MemScan:Application.Bundler.Outbrowse.E (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0e450434c52831cdd8808a4217f6099f
SHA1: af53ab909a724b33b8f7cbc6e328dc3e6858fceb
SHA256: 59eeffd28655c418d0ff1e2e0922f3f6cd00d31e99329b91505c2522b2a3ea12
SSDeep: 24576: V484CsoZWCM5PAj7vrhbpODEN6kVYQnon08SFve:2L4hp rOoN6kVY o0rFm
Size: 943384 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
wmic.exe:488
The Trojan injects its code into the following process(es):
setup.exe:860
f.exe:388
%original file name%.exe:1908
6_Offer_10.exe:1492
File activity
The process setup.exe:860 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\modern-wizard.bmp (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\InstallOptions.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\components.ini (1218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\summary.ini (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\modern-header.bmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\options.ini (3918 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\shortcuts.ini (1782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\ioSpecial.ini (9996 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nssB5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp (0 bytes)
The process f.exe:388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\jquery-ui.min[1].js (5973 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\DynamicOfferScreen[1].htm (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\jquery-ui[1].css (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BuzzIT2Checker11-6[1].exe (9673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_10.exe (1753642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\Firefox Setup 26.0[1].exe (2741579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery-ui-1.8.19.custom[1].css (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.min[1].js (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\bodyImg[1].png (8072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\DynamicOfferScreen[1].htm (850 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (0 bytes)
The process wmic.exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\f.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsCalgk.dat (27433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB3.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nseB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB3.tmp (0 bytes)
The process 6_Offer_10.exe:1492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll (2435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\twitter.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll (34782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe (1145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.dic (6572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\blocklist.xml (1227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe (8326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll (1422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\omni.ja (70343 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe (2693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.exe (3414 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll (7187 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll (2666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe (2061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\setup.exe (6698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\omni.ja (37685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll (18141 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\amazondotcom.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\crashreporter-override.ini (783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\yahoo.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\webapprt.ini (487 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll (8532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll (28466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\bing.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\defaults\pref\channel-prefs.js (358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\wikipedia.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll (1886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\omni.ja (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll (1676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\xul.dll (183544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\chrome.manifest (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\platform.ini (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\removed-files (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nss3.dll (14726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe (1832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll (3352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\components.manifest (34 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll (1110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\google.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.chk (899 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe (1753 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe (4203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\update-settings.ini (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\eBay.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\application.ini (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.aff (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\firefox.exe (2583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\precomplete (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dependentlibs.list (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll (3701 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll (844 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp (0 bytes)
Registry activity
The process setup.exe:860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 22 39 A4 39 53 08 26 88 16 D2 6C F3 78 58 2D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process f.exe:388 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014061220140613]
"CachePrefix" = ":2014061220140613:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014061220140613]
"CacheOptions" = "11"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"
[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014061220140613]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014061220140613\"
[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\f.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216" = "My Computer"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B E4 81 A8 DF 7E 5B E5 5A DD 60 63 CF 2C 55 A3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"
[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014061220140613]
"CacheRepair" = "0"
"CacheLimit" = "8192"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"netshell.dll,-1300"
"wshext.dll,-4802"
"wshext.dll,-4803"
"cryptext.dll,-6112"
"cryptext.dll,-6113"
"cryptext.dll,-6110"
"cdfview.dll,-4610"
"accwiz.exe,-16"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9918"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"wshext.dll,-4801"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9927"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9912"
"unregmp2.exe,-9913"
"unregmp2.exe,-9910"
"unregmp2.exe,-9911"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\PCHealth\HelpCtr\Binaries]
"msinfo.dll,-391"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\Movie Maker]
"wmm2res.dll,-63097"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9915"
"unregmp2.exe,-9916"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"RCBdyctl.dll,-150"
"msi.dll,-34"
"msi.dll,-35"
"cryptext.dll,-6111"
"pdh.dll,-10023"
"notepad.exe,-469"
"shscrap.dll,-258"
"wshext.dll,-4805"
"msxml3r.dll,-1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-190"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"scrobj.dll,-8192"
"msxml3r.dll,-2"
"shimgvw.dll,-301"
"PresentationHost.exe,-3306"
"shimgvw.dll,-303"
"shimgvw.dll,-302"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-209"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"shimgvw.dll,-304"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\Internet Explorer\Connection Wizard]
"icwres.dll,-20003"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"shimgvw.dll,-306"
"shimgvw.dll,-305"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9902"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"zipfldr.dll,-10195"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@""%Program Files%\Windows NT\Accessories]
"WORDPAD.EXE"",-208"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"cryptext.dll,-6109"
"cryptext.dll,-6108"
"wshext.dll,-4800"
"shimgvw.dll,-307"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"conf.exe,-12345"
"conf.exe,-12346"
"conf.exe,-12347"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"Procmon.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-22978"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9923"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9920"
"unregmp2.exe,-9909"
"unregmp2.exe,-9926"
"unregmp2.exe,-9925"
"unregmp2.exe,-9905"
"unregmp2.exe,-9904"
"unregmp2.exe,-9907"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"PresentationHost.exe,-3308"
"mmcbase.dll,-130"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9903"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"wshext.dll,-4804"
"icardres.dll.mui,-4162"
"SHELL32.dll,-8964"
"icardres.dll.mui,-4146"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%Program Files%\NetMeeting]
"nmwb.dll,-1234"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"setupapi.dll,-2000"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"cmd.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"sandbox_svc.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"cryptext.dll,-6145"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shdoclc.dll,-880"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9914"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"PresentationHost.exe,-3300"
"SHELL32.dll,-9227"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"ntbackup.exe,-40"
"SHELL32.dll,-9217"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%WinDir%\inf]
"unregmp2.exe,-9908"
The process wmic.exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 3E 89 64 12 1C B4 27 9E 4B 38 15 E0 18 00 11"
The process %original file name%.exe:1908 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 6C AC A1 8B 84 E2 B3 F0 9F 45 DB 35 EE DA DE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 6_Offer_10.exe:1492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 7B 6A BE E3 3C 7B 46 B6 47 08 9E CF 8F FA 99"
Dropped PE files
| MD5 | File path |
|---|---|
| c5c5de801c3d3ee767574893a7df656d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6_Offer_10.exe |
| cf51b758916e5bf68ba8f0a6b3fb6bf1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll |
| 1c9b45e87528b8bb8cfa884ea0099a85 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll |
| 0cd085ca321c43cb4c1bcf99ab8ea080 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll |
| 666a76d8ed0a06c9404da0d546bf3627 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll |
| e17ee29b33661a5dfa55c8788adca28f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe |
| 1eea6c1b35191dc177ea83672b9c3fc0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\firefox.exe |
| 8439cd841764fc1d7b1059a21021bdca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll |
| 1fd37aec631eef547ff6c93151c21a5b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll |
| 9440e99ff69d095896660a166bf74866 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll |
| a24534258c89c992d3e03729e3c42ab3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll |
| 3b9398e0146855b1dc0e3d9769c80f01 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe |
| b5b3e07dd04eaa1ffceb37ef9f7849fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe |
| 454830b2ff549241e4b09cd291f4b59d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll |
| ab7ebfd1d7fe626612d1e815fe4e6df4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll |
| 8a6087b231b529ef6186cd0179b16032 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll |
| 03e9314004f504a14a61c3d364b62f66 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll |
| 67ec459e42d3081dd8fd34356f7cafc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll |
| 2545f8fa1ba4417308df63b952d66fa1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nss3.dll |
| cf618ddc43b1f48959275961d0142615 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll |
| 689a9eff35da52f70849fdb25034174f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll |
| 0dd74786d22edff0ce5b8e1b1e398618 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe |
| 51bb4983ba8b8f4c712ae7ebb5577cd8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe |
| a6f5aa4bd602cda7b0a375a6a48d715d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll |
| 5b61c11223e59c1aca4adae6fdd2a775 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe |
| 63e98c05d504e9f30dae364dce50e0f5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\updater.exe |
| 4f5cac0d371454e97d1bd918489792f6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe |
| abcc2fbcca63a5f6309485ca3ef18e7c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe |
| de2345b8cbcc6366e20848ec22278cb6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\core\xul.dll |
| 01944475fa7b6c1f30f931013cf61d1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7zSB4.tmp\setup.exe |
| c416bcf6a1bfc274c22c243da87c0f33 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\f.exe |
| 67d8f4d5acdb722e9cb7a99570b3ded1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsyB6.tmp\InstallOptions.dll |
| 959ea64598b9a3e494c00e8fa793be7e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsyB6.tmp\System.dll |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nszB3.tmp\System.dll |
| b8b654dd30c249e00c79f1508a2736e5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BuzzIT2Checker11-6[1].exe |
| c5c5de801c3d3ee767574893a7df656d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\Firefox Setup 26.0[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Static Analysis
VersionInfo
Company Name:
Product Name: Firefox
Product Version: 3.0
Legal Copyright: Firefox
Legal Trademarks: Firefox
Original Filename:
Internal Name:
File Version:
File Description: Firefox
Comments: setup Installer
Language: English (United States)
Company Name: Product Name: FirefoxProduct Version: 3.0Legal Copyright: FirefoxLegal Trademarks: FirefoxOriginal Filename: Internal Name: File Version: File Description: FirefoxComments: setup InstallerLanguage: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 94208 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 286720 | 3176 | 3584 | 2.75375 | 61886786c758d78857d0529764e4c7bd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 302
9075f446add5ec41257f58f8dc344511
96049b81afcba5504ac62535d479eab7
77dd15c80aac892183e3dde5748a9f49
b56792ed40bb0db7771f6e7939421318
765f5f1c6229b04162a0162331f395ca
70f3bb94946976b1293321e6684e7bf2
aad5e867c90d4c5fc8036bd76b39a58a
814bad5197e5c451acc62ddc3a138763
67f2cbf99077e3c26ec61df01142a716
dc87813f281207364e4e48179c7884f1
e3d6d1ea384286b90831d0e7aaff53c4
3e0b2b217b9c2b941b63ea070d50dc6d
63074c2018e70b11c09c0c7892335203
99b5f1f9a52fb70d005137305774329e
8fe86a72d17609de654b483c37fdf3ad
1405f5ca5702a284b3700ecc9a97d4e1
b8ea9c27cb2d2f506278a11e4772c9b9
6b6722f4fe9272ac9b6a09855d9b2d4a
ea455abe2050f4e9fc51b8930d96fbfd
b630002058b8fbe3b2941cd63bf22582
303b15f485629d901ee7e9b61aed47c3
3c1da23df01e08be65e1614f625e9e0b
5a193f82262c4afbe3d0083128796d4f
dbac4a71f08aabab3589351661b3c90d
2845fc7fddbe0840c1a161a4afb1daa7
31630bea534c17545e895babaec86f9e
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4850&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&version=4.0 | |
| hxxp://e1005.g.akamaiedge.net/pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/Buzzit2/BuzzIT2Checker11-6.exe | |
| hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0& | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css | |
| hxxp://googleapis.l.google.com/ajax/libs/jquery/1.5/jquery.min.js | |
| hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css | |
| hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/topLine.jpg | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/topComp.png | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/bgImg.jpg | |
| hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&reqid=107257330&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4850&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&status=0&installedid=5187&offerscreenid=&offerorder=10&downloadduration=10609&installduration=109 | |
| hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png | |
| hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png | |
| hxxp://smartinstaller.elasticbeanstalk.com/Installer/TrackFinish?reqid=107257330&x=y&clickid=-1 | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/bottomLine.jpg | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/bodyImg.png | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/nextCase.jpg | |
| hxxp://www.postdownload.net/portal/redirect.php?id=fnpelrdlp85oj5d9pn41hv2n0r8mh682kfpt98iiip171r6bv781-4ffcd8ddd688b7c46c78c75273d1df4a&d=ez-download.com&p=Firefox&pid=3 | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/button_over.png | |
| hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/offers/images/Theme11/button.png | |
| hxxp://thankyou.postdownload.net/thankyou1.php?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1402551131&id=fnpelrdlp85oj5d9pn41hv2n0r8mh682kfpt98iiip171r6bv781-4ffcd8ddd688b7c46c78c75273d1df4a | |
| hxxp://thankyou.postdownload.net/css/thanks1.css | |
| hxxp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00 | |
| hxxp://ez-download.com/track/typ/?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1402551131&id=fnpelrdlp85oj5d9pn41hv2n0r8mh682kfpt98iiip171r6bv781-4ffcd8ddd688b7c46c78c75273d1df4a | |
| hxxp://a1834.g1.akamai.net/images/addons/icons/0-creatives/23821/Asap-UK-RON-ALL-300-Table-UK-Clean-AA195_fc.gif | |
| hxxp://dualstack.counter-817696455.us-east-1.elb.amazonaws.com/blank.gif?t=141592501254&h=a023e0f902a095d8b136fb5b66956e00&cids=n8d | |
| hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png | |
| hxxp://static.revenyou.com/offers/images/Theme11/topComp.png | |
| hxxp://www.ez-download.com/track/typ/?pd=1&d=ZXotZG93bmxvYWQuY29tL3RyYWNrL3R5cC8=&type=Firefox&ts=1402551131&id=fnpelrdlp85oj5d9pn41hv2n0r8mh682kfpt98iiip171r6bv781-4ffcd8ddd688b7c46c78c75273d1df4a | |
| hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css | |
| hxxp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css | |
| hxxp://cdn.delivery49.com/images/addons/icons/0-creatives/23821/Asap-UK-RON-ALL-300-Table-UK-Clean-AA195_fc.gif | |
| hxxp://static.revenyou.com/offers/images/Theme11/button.png | |
| hxxp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js | |
| hxxp://installer.apps-track.com/Installer/Flow?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4850&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&version=4.0 | |
| hxxp://cdn.download4desktop.com/Installer/Buzzit2/BuzzIT2Checker11-6.exe | |
| hxxp://installer.apps-track.com/Installer/TrackFinish?reqid=107257330&x=y&clickid=-1 | |
| hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js | |
| hxxp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0& | |
| hxxp://static.revenyou.com/offers/images/Theme11/bodyImg.png | |
| hxxp://static.revenyou.com/offers/images/Theme11/bgImg.jpg | |
| hxxp://static.revenyou.com/offers/images/Theme11/bottomLine.jpg | |
| hxxp://static.revenyou.com/offers/images/Theme11/nextCase.jpg | |
| hxxp://download-installer.cdn.mozilla.net/pub/firefox/releases/26.0/win32/en-US/Firefox Setup 26.0.exe | |
| hxxp://static.revenyou.com/offers/images/Theme11/topLine.jpg | |
| hxxp://counter.d.delivery49.com/blank.gif?t=141592501254&h=a023e0f902a095d8b136fb5b66956e00&cids=n8d | |
| hxxp://static.revenyou.com/offers/images/Theme11/button_over.png | |
| hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png | |
| hxxp://installer.apps-track.com/Installer/Track?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&reqid=107257330&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4850&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&status=0&installedid=5187&offerscreenid=&offerorder=10&downloadduration=10609&installduration=109 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /Installer/Flow?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4850&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&version=4.0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: installer.apps-track.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Thu, 12 Jun 2014 05:25:59 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 13171
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8 $.Fmkcsez_oajgRvjdo"8.*(, ./!("P`_F^w.4!DKCTW>NPO?MP_SN=M.Ql`ssap`TWLc^lbdPpjl`\rFHS., M]bDcv03.: CC@R]@OQNELOWPLCO.RkfrrYm^ZYMd]racHmhrb]sENR.$.KcmiqpN_h].3 P_`ncfKjjmc`nHJT '.KkmaobpIB.2-,.-&!=lu\qnHdc_q.:.'.DlU^csBopDfnm_if!61*.=s^SOF!6"folk3-,^k-.bjoilcopdn1,^gh(Gkms]lj`j*Lc^lbdPpjl`\rD_marg^'N^_o]gLrmo]^mEbhdnia/K`msm(dte '.>hkj[m`Lgi].3 ,LDC=GIL.(AQCC9CR. -,642!("Ma^`kSOF!6"folk3-,iebepn[m^ck(`lpq(lmZahm-_ok*'j_dblr DwiYhbaL`earQ^j`^l<iebepd\8 00 onobp[obb:,2,0$_anmga72.06!d`Zbm74-85![jnlqlxed;2)!lwp\hp=1-.__`:*Û;-.'.P^nd.: ,$.:bacseol\d?Zr^.9."*.9imgscqqscnJ``Ibsr.: .$.I_vitp"8()'.Cc`d_tgq].3 .&!LrmhgobmkL`pe 5%,% Acr_rckYi\wO[sa"8()'.Qi_dlAdo]mBlpn`hl 5(x%y.JnotCs].3 .&!Lrc@p`.8.. .CmhhjgcknSupc.2 % JimetguYobmkNxleq.2. 0'01"*.J``Ibs!6"FF=TXARLQANRZMN>P.Mnbtu\j`UZP_`ncfKjjmc`nHJT0.$.KcdEdu62.2.AIBS^?UPM=IM]RMDN Qj^op_o_[XSc\j^aNoisacrDFO ).QapmmlIZkb.9.Sc\j^aNoisacrDFO ).Onobp[oBB.43-60'.<eu^srKfd`j.3.).HoW_dlAhpFhrpajg.5**.?waUPG.5.fqno6/-_d,'blqmoepq]m*,`il Ilnl\ejbl.Oe_m[cIplnd_tE`f`kg`)Raap^`Kkmq_bpGci]mba1Mdpun)]s^ ).Bkmk\f_Egk_!6".*J@@;FHS. .*;OBB:=S/3/4/., ).NbfcmMME 7.gptn5'*hdc_qocp`]i'_mjr)tp\[fl,`il /ma^`kq,>xjakd[J_dblR_rc`f:hdc_qed;,)2.noicqcrd\8-/3,%`iqoa_61/*7"lc\\k63.26"cmpfokwf^<31$nqn[gq72.&baZ8)$e\<."*.J\mc.4,-, <\_brfim]lB\l\.8.. .AloaqbprmdoRcbC`rq.4!., KYthsq.9)1*.
<<
<<< skipped >>>
GET /Installer/Track?pubid=1955&distid=3208&productid=5187&subpubid=-1&campaignid=0&networkid=1&reqid=107257330&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=4850&d2=41&d3=-1&d4=-1&d5=-1&ds1=&hb=2&systembit=32&vm=1&status=0&installedid=5187&offerscreenid=&offerorder=10&downloadduration=10609&installduration=109 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: installer.apps-track.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Thu, 12 Jun 2014 05:26:09 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK......
GET /Installer/TrackFinish?reqid=107257330&x=y&clickid=-1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: installer.apps-track.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Thu, 12 Jun 2014 05:26:10 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK....
GET /blank.gif?t=141592501254&h=a023e0f902a095d8b136fb5b66956e00&cids=n8d HTTP/1.1
Accept: */*
Referer: hXXp://d.delivery49.com/widget/render/hash/a023e0f902a095d8b136fb5b66956e00
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: counter.d.delivery49.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Date: Thu, 12 Jun 2014 05:26:25 GMT
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Server: nginx/1.2.1
Content-Length: 43
Connection: keep-alive
GIF89a.............!.......,...........L..;HTTP/1.1 200 OK..Content-Type: image/gif..Date: Thu, 12 Jun 2014 05:26:25 GMT..Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT..Server: nginx/1.2.1..Content-Length: 43..Connection: keep-alive..GIF89a.............!.......,...........L..;..
GET /ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/css; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Thu, 12 Jun 2014 04:50:50 GMT
Expires: Thu, 12 Jun 2014 05:50:50 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 6091
X-XSS-Protection: 1; mode=block
Age: 2119
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Alternate-Protocol: 80:quic
...........=k.....3...E...yl.=.=.....7@..6..~...e.#K.$.#A..=.!%J|iz...;@Z.:...y..}..........X.H~{G...O~......-.M^M....@o..c.....Og.s............!/.Ms.\\...'t.&qy..........hN.,fE..r*.V.f..O.>.."...G._.... s.WO8f....v...dJ>O...H ..o..>..! v.o~y...gg.....#.D.,?BwgQ...&.,B.h.%. .'.d.1...R...&.M...1..l.3.?.u..t.B.u...F....e....&q..7.bq.bv| ........... V..z;.j.A_.kr.I.J...e.z..A.yV0........0..5i.C.%,. .L..iY4Q.}...t......y..U.q.h.f..-K.....3.6...H..Y..|..u.....\d[T.........>......|...Y...T.*...<..X..F.S.:.4..G.<.r`k.&?........0.p.w gEcN..=.'8a...E......~...$OXJOy.s)...ud..\tQ.Z$$;..|.}g@G..m^...S2.gn.h......;V.yy.!...{4..U%D>x....{...2.SV....!Y<....3..e...cMTb.5.,f...r..$Or..%X...78.I.>..Y.99@.........U......4....5.......2.......UY.<.W EY.h.<.U.l2c.....V.J..T.^...owo.....(...|...Sh..~x..l..ovyY.7...M... ..v2.%.j....Np1_....4...M...9.~.,y.V..b.-...i.&i.q...W7......*1.QP.k:C..^.k6..T.\.u,..LW.(S<)5.............X...ZW...#.UC*.:nT;.....\<._.. J.YK.:9.H}3....U.B..$..W..f$l]^m....@..c..........0.h...l.q.,(."......l.%........:.A..y.'n.. ..j:.q2.]r..M...j.JSQ....i.8...J...".iZ.V.....5..'S:.*..C..V.Y.!S.k*.:FT.tv...1.P.A.e..r.h......-..uGZ6.(.....l..!5....z....2M!.?.G.........'....U>..-aH/ .E.D.T{J..C!...tK.!.a.v..~......$....5 ..xj.u...P...x.@ F{..S..R.O.<d#.E%PS.//......5fV.4...1..S.......mw..#..o Q. .....p_yI..ox.....UM.uP....b.v0GE.....A....X.!pX4.......Y-o..f9.....L.p$.........;..P...Q.b........mZe..$s..].8..t...M...o......X...S".>..1A*.....2h......D.j8Y..wL..^.| ....1...`C
<<
<<< skipped >>>
GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Thu, 12 Jun 2014 04:42:31 GMT
Expires: Thu, 12 Jun 2014 05:42:31 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 88
X-XSS-Protection: 1; mode=block
Age: 2622
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Alternate-Protocol: 80:quic
.PNG........IHDR.......d.....G,Z`....IDAT..c.....&.....G0..ed.......w...........IEND.B`.....
GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Thu, 12 Jun 2014 04:42:31 GMT
Expires: Thu, 12 Jun 2014 05:42:31 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 88
X-XSS-Protection: 1; mode=block
Age: 2622
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Alternate-Protocol: 80:quic
.PNG........IHDR.......d.....G,Z`....IDAT..c.....&.....G0..ed.......w...........IEND.B`.....
GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1
Accept: */*
Referer: hXXp://offerscreen.apps-tracks.com//offers/DynamicOfferScreen?offerid=2&distid=3208&leadp=5187&countryid=71&sysbit=32&dfb=0&hb=2&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Thu, 12 Jun 2014 05:22:32 GMT
Expires: Thu, 12 Jun 2014 06:22:32 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3457
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 221
Alternate-Protocol: 80:quic
.PNG........IHDR.......d.....p..}...HIDATx...K..N................q..B....6...._.d.c.......*...V......|U.......w-...p..>Z..........`............`............`............`............`............`............`............`.......@.....:n.K>.u.....X..V..G........l.9......j6.x..xu..y...I... gZ.D.L...........4[OG.8.|d.....;.N[O..lz.M....{..ne.Z1..VlO...e..k.g.........k.6.r..........be'`t#..zu39.|[..6=9....4..H."...-Cd.D.z.3c.g...S.,..D7.h.H=O.F6.{7.....H6G...S.......U.9.%w....`C.....y.G^@......O..........0.l.....0.Z.4..H..[.k..Z..Z..zm].v.......J.$ZMZ..yK.....Z.4.Z.Z.Z.Gr..M..j.b..Z^.1c.E........,....6&.9....3)....[W.vH...a...k~....,.........1..k.R..........iWd....M.V..O)..?y.....W...._<....p.p....`............`..b.......:............:.............Xj)...w.....-?M.bE|[...I.eki......&.U.6.........l4.[..N.F.....|...qc.Zj.7.....;.f/..w..=......}L[...k.E.S/.x....3-...^.R....."Z.........[........:.;...n.Z..~.....;.....%w....P7...'R^....E[?.C...X.$.^Y.Yj...}...iS.O.....m........r%..4yy.r..I.....Io...'i..;..._....K.7.%.Q../.\......X....3;_........[...[..ti.........._.-..Z.l;j)e.L.lyf"Dm..^4...-.|G.E VdRD..M....S[.{.i6G...~/7V.h....M..;^.1~.}.;......=9.]S2....y.w|Y.#s(..X..;....:=....Y_#.\r......RkY.$.e.mk..n.E|..m|....kk...O.......'......-..n.z..XZ}m\H.._e.....V.x9........!.../.xs......f.......5.Zl .......x.....].?/..9r......h...]^}M....<....;..........p.p....`........}.....n..~....4............. ^=..kc...|j..4{u[.......H.2...Y1......R..|x.5M......j..4.%..x......!ij....bXcT..^ file.
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\modern-wizard.bmp (2784 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\InstallOptions.dll (15 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\components.ini (1218 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\summary.ini (86 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\modern-header.bmp (25 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\options.ini (3918 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\shortcuts.ini (1782 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\System.dll (11 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp\ioSpecial.ini (9996 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\button_over[1].png (921 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\jquery-ui.min[1].js (5973 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\DynamicOfferScreen[1].htm (948 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\PreExe_ID_13667.exe (58 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\jquery-ui[1].css (33 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BuzzIT2Checker11-6[1].exe (9673 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\6_Offer_10.exe (1753642 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\Firefox Setup 26.0[1].exe (2741579 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\jquery-ui-1.8.19.custom[1].css (5521 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\jquery.min[1].js (2321 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\button[1].png (458 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\bodyImg[1].png (8072 bytes)%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\DynamicOfferScreen[1].htm (850 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\f.exe (7972 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\instructionsCalgk.dat (27433 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\nszB3.tmp\System.dll (11 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.dll (2435 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libEGL.dll (95 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\twitter.xml (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozjs.dll (34782 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.ini (4 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt-stub.exe (1145 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.dic (6572 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\install.rdf (305 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\blocklist.xml (1227 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\uninstall\helper.exe (8326 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozglue.dll (1422 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\omni.ja (70343 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice_installer.exe (2693 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.exe (3414 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\libGLESv2.dll (7187 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\browsercomps.dll (2666 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\crashreporter.exe (2061 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\setup.exe (6698 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\omni.ja (37685 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\icon.png (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\D3DCompiler_43.dll (18141 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\amazondotcom.xml (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\crashreporter-override.ini (783 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\yahoo.xml (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\webapprt.ini (487 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcr100.dll (8532 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\gkmedias.dll (28466 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\bing.xml (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\defaults\pref\channel-prefs.js (358 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\wikipedia.xml (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\AccessibleMarshal.dll (1886 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapprt\omni.ja (33 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.dll (1676 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\xul.dll (183544 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\freebl3.chk (899 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssdbm3.chk (899 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\chrome.manifest (40 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\platform.ini (140 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\removed-files (36 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\updater.ini (1 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nss3.dll (14726 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-hang-ui.exe (1832 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\msvcp100.dll (3352 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\components\components.manifest (34 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.dll (1110 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\google.xml (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\softokn3.chk (899 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\maintenanceservice.exe (1753 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\webapp-uninstaller.exe (4203 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\mozalloc.dll (17 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\update-settings.ini (137 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\plugin-container.exe (18 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\browser\searchplugins\eBay.xml (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\application.ini (685 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dictionaries\en-US.aff (3 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\firefox.exe (2583 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\precomplete (2 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\dependentlibs.list (99 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\nssckbi.dll (3701 bytes)%Documents and Settings%\%current user%\Local Settings\Temp\7zSB4.tmp\core\breakpadinjector.dll (844 bytes)