Win32/Virus.Adware.932


Win32/Virus.Adware.932 is also known as Gen:Variant.Adware.Strictor.75886 and Gen:Variant.Adware.Strictor.75886 (B).

Malware Analysis of Win32/Virus.Adware.932 – AMISETUP1006__9664.EXE

Created files:

%Local Appdata%\Mozilla\Firefox\Profiles\profile.default\cache2\entries\641CF631F6691A803AF3031AB3729582559ACFC1
%Temp%\042EBF652713FDE56732268E968391ED.ini
%Temp%\amisetup1006__9664.exe
%Temp%\amitest.txt
%Temp%\chrome_BITS_3948_22664\BIT46.tmp

Autostart registry keys observed in the sandbox (many of the entries below belong to software already present in the analysis image, such as Norton 360 and VMware Tools, rather than to the dropper; the istartsurf, XTab, CashReminder, DesProtetor, MyPC Backup and StormFall entries and the hijacked browser start commands are the ones specific to this sample):

HKLM\Software\Classes\Applications\ccSvcHst.exe\TaskbarGroupIcon: “%Program Files%\Norton 360\Engine\6.0.0.145\NPC360ui.dll,0”
HKLM\Software\Classes\CLSID\{0579E89F-E364-4a3d-A9CB-90262B2B7E1C}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\buShell.dll”
HKLM\Software\Classes\CLSID\{09D32393-10DA-4eca-91AA-AD11C69DB966}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\McStatus.dll”
HKLM\Software\Classes\CLSID\{2272AE7A-0C30-48E1-91DF-F9E666276C0C}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\MsouPlug.dll”
HKLM\Software\Classes\CLSID\{3593C8B9-8E18-4B4B-B7D3-CB8BEB1AA42C}\InprocServer32\: “%Program Files%\XTab\SupTab.dll”
HKLM\Software\Classes\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\buShell.dll”
HKLM\Software\Classes\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\buShell.dll”
HKLM\Software\Classes\CLSID\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\coIEPlg.dll”
HKLM\Software\Classes\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\IPS\IPSBHO.DLL”
HKLM\Software\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\coIEPlg.dll”
HKLM\Software\Classes\CLSID\{B59987EA-25FE-44B4-8802-E4DE67073D8C}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\buShell.dll”
HKLM\Software\Classes\CLSID\{C038C017-8A01-4929-8639-52EBECB5F6B8}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\NPCGadgt.dll”
HKLM\Software\Classes\CLSID\{DE1F7EEF-1851-11D3-939E-0004AC1ABE1F}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\OfficeAV.dll”
HKLM\Software\Classes\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\buShell.dll”
HKLM\Software\Classes\CLSID\{F7CAA2A1-67A2-44BB-B20F-202FD8EB1DAB}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\buShell.dll”
HKLM\Software\Classes\CLSID\{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA}\InprocServer32\: “”%Program Files%\Norton 360\Engine\6.0.0.145\NavShExt.dll””
HKLM\Software\Classes\CLSID\{FD7B051A-1E54-41f8-8A87-2F4349A8CCC8}\InprocServer32\: “%Program Files%\Norton 360\Engine\6.0.0.145\uiWebHst.dll”
HKLM\Software\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\path: “%Program Files%\Norton 360\Engine\6.0.0.145\Exts\Chrome.crx”
HKLM\Software\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk\version: “2012.5.0.140”
HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\DisplayName: “istartsurf”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D20352A90C039D93DBF6126ECE614057\InstallProperties\UninstallString: “MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D20352A90C039D93DBF6126ECE614057\InstallProperties\DisplayName: “Microsoft Visual C++ 2008 Redistributable – x86 9.0.30729.17”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder\UninstallString: “”%Program Files%\CashReminder\uninstall.exe” /S”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\CashReminder\DisplayName: “CashReminder”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\DesProtetor\UninstallString: “”%Program Files%\DesProtetor\uninst.exe” ”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\DesProtetor\DisplayName: “DesProtetor”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall\DisplayName: “istartsurf uninstall”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\istartsurf uninstall\UninstallString: “%Appdata%\istartsurf\UninstallManager.exe -ptid=pcm”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup\DisplayName: “MyPC Backup ”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyPC Backup\UninstallString: “%Program Files%\MyPC Backup\uninst.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\N360\UninstallString: “%Program Files%\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360\A5E82D02\6.0.0.145\InstStub.exe /X /ARP”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\N360\DisplayName: “Norton 360”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9A25302D-30C0-39D9-BD6F-21E6EC160475}\UninstallString: “MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9A25302D-30C0-39D9-BD6F-21E6EC160475}\DisplayName: “Microsoft Visual C++ 2008 Redistributable – x86 9.0.30729.17”
HKLM\Software\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Common Client\ccService\Services\UserSession2\DisplayName: “ccService Host User Session”
HKLM\Software\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Common Client\ccService\Services\UserSession\DisplayName: “ccService Host User Session”
HKLM\Software\Symantec\PatchInst\NIS\ImagePath: “%Program Files%\Norton 360\Engine\6.0.0.145\NISPInst.dll”
HKLM\System\CurrentControlSet\Services\BackupStack\ImagePath: “%Program Files%\MyPC Backup\BackupStack.exe”
HKLM\System\CurrentControlSet\Services\BackupStack\DisplayName: “Computer Backup (MyPC Backup)”
HKLM\System\CurrentControlSet\Services\BHDrvx86\ImagePath: “\??\%Common Appdata%\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\BASHDefs\20111201.001\BHDrvx86.sys”
HKLM\System\CurrentControlSet\Services\BHDrvx86\DisplayName: “BHDrvx86”
HKLM\System\CurrentControlSet\Services\CashReminder\ImagePath: “%Program Files%\CashReminder\CashReminder.exe”
HKLM\System\CurrentControlSet\Services\CashReminder\DisplayName: “CashReminder”
HKLM\System\CurrentControlSet\Services\ccSet_N360\ImagePath: “\SystemRoot\system32\drivers\N360\0600000.091\ccSetx86.sys”
HKLM\System\CurrentControlSet\Services\ccSet_N360\DisplayName: “Norton 360 Settings Manager”
HKLM\System\CurrentControlSet\Services\crfilterdrv\ImagePath: “system32\drivers\crfilterdrv.sys”
HKLM\System\CurrentControlSet\Services\crfilterdrv\DisplayName: “crfilterdrv”
HKLM\System\CurrentControlSet\Services\DesProtetor\ImagePath: “%Program Files%\DesProtetor\DesProtetor.exe”
HKLM\System\CurrentControlSet\Services\DesProtetor\DisplayName: “DesProtetor”
HKLM\System\CurrentControlSet\Services\desprotetordrv\ImagePath: “system32\drivers\desprotetordrv.sys”
HKLM\System\CurrentControlSet\Services\desprotetordrv\DisplayName: “desprotetordrv”
HKLM\System\CurrentControlSet\Services\IDSxpx86\ImagePath: “\??\%Common Appdata%\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\IPSDefs\20111130.012\IDSxpx86.sys”
HKLM\System\CurrentControlSet\Services\IDSxpx86\DisplayName: “IDSxpx86”
HKLM\System\CurrentControlSet\Services\IHProtect Service\ImagePath: “%Program Files%\XTab\ProtectService.exe”
HKLM\System\CurrentControlSet\Services\IHProtect Service\DisplayName: “IHProtect Service”
HKLM\System\CurrentControlSet\Services\N360\ImagePath: “”%Program Files%\Norton 360\Engine\6.0.0.145\ccSvcHst.exe” /s “N360” /m “%Program Files%\Norton 360\Engine\6.0.0.145\diMaster.dll” /prefetch:1″
HKLM\System\CurrentControlSet\Services\N360\DisplayName: “Norton 360”
HKLM\System\CurrentControlSet\Services\NAVENG\ImagePath: “\??\%Common Appdata%\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20111203.009\NAVENG.SYS”
HKLM\System\CurrentControlSet\Services\NAVENG\DisplayName: “NAVENG”
HKLM\System\CurrentControlSet\Services\NAVEX15\ImagePath: “\??\%Common Appdata%\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\Definitions\VirusDefs\20111203.009\NAVEX15.SYS”
HKLM\System\CurrentControlSet\Services\NAVEX15\DisplayName: “NAVEX15”
HKLM\System\CurrentControlSet\Services\SRTSP\ImagePath: “\SystemRoot\system32\drivers\N360\0600000.091\SRTSP.SYS”
HKLM\System\CurrentControlSet\Services\SRTSP\DisplayName: “Symantec Real Time Storage Protection”
HKLM\System\CurrentControlSet\Services\SRTSPX\ImagePath: “\SystemRoot\system32\drivers\N360\0600000.091\SRTSPX.SYS”
HKLM\System\CurrentControlSet\Services\SRTSPX\DisplayName: “Symantec Real Time Storage Protection (PEL)”
HKLM\System\CurrentControlSet\Services\SymDS\ImagePath: “system32\drivers\N360\0600000.091\SYMDS.SYS”
HKLM\System\CurrentControlSet\Services\SymDS\DisplayName: “Symantec Data Store”
HKLM\System\CurrentControlSet\Services\SymEFA\ImagePath: “system32\drivers\N360\0600000.091\SYMEFA.SYS”
HKLM\System\CurrentControlSet\Services\SymEFA\DisplayName: “Symantec Extended File Attributes”
HKLM\System\CurrentControlSet\Services\SymEvent\ImagePath: “\??\%SysDir%\Drivers\SYMEVENT.SYS”
HKLM\System\CurrentControlSet\Services\SymIRON\ImagePath: “\SystemRoot\system32\drivers\N360\0600000.091\Ironx86.SYS”
HKLM\System\CurrentControlSet\Services\SymIRON\DisplayName: “Symantec Iron Driver”
HKLM\System\CurrentControlSet\Services\SYMTDI\ImagePath: “\SystemRoot\system32\drivers\N360\0600000.091\SYMTDI.SYS”
HKLM\System\CurrentControlSet\Services\SYMTDI\DisplayName: “Symantec Network Dispatch Driver”
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2023ECEC-E06A-4372-A1C7-0B49F9E0FFF0}\DisplayName: “e”
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}\DisplayName: “istartsurf”
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{E733165D-CBCF-4FDA-883E-ADEF965B476C}\DisplayName: “Google”
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\StormFall\DisplayName: “StormFall”
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\StormFall\UninstallString: “%Appdata%\StormFall\Uninstaller.exe /Run /ePN:0S2Z1F1C1H0F1T1I1I”
HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\: “”%Program Files%\Mozilla Firefox\firefox.exe” http://www.istartsurf.com/?type=sc&ts=1426093711&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001″
HKLM\Software\Clients\StartMenuInternet\Google Chrome\shell\open\command\: “”%Program Files%\Google\Chrome\Application\chrome.exe” http://www.istartsurf.com/?type=sc&ts=1426093711&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001″
HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: “%Program Files%\Internet Explorer\iexplore.exe http://www.istartsurf.com/?type=sc&ts=1426093711&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001”
HKLM\Software\Clients\StartMenuInternet\VMWAREHOSTOPEN.EXE\shell\open\command\: “”%Program Files%\VMware\VMware Tools\VMwareHostOpen.exe” http://www.istartsurf.com/?type=sc&ts=1426093711&from=pcm&uid=VMwareXVirtualXIDEXHardXDrive_00000000000000000001″
HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\DisplayName: “Bing”

Detected by UnHackMe:

AMISETUP1006__9664.EXE
Default location: %TEMP%\AMISETUP1006__9664.EXE

Dropper hash (MD5): f7bd4d8187ef930ed44d4856bc151e5d

Written by Malware Hunter.
