Trojan.Crossrider.36008

Added to the Dr.Web virus database: 2014-10-14

Virus description added:

Technical Information

To ensure autorun and distribution:
Creates or modifies the following files:
  • %WINDIR%\Tasks\globalUpdateUpdateTaskMachineUA.job
  • %WINDIR%\Tasks\09d2f095-b00b-4e2a-8f47-83a824a7126a-4.job
  • %WINDIR%\Tasks\globalUpdateUpdateTaskMachineCore.job
  • %WINDIR%\Tasks\09d2f095-b00b-4e2a-8f47-83a824a7126a-3.job
  • %WINDIR%\Tasks\09d2f095-b00b-4e2a-8f47-83a824a7126a-11.job
Creates the following services:
  • [<HKLM>\SYSTEM\ControlSet001\Services\globalUpdate] 'Start' = '00000002'
Malicious functions:
Creates and executes the following:
  • '%PROGRAM_FILES%\globalUpdate\Update\GoogleUpdate.exe' /handoff "appguid={489ac49f-1cce-4618-bc42-fc5428b8f6dc}&appname=05f2f373-58af-41e7-be37-f3e7548ac26d&needsadmin=True&lang=en" /installsource otherinstallcmd /sessionid "{B139A8A9-14DF-43D4-9C33-5D20B08A6368}" /silent
  • '%PROGRAM_FILES%\globalUpdate\Update\GoogleUpdate.exe' /svc
  • '%PROGRAM_FILES%\The weDownload Manager\09d2f095-b00b-4e2a-8f47-83a824a7126a-4.exe' /dVWxce /oayPhBa='The weDownload Manager' /earWh='%PROGRAM_FILES%\The weDownload Manager\49074.xpi' /QIQpTY=49074 /CkyBK='000898' /cyoXJiU='0' /Ogojh='0' /OaoPYpuup=1DD2864537B5448A9DC33695B7CE7F43IE /iUjPaxy=ded457faab865d642f35487d907006c4 /uHJTze=1_34_06_10 /AuhTn=1.34.6.10 /aaEoboXHy=1416775501 /jcARvmGzo=http://st###.#atagenserv.com /zlGjU=http://er####.datagenserv.com /yqZKZce=300 /yJfXSc=b1ac2ff7-8e51-4bb6-8bf8-87f1d567919a@4bb97481-aead-4c2e-a62b-e25e264651bb.com /zpbdcmm=0.94 /szncnD=ab1ac2ff78e514bb68bf887f1d567919a4bb97481aead4c2ea62be25e264651bbcom49074 /JlfJe=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/49074.rdf /AinJd='The weDownload Manager' /LGebIYUF='Enhance your search results with direct download links and information for apps and games.' /rrijOUJ='weDownload' /aXbfkrX=ie /AuRfBhQOT='{"asw":[0, 0, 0]}' /YVViAlXHe /lImKKppT /yZvuhnKwj /eAqANEI='http://up####.datagenserv.com/ff_agent_updates/{CAMP_ID}/update.json' /vnsgZQNcg /dwtOWNF='installer' /QtHWinKgQ='%TEMP%\The weDownload ManagerInstaller_1416775501.log'
  • '%PROGRAM_FILES%\globalUpdate\Update\GoogleUpdate.exe' /regsvc
  • '%TEMP%\comh.76168\GoogleUpdate.exe' /silent /install "appguid={489ac49f-1cce-4618-bc42-fc5428b8f6dc}&appname=05f2f373-58af-41e7-be37-f3e7548ac26d&needsadmin=True&lang=en"
  • '%PROGRAM_FILES%\globalUpdate\Update\GoogleUpdate.exe' /regserver
  • '%PROGRAM_FILES%\The weDownload Manager\09d2f095-b00b-4e2a-8f47-83a824a7126a-11.exe' /dtImD=
Executes the following:
  • '<SYSTEM32>\msiexec.exe' /V
Terminates or attempts to terminate the following user processes:
  • opera.exe
  • firefox.exe
  • iexplore.exe
Modifies file system:
Creates the following files:
Deletes the following files:
  • %WINDIR%\Installer\33a5a.msi
  • C:\Config.Msi\33a5d.rbs
  • %APPDATA%\Mozilla\Firefox\Profiles\cwdgt0y8.default\extensions.sqlite-journal
  • %WINDIR%\Installer\33a5c.ipi
  • %WINDIR%\Installer\MSIA.tmp
  • %TEMP%\Cab4.tmp
  • %TEMP%\nsx3.tmp\229498
  • %TEMP%\Cab8.tmp
  • %TEMP%\Cab6.tmp
Network activity:
Connects to:
TCP:
HTTP GET requests:
UDP:
Miscellaneous:
Searches for the following windows:
  • ClassName: 'Shell_TrayWnd' WindowName: ''

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.
Use Dr.Web Anti-virus for macOS to run a full scan of your Mac.

After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

  1. If the mobile device is operating normally, download and install Dr.Web for Android. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Boot your smartphone or tablet into safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install Dr.Web for Android on the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.
