Trojan.Crossrider.17908

Added to the Dr.Web virus database: 2014-05-22

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • %WINDIR%\Tasks\globalUpdateUpdateTaskMachineUA.job
  • %WINDIR%\Tasks\globalUpdateUpdateTaskMachineCore.job
  • %WINDIR%\Tasks\bb64c212-90f5-4d7e-87f7-ee5b0ade62fe-4.job
Creates the following services:
  • [<HKLM>\SYSTEM\ControlSet001\Services\globalUpdate] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
  • '%PROGRAM_FILES%\globalUpdate\Update\GoogleUpdate.exe' /regsvc
  • '%PROGRAM_FILES%\Object Browser\Object Browser-codedownloader.exe' /WZscsBwa /dyqGeJy='Object Browser' /hhBQjVc=32850 /JGSkT='000046' /YTHbNkmX='0' /ciHdRpSZ='0' /rluRGxYUp=FC89DB910285496CBB76817902B29E86IE /WJOPj=6442f89589a669feb316e88dffd8a2a4 /WMSqXF=1_34_05_12 /iFUNYeEm=1.34.5.12 /CRFsAs=1408750692 /xqzkUn=http://st###.###entstatsservice.com /ZYlkDu=http://er####.##ientstatsservice.com /PxGcIm=http://js.#####tstatsservice.com /aZJRhuSIm=ie /mZOxglpw /rgtdh=installer /mxrJU='%TEMP%\Object BrowserInstaller_1408750692.log' /GqLQuN='file://%TEMP%\nsj6.tmp\extensionData'
  • '%PROGRAM_FILES%\Object Browser\bb64c212-90f5-4d7e-87f7-ee5b0ade62fe-4.exe' /amFDNXTmz /dyqGeJy='Object Browser' /eZMYoBF='%PROGRAM_FILES%\Object Browser\32850.xpi' /hhBQjVc=32850 /JGSkT='000046' /YTHbNkmX='0' /ciHdRpSZ='0' /rluRGxYUp=FC89DB910285496CBB76817902B29E86IE /WJOPj=6442f89589a669feb316e88dffd8a2a4 /WMSqXF=1_34_05_12 /iFUNYeEm=1.34.5.12 /CRFsAs=1408750692 /xqzkUn=http://st###.###entstatsservice.com /ZYlkDu=http://er####.##ientstatsservice.com /uymDivZza=300 /DPUmaDDE=9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com /cdQXKzy=0.94 /LkgeR=a9321b2762c2e4c5fbd04b8118e512707c0c8a2d632754caca0b252e936311db9com32850 /bZxxYEH=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/32850.rdf /RPOkTQZmQ='Object Browser' /LZvLlByLh='Browser enhancer' /ZKcdlNo='Object Browser' /aZJRhuSIm=ie /JDAXzHtY='{"asw":[0, 0]}' /mZOxglpw /FizjPHPN /XTYdtoBoe /LWpHklfn='http://up####.##ientstatsservice.com/ff_agent_updates/{CAMP_ID}/update.json' /hUQSxv /rgtdh='installer' /mxrJU='%TEMP%\Object BrowserInstaller_1408750692.log'
  • '%TEMP%\nsw3.tmp\Ecixv.exe'
  • '%TEMP%\comh.243805\GoogleUpdate.exe' /silent /install "appguid={a411beaa-c1b6-41c1-96de-301c4c62f5ad}&appname=0226a064-ac30-42a2-b7ae-80b114ef2930&needsadmin=True&lang=en"
Executes the following:
  • '<SYSTEM32>\msiexec.exe' /V
Terminates or attempts to terminate the following user processes:
  • opera.exe
  • firefox.exe
  • iexplore.exe
Modifies file system:
Creates the following files:
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\icon24.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\skin.css
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\button5.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\icon16.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\button1.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\button3.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\button2.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\c0c3ddd31dea4f034d6263f009023041.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\3c542fa0ed907fa9f6d0505464e451a9.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\6e945d7a2a92ff48a1897d19ed72cee5.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\update.css
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\popup.html
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\icon48.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\panelarrow-up.png
  • %PROGRAM_FILES%\globalUpdate\Update\GoogleUpdate.exe
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\psmachine.dll
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\psuser.dll
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\GoogleUpdateOnDemand.exe
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\GoogleUpdateBroker.exe
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\npGoogleUpdate4.dll
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\GoogleUpdateHelper.msi
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\button4.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\crossrider_statusbar.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\skin\icon128.png
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions.sqlite-journal
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\goopdateres_en.dll
  • %TEMP%\CabB.tmp
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\dd1a3bf6d3545ee7f897b1d71c037d67.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\3fddcadd983f2f9a36254bf705377a3a.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\5919a7544a9f740410e1675ff21a42bb.js
  • %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\8BD11C4A2318EC8E5A82462092971DEA
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\2bbc9035a572e1f6f0d5e9ae7b753557.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\9e708a0691f3579436bf98bdcf16fdec.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\17eb4d3c5412a2b32b961391cf109a59.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\58fe86c260276e0f2004e96ca6401b58.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\60037ed0cfef9d07d6a1ee2fe36a18d2.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\13e56b85b20773df5ddea136878150e1.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\a7bc4118c61f9f25ad63e25e231b28e4.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\af272831902b9ec88e6d5bceedfb68f2.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\dd72317bf1ce75825c4ee1a43a937f9d.js
  • %APPDATA%\Microsoft\CryptnetUrlCache\Content\8BD11C4A2318EC8E5A82462092971DEA
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\82c285f6e78c0a71f282dddcb26d1467.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\5a280afe76ece7c89f9cb3c0fe0811ac.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\39107a678f1d547e5c15c8fd8a281fc8.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\0458071440582e4a40c9c33cd01a9460.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\08d1b5364b83c9ed708c1ed9d0bd276e.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\9aa549d6b188a61b70fb5d79d852476a.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\b75e82bd0e51e05e31ebe54df5cd54e6.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\8970087626683069eccfd32a9e6ef560.js
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\GoogleCrashHandler.exe
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\5fdb427f5dfc205cc25b93c394a4950c.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\d1d766587029a8cbe8ddb5283b323c38.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\api\bf01ae2be5195444c1f785c3d5644539.js
  • %TEMP%\Cab9.tmp
  • %PROGRAM_FILES%\Object Browser\Object Browser-codedownloader.exe
  • %TEMP%\nsj6.tmp\extensionData\plugins\42.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\41.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\40.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\45.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\44.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\43.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\4.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\36.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\35.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\3.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\39.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\38.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\37.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\46.js
  • %TEMP%\nsj6.tmp\extensionData\userCode\background.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\94.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\93.js
  • %WINDIR%\Installer\MSID.tmp
  • %WINDIR%\Installer\35749.msi
  • %TEMP%\nsj6.tmp\extensionData\userCode\extension.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\91.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\7.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\64.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\47.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\9.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\78.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\72.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\177.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\17.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\14.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\183.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\182.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\180.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\13.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\1.js
  • %TEMP%\nsj6.tmp\extensionData\plugins.json
  • %TEMP%\nsj6.tmp\extensionData\manifest.xml
  • %TEMP%\nsj6.tmp\extensionData\plugins\123.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\104.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\102.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\184.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\244.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\242.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\223.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\28.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\260.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\246.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\22.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\207.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\2.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\191.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\217.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\211.js
  • %TEMP%\nsj6.tmp\extensionData\plugins\21.js
  • %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
  • %TEMP%\nsj6.tmp\ExecDos.dll
  • %PROGRAM_FILES%\Object Browser\bb64c212-90f5-4d7e-87f7-ee5b0ade62fe-4.exe
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\locale\en-US\translations.dtd
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\install.rdf
  • %APPDATA%\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\goopdate.dll
  • %TEMP%\comh.243805\psmachine.dll
  • %TEMP%\comh.243805\npGoogleUpdate4.dll
  • %TEMP%\comh.243805\goopdateres_en.dll
  • %PROGRAM_FILES%\globalUpdate\Update\1.3.25.0\GoogleUpdate.exe
  • %PROGRAM_FILES%\Object Browser\32850.xpi
  • %TEMP%\comh.243805\psuser.dll
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\defaults\preferences\prefs.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\211.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\28.js
  • %TEMP%\Cab7.tmp
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\93.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\244.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\123.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\180.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\manifest.xml
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins.json
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome.manifest
  • %APPDATA%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  • %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\183.js
  • %TEMP%\nsj6.tmp\InstallerUtils.dll
  • %TEMP%\nsj6.tmp\System.dll
  • %TEMP%\nsj6.tmp\StdUtils.dll
  • %TEMP%\nsj6.tmp\md5dll.dll
  • %TEMP%\nsj6.tmp\nsisos.dll
  • %TEMP%\nsj6.tmp\InstallerUtils2.dll
  • %TEMP%\nsi5.tmp
  • %TEMP%\nsw3.tmp\Bmpdzenp.tmp
  • %TEMP%\nsw3.tmp\System.dll
  • %TEMP%\nsw2.tmp
  • %TEMP%\nsw3.tmp\StdUtils.dll
  • %TEMP%\nsw3.tmp\Ecixv.exe
  • %TEMP%\nsw3.tmp\WrapperUtils.dll
  • %TEMP%\nsj6.tmp\UserInfo.dll
  • %TEMP%\comh.243805\GoogleUpdateBroker.exe
  • %TEMP%\comh.243805\GoogleUpdate.exe
  • %TEMP%\comh.243805\GoogleCrashHandler.exe
  • %TEMP%\comh.243805\goopdate.dll
  • %TEMP%\comh.243805\GoogleUpdateOnDemand.exe
  • %TEMP%\comh.243805\GoogleUpdateHelper.msi
  • %PROGRAM_FILES%\Object Browser\Uninstall.exe
  • %TEMP%\nsj6.tmp\update.json
  • %TEMP%\nsj6.tmp\inetc.dll
  • %TEMP%\nsj6.tmp\203270
  • %TEMP%\nsj6.tmp\394018
  • %PROGRAM_FILES%\Object Browser\utils.exe
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\16.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\cf31754b6a7c88b77319cc86d20e70ab.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\ffCoreFilesIndex.txt
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\background.html
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\browser.xul
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\options.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\search_dialog.xul
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\dialog.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\userCode\extension.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\207.js
  • %APPDATA%\Microsoft\CryptnetUrlCache\Content\C3E814D1CB223AFCD58214D14C3B7EAB
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\da67ee1fa08dadf6bbee3eb73aacffbe.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\options.xul
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\userCode\background.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\0b214706602fbb1efcc87607da7585e0.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\38f01b8de35efd0daf1c58151e715dd6.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\8d018f67928ebe62c94d788906c4b54f.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\8f9271c792581094c3fc8fe8de4ba7b0.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\dc2f2dfe5c20a99ea101de579033ea63.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\installer.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\006818d1eb4833aab53b69140253106d.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\1b759bce6454e9b7f551c2bad79a4931.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\bb4a56817e947a11d48bab43994381b4.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\8400bf37a6a132a76d0b63e23b6b1cfa.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\6fa076d2474b153ab681136179a1aed2.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\e76e510009ac309297d1899d47a6fa33.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\730ca65ba2927fcb4e85c5df86e77d23.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\chrome\content\core\5e2a1cd5f8cf5df1ef2136656fc99987.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\104.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\217.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\9.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\260.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\177.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\14.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\182.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\4.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\242.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\91.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\1.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\7.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\21.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\22.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\47.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\17.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\78.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\98.js
  • %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\C3E814D1CB223AFCD58214D14C3B7EAB
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\13.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\102.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\223.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\64.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\246.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\184.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\72.js
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions\9321b276-2c2e-4c5f-bd04-b8118e512707@c0c8a2d6-3275-4cac-a0b2-52e936311db9.com\extensionData\plugins\191.js
Deletes the following files:
  • %TEMP%\CabB.tmp
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions.sqlite-journal
  • %TEMP%\Cab9.tmp
  • %TEMP%\nsj6.tmp\203270
  • %TEMP%\Cab7.tmp
Network activity:
Connects to:
  • 'www.download.windowsupdate.com':80
  • 'cr#.#hawte.com':80
  • 'ts####.ws.symantec.com':80
  • 'lo##.###entstatsservice.com':80
  • 'up####.##ientstatsservice.com':80
  • 'er####.##ientstatsservice.com':80
  • 'st###.###entstatsservice.com':80
TCP:
HTTP GET requests:
  • www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  • www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
  • ts####.ws.symantec.com/tss-ca-g2.crl
  • cr#.#hawte.com/ThawteTimestampingCA.crl
  • er####.##ientstatsservice.com/installer-error.gif?ac##################################################################################################################################################################################################################################################################################################################################################################
  • up####.##ientstatsservice.com/installer_updates/000046/update.json
  • lo##.###entstatsservice.com/monetization.gif?ev########################################################################################################################################################################################################################################################################################################################################################
  • st###.###entstatsservice.com/installer.gif?ac########################################################################################################################################################################################################################################################################################################################################################################################
UDP:
  • DNS ASK www.download.windowsupdate.com
  • DNS ASK cr#.#hawte.com
  • DNS ASK ts####.ws.symantec.com
  • DNS ASK lo##.###entstatsservice.com
  • DNS ASK up####.##ientstatsservice.com
  • DNS ASK er####.##ientstatsservice.com
  • DNS ASK st###.###entstatsservice.com
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Shell_TrayWnd' WindowName: ''

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and of any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, write it to a USB drive or burn it to a CD/DVD. After booting from this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow the recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount, or you see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet in safe mode (depending on the operating system version and the specifications of the particular mobile device, this procedure can be performed in various ways; consult the user guide that was shipped with the device, or contact its manufacturer);
    • Once safe mode is active, install Dr.Web for Android onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.