 bytes)
%Program Files%\Deal-Dropper\framework\messaging.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\webrequest.js (5 bytes)
%Program Files%\Deal-Dropper\framework\base.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\lang.js (3 bytes)
%Program Files%\Deal-Dropper\framework-ui\notifications.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\chrome_gp_update.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\main_installer.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\extension_info.json (1 bytes)
%Program Files%\Deal-Dropper\framework\global.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\AppFramework\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\invoke_async.js (2 bytes)
%Program Files%\Deal-Dropper\framework\invoke_async.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsExec.dll (8 bytes)
%Program Files%\Deal-Dropper\framework-ui\context_menu.js (738 bytes)
%Program Files%\Deal-Dropper\framework\console.js (489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns31.tmp (8 bytes)
%Program Files%\Deal-Dropper\framework\legacy.js (1 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_webrequest.js (138 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-top.png (315 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-left.png (310 bytes)
%Program Files%\Deal-Dropper\framework\xhr.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\info.xml (351 bytes)
%Program Files%\Deal-Dropper\framework-ui\browser_button.js (5 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_content.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\xhr.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\framework.js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\userscript_engine.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\gpedit.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns32.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\message_target.js (854 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\legacy.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\chrome_installer.js (5 bytes)
%Program Files%\Deal-Dropper\framework\io.js (1 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\canvasscript_engine.js (437 bytes)
%Program Files%\Deal-Dropper\config.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\background.html (157 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_common.js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\content_notifications.js (9 bytes)
%Program Files%\Deal-Dropper\CanvasFramework\md5.js (3 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\top-middle.png (240 bytes)
%Program Files%\Bench\NmHost\nmhost.exe (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\content_proxy.js (502 bytes)
%Program Files%\Deal-Dropper\framework\updater.js (2 bytes)
%Program Files%\Deal-Dropper\icons\icon32.png (1 bytes)
%Program Files%\Deal-Dropper\framework\utils.js (2 bytes)
%Program Files%\Deal-Dropper\extension_info.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess2.dll (1552 bytes)
%Program Files%\Deal-Dropper\AppFramework\appAPI_settings.js (83 bytes)
%Program Files%\Deal-Dropper\framework\browser.js (11 bytes)
%Program Files%\Bench\BService\bservice.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns34.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\md5.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon100.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\backgroundscript_engine.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\userscript_client.js (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\framework_api.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\i18n.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2E.tmp (8 bytes)
%Program Files%\Deal-Dropper\FrameworkBHO.dll (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\canvasscript_engine.js (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns2F.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon32.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\md5dll.dll (6 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-right.png (304 bytes)
%Program Files%\Bench\Wd\wd.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\uninstall.js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\chrome.manifest (57 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\chrome_windows.js (2 bytes)
%Program Files%\Deal-Dropper\framework\message_target.js (854 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-left.png (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\ns35.tmp (8 bytes)
%Program Files%\Deal-Dropper\framework\json2.js (2 bytes)
%Program Files%\Deal-Dropper\icons\button.png (602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework\messaging.js (1 bytes)
%Program Files%\Deal-Dropper\framework-ui\context_menu_item_handler.html (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\icon48.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\framework-ui\context_menu.js (2 bytes)
%Program Files%\Deal-Dropper\framework\framework.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2D.tmp (603 bytes)
%Program Files%\Deal-Dropper\framework-ui\options.js (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\ie_installer.js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\icons\button.png (602 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
%Program Files%\Deal-Dropper\framework-ui\theme\bubble\bottom-right.png (311 bytes)
%Program Files%\Bench\Updater\1.7.0.0\updater.exe (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\firefox\CanvasFramework\registry.js (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\storageedit.exe (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\installer.js (774 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair_data.json (4 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon48.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\legacy.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\background.html (157 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\button.png (602 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\xhr.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvas_bg.js (5 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon128.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\content_proxy.js (502 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\backgroundscript_engine.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_settings.js (83 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\framework.js (4 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_bg.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\browser.js (12 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\framework_api.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions.json (4 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\timer.js (977 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotification.tmpl (836 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\webrequest.js (5 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\storage.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\registry.js (796 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\content_notifications.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\options.js (934 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\canvasscript_engine.js (437 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_content.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\extension_info.json (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\utils.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_client.js (310 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon32.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\i18n.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\chrome_windows.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\lang.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\contentNotificationStyle.tmpl (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\messaging.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\chrome.manifest (57 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\context_menu.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\CanvasFramework\md5.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\invoke_async.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\icons\icon100.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\uninstall.js (73 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\bootstrap.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\io.js (976 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\notifications.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\browser_button.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework-ui\ui_base.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\userscript_engine.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\install.rdf (1 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\console.js (540 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_browseraction.js (799 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\base.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\framework\message_target.js (854 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_common.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\Mozilla\Firefox\Profiles\rsxjpslc.default\extensions\{4F9F5CA8-465F-5780-E78C-480CE5DF3A69}\AppFramework\appAPI_webrequest.js (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj29.tmp\pz_info (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (106 bytes)
%Program Files%\Bench\NmHost\data\installer\epjpfmkiegfpfhiaohimeiamofnpdkgj (955 bytes)
%System%\drivers\etc\hosts (781 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\BenchUpdater\products.xml (497 bytes)
%Program Files%\Bench\Updater\products.xml (435 bytes)
%WinDir%\Tasks\bench-S-1-5-21-1844237615-1960408961-1801674531-1003.job (326 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (3114 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
%WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\bservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper-repairJob" = "wscript.exe %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair.js Deal-Dropper-repairJob"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
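The four autorun values above are the persistence a responder has to undo, and the "Strings from Dumps" section further down shows why order matters: wd.exe embeds the bservice.exe path and imports ShellExecuteW, so it behaves as a watchdog that relaunches bservice.exe. The following script is an added example (not Lavasoft's code) that parses the report's own "[key]" / "Name" = "data" layout, tells one-shot RunOnce values from Run values that fire at every logon, extracts the script that a wscript.exe launcher actually runs, and orders process termination so the guardian dies before its charge. The GUARDS map is an assumption drawn from those strings; SCRIPT_HOSTS and the sample text are constructed for the example.

```python
"""Triage of the autorun values listed in the report above.

Added example (not Lavasoft's code). It parses the report's own layout, a
"[HIVE\\key]" line followed by '"Name" = "data"' lines, and derives what an
incident responder needs: which values survive a reboot, which script file a
script-host launcher actually runs, and in what order to kill the processes
so that a watchdog cannot re-spawn what was just terminated.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the four values from the report, verbatim.
SAMPLE = r'''
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\bservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Deal-Dropper-repairJob" = "wscript.exe %Documents and Settings%\%current user%\Local Settings\Application Data\Deal-Dropper\repair.js Deal-Dropper-repairJob"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"
'''

# Assumption taken from the "Strings from Dumps" section: wd.exe embeds the
# path of bservice.exe and imports ShellExecuteW, i.e. it acts as a watchdog
# for bservice.exe. Map: guardian image -> image it re-launches.
GUARDS: Dict[str, str] = {"wd.exe": "bservice.exe"}

# Script hosts: the value's real payload is the script they are handed.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<data>.*)"$')
# Unquoted paths with spaces are common in these values, so split on the
# first ".exe" rather than on whitespace.
CMD_RE = re.compile(r"^(?P<image>.+?\.exe)(?:\s+(?P<args>.*))?$", re.I)
SCRIPT_RE = re.compile(r"^(?P<path>.+?\.(?:js|vbs|wsf))(?:\s|$)", re.I)


@dataclass
class AutorunEntry:
    key: str
    name: str
    data: str

    @property
    def one_shot(self) -> bool:
        """RunOnce values are removed by Windows after a single execution."""
        return self.key.rsplit("\\", 1)[-1].lower() == "runonce"

    @property
    def launcher(self) -> str:
        """Basename of the image the value executes ('' for an empty value)."""
        m = CMD_RE.match(self.data)
        return m.group("image").rsplit("\\", 1)[-1].lower() if m else ""

    @property
    def script(self) -> Optional[str]:
        """Script file run via a script host, or None."""
        m = CMD_RE.match(self.data)
        if not m or self.launcher not in SCRIPT_HOSTS or not m.group("args"):
            return None
        s = SCRIPT_RE.match(m.group("args"))
        return s.group("path") if s else None


def parse_autoruns(text: str) -> List[AutorunEntry]:
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        k = KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_RE.match(line)
        if v and key:
            entries.append(AutorunEntry(key, v.group("name"), v.group("data")))
    return entries


def removal_order(entries: List[AutorunEntry], guards: Dict[str, str] = GUARDS) -> List[str]:
    """Images to terminate, guardians first, so nothing is re-spawned mid-cleanup."""
    remaining = list(dict.fromkeys(
        e.launcher for e in entries if e.launcher and e.launcher not in SCRIPT_HOSTS))
    order: List[str] = []
    while remaining:
        for img in remaining:
            if not any(charge == img and g in remaining for g, charge in guards.items()):
                order.append(img)
                remaining.remove(img)
                break
        else:
            raise ValueError("watchdog cycle: %r" % remaining)
    return order


def triage(text: str) -> Dict[str, List[str]]:
    entries = parse_autoruns(text)
    return {
        "persistent": [e.name for e in entries if not e.one_shot],
        "one_shot": [e.name for e in entries if e.one_shot],
        "scripts_to_delete": [e.script for e in entries if e.script],
        "kill_order": removal_order(entries),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print("%-18s %s" % (k, v))
```

Two things the registry block alone does not show: the "Deal-Dropper" RunOnce value is already empty in the report, and the scheduled-task file bench-S-1-5-21-...job dropped into %WinDir%\Tasks is a third persistence path that lives outside the Run keys, so a cleanup that only edits the registry leaves it in place.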
Static Analysis
VersionInfo
Company Name: Smart Apps
Product Name: Deal-Dropper
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 34884 | 35328 | 4.14077 | 49b0a05e59cfe2eb146863465a7f35bb |
.data | 40960 | 140 | 512 | 0.818128 | df0ef3a0da7e22c790a62c5869d70520 |
.rdata | 45056 | 9108 | 9216 | 4.08895 | 91271e59f4470886a512444b74613d7b |
.bss | 57344 | 109520 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 167936 | 4868 | 5120 | 3.63012 | 5f39890d9696ebf98517ebe318287e41 |
.ndata | 176128 | 73728 | 1024 | 0 | 0f343b0931126a20f133d67c2b018a3b |
.rsrc | 249856 | 35200 | 35328 | 3.19635 | 2394746b531639903751050a9dbd5de8 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 9
e69abe473b2d53fa926523b8ac8c13d4
b447ea8d07bd37f7adf1b18a49a28dcf
b0bd1cc9cb26b028c593d9a98d0979f8
4f14310ea6fd79372b6efdc599270ecb
5049c1ff8862c19e0eda2f1016082740
84610b9d362cec452e827f53017082ce
d57f220ab3644c660b28813f37d05c79
0c97ec9189030a038e6a5a56c5cb078f
27a3f0e00ca535a39d08501922ce65f1
Network Activity
URLs
URL | IP |
---|---|
hxxp://d2rx3wo6u6259k.cloudfront.net/installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 | |
hxxp://d2rx3wo6u6259k.cloudfront.net/tbi-ping/4433e0bcf600ea79ca332930e87765a0/5cc36c09d3851c4f9c6368cf0331e90b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 | |
hxxp://www.installping5.info/tbi-ping/4433e0bcf600ea79ca332930e87765a0/5cc36c09d3851c4f9c6368cf0331e90b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 | 54.230.200.5 |
hxxp://www.installping5.info/installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 | 54.230.200.5 |
time.windows.com | 65.55.56.206 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /tbi-ping/4433e0bcf600ea79ca332930e87765a0/5cc36c09d3851c4f9c6368cf0331e90b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.installping5.info
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Server: nginx/1.4.5
Date: Sat, 24 May 2014 06:42:12 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sat, 24 May 2014 06:42:12 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 f96185b1d69d6f85635bc2b5554da639.cloudfront.net (CloudFront)
X-Amz-Cf-Id: wVA018OHhrkU8n9Y3TddN8Bs4yB4OqfQV-QIpUVq5vYwbxV1l97e2w==
GET /installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: VVV.installping5.info
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=iso-8859-1
Content-Length: 386
Connection: keep-alive
Server: nginx/1.4.5
Date: Sat, 24 May 2014 06:42:03 GMT
X-Cache: Error from cloudfront
Via: 1.1 e4438a14707a01f6102dc21875d75080.cloudfront.net (CloudFront)
X-Amz-Cf-Id: EyswnoY8I1J9gAEvWxNr0AQr3huYvWmBBXe2efMxvMeduQqaQcn7wg==
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/ was not found on this server.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at gameplaylabs.com Port 80</address>
</body></html>
<<< skipped >>>
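The two requests above are install-tracking beacons rather than payload downloads: the /tbi-ping/ call returns 200 with an empty body, the /installer-run/ call 404s, and the 404 body names an Apache origin at gameplaylabs.com behind the CloudFront front. The same install id (4433e0bc...) and the same affiliate query string (pid, sub_id, uzid, and a second pid) appear in both, which makes them a good pivot for scoping. The script below is an added example, not Lavasoft's or the vendor's code: it parses the URL shapes shown in the traffic from proxy-style log lines and returns one verdict per line. The "client method url" log layout and the benign third line are constructed; the de-fanged hxxp/VVV forms have been restored to http/www for the sample.

```python
"""Detection helper for the install-ping beacons shown in the traffic above.

Added example, not Lavasoft's code. It parses the two request shapes the
report shows (/tbi-ping/... and /installer-run/...) from proxy-style log
lines, pulls out the affiliate/tracking identifiers, and returns one verdict
per line so the logic can be dropped into a log pipeline. The log line
layout and the benign line are constructed for the example.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Hosts seen in the report. The CloudFront hostname and the 404 body
# ("Server at gameplaylabs.com") show the beacon endpoint is a CDN front.
BEACON_HOSTS = {"www.installping5.info", "d2rx3wo6u6259k.cloudfront.net"}

# /<kind>/<32-hex install id>/<32-hex or pcNNN:hex token>/<campaign>/<numeric id>/
PATH_RE = re.compile(
    r"^/(?P<kind>tbi-ping|installer-run)/(?P<install_id>[0-9a-f]{32})/"
    r"(?P<token>[^/]+)/(?P<campaign>[^/]+)/(?P<uzid>\d+)/?$"
)

# Constructed sample log: "<client> <method> <url>" per line. Lines 1-2 carry
# the URLs from the report (hxxp/VVV de-fanging undone); line 3 is benign.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.installping5.info/tbi-ping/4433e0bcf600ea79ca332930e87765a0/5cc36c09d3851c4f9c6368cf0331e90b/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779
10.0.0.5 GET http://www.installping5.info/installer-run/4433e0bcf600ea79ca332930e87765a0/pc2985725:4433e0bcf600ea79ca332930e87765a0/xriderexe/446810/?pid=38902&sub_id=default&uzid=446810&subid=&pid=1779
10.0.0.7 GET http://example.org/index.html
"""


def parse_beacon(url: str) -> Optional[Dict[str, object]]:
    """Return the beacon's fields, or None when the URL is not one."""
    u = urlsplit(url)
    m = PATH_RE.match(u.path)
    if not m:
        return None
    q = parse_qs(u.query, keep_blank_values=True)
    host = (u.hostname or "").lower()
    return {
        "host": host,
        "known_host": host in BEACON_HOSTS,
        "kind": m.group("kind"),
        "install_id": m.group("install_id"),
        "token": m.group("token"),
        "campaign": m.group("campaign"),
        "uzid": m.group("uzid"),
        # 'pid' appears twice in the query (38902 and 1779); keep both rather
        # than letting a dict silently drop one of the partner ids.
        "pids": q.get("pid", []),
        "sub_id": q.get("sub_id", [""])[0],
        # uzid in path vs query: a mismatch is worth a second look.
        "uzid_consistent": q.get("uzid", [None])[0] == m.group("uzid"),
    }


def scan_log(text: str) -> List[Dict[str, object]]:
    """One verdict per log line: {'client', 'url', 'beacon' (dict or None)}."""
    out: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        client, _method, url = parts
        out.append({"client": client, "url": url, "beacon": parse_beacon(url)})
    return out


def install_ids(text: str) -> Dict[str, List[str]]:
    """install_id -> clients that beaconed with it (pivot key for scoping)."""
    seen: Dict[str, List[str]] = {}
    for hit in scan_log(text):
        b = hit["beacon"]
        if b:
            seen.setdefault(str(b["install_id"]), []).append(str(hit["client"]))
    return seen


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        b = hit["beacon"]
        print(hit["client"], "BEACON" if b else "ok", b["kind"] if b else hit["url"])
```

The path is matched on shape rather than on hostname alone because the same beacon is sent both to the CloudFront distribution and to the vanity domain; known_host is reported separately so a new front does not silently drop out of detection.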
Map
The program connects to the servers at the following location(s):
Strings from Dumps
wuauclt.exe_2068:
.text
`.data
.rsrc
@.reloc
wuauclt.pdb
GetProcessHeap
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ntdll.dll
ole32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
version="6.0.0.0"
name="Microsoft.Windows.windowsupdate.wuauclt"
<windowsSettings></windowsSettings>
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
name="Microsoft.Windows.Common-Controls"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel>
wuaueng.dll
Error: 0xx. wuauclt handler: failed to spawn COM server
Error: 0xx. wuauclt handler: failed to load wuaueng
/ReportNow
/ShowWindowsUpdate
/CloseWindowsUpdate
wuauclt.exe failed to get proc address for UI export object with error %#lx
Failed to load %s with error %X
wucltui.dll
wucltux.dll
call RunAUClientUI on wucltui.dll/wucltux.dll
Ntdll.dll
WuSqm %ls session datapoint (id:%d) is incremented with dword %d.
wuauclt.exe is exiting with code 0xX
wuauclt.exe launched with command line %s
kernel32.dll
WUWeb
Report
7.6.7600.256
Global\WindowsUpdateTracingMutex
WindowsUpdate.log
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Windows
shell32.dll
%s: %s [
%s: %s
%s\%s
= Module: %s
= Module: <failed with %d>
= Process: %s
= Process: <failed with %d>
=========== Logging initialized (build: %s, tz: %s) ===========
wups2.dll
wups.dll
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup\
%hs %ls page "%ls", hr=%X
Microsoft.WindowsUpdate
wupdmgr.exe
Failed to cocreate IShellWindows, error = 0xlX
Failed to obtain window doc for window %d, error = 0xlX
Failed to obtain folder view for window %d, error = 0xlX
Failed to obtain folder IPersist for window %d, error = 0xlX
Window %d is NOT a WU window
Done enumerating windows
Quit for window %d failed: 0xlX
Window %d is a WU window. Attempting to close
Failed to obtain class ID for window %d, error = 0xlX
Got NULL disp interface for window %d
Got %d instead of VT_DISPATCH for window %d
Failed to obtain IWebBrowserApp for window %d, error = 0xlX
Failed to enumerate window %d, error = 0xlX
Found %d explorer windows
Closing WU explorer windows
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
WUAppNotificationWindows
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired\Mandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending\
%chdhd
hd-hd-hd%chd:hd:hd:hd
%WinDir%
Windows Update
7.6.7600.256 (winmain_wtr_wsus3sp2(oobla).120602-1459)
wuauclt.exe
Windows
Operating System
bservice.exe_2108:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\WORK\mercurial\50onred\misc\ChromeHook\Release\bservice.pdb
KERNEL32.dll
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
0 0$0(0,0004080<0
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
bhelper.dll
kGlobal\{4B5DC379-ED06-4552-A736-414A1570C24F}_bhelper_mutex0
%Program Files%\Bench\BService\bservice.exe
wd.exe_3132:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\WORK\mercurial\50onred\misc\Watchdog\Release\wd.pdb
KERNEL32.dll
USER32.dll
ShellExecuteW
SHELL32.dll
GetProcessHeap
GetCPInfo
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
1*2024282<2
> >$>(>,>0>
kernel32.dll
%d.%d.%d%s %s
%PROGRAMFILES%\Bench\BService\bservice.exe
bservice.exe
Global\{4B5DC379-ED06-4552-A736-414A1570C24F}_watchdog_mutex0
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%Program Files%\Bench\Wd\wd.exe