Trojan.StartPage.52752

Technical Information

To ensure autorun and distribution:

Modifies the following registry keys:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'sys10' = '%HOMEPATH%\Local Settings\TempImages\sys13.exe'

Creates or modifies the following files:

%WINDIR%\Tasks\Scheduled Update for Ask Toolbar.job

Creates the following services:

[<HKLM>\SYSTEM\ControlSet001\Services\Seekapp Service] 'Start' = '00000002'

Malicious functions:

Creates and executes the following:

'%ALLUSERSPROFILE%\Application Data\Seekapp\seekapp122.exe' "%PROGRAM_FILES%\Seekapp\seekapp.dll" Service
'%TEMP%\nst8.tmp\seekapp.exe' "%TEMP%\nst8.tmp\seekapp.dll" Install "-p SkapPAP "
'%PROGRAM_FILES%\Seekapp\seekapp.exe' "%PROGRAM_FILES%\Seekapp\seekapp.dll" Main
'%PROGRAM_FILES%\Ask.com\TaskScheduler.exe' %PROGRAM_FILES%\Ask.com\UpdateTask.exe
'%WINDIR%\Installer\MSI10.tmp'
'%HOMEPATH%\Local Settings\TempImages\skasetup-122-SkapPAP.exe' Settings\TempImages\skasetup-122-SkapPAP.exe
'%HOMEPATH%\Local Settings\TempImages\askToolbarInstaller-1.3.1.0.exe' Settings\TempImages\askToolbarInstaller-1.3.1.0.exe /verysilent /sa /tbr toolbar=SE
'%TEMP%\ska4.tmp\skasetup-122-SkapPAP.exe' -p SkapPAP /S
'%TEMP%\nst8.tmp\seekapp.exe' "%TEMP%\nst8.tmp\seekapp.dll" -r
'%TEMP%\NEW3.tmp.exe' /s /v"PARTNER=SE HPR=NO /qn"

Executes the following:

'<SYSTEM32>\msiexec.exe' -Embedding 63BD18DCCE4DC1C1C452BBDD811C3415
'<SYSTEM32>\msiexec.exe' -Embedding 24B2E1866EF1AA27B21703CAA322A73C M Global\MSI0000
'<SYSTEM32>\msiexec.exe' /i "%TEMP%\{B368134D-80DD-48C5-A665-2E88BE3C4A8F}\Ask Toolbar.msi" /L*vx %TEMP%\ASKSUTBLOG PARTNER=SE HPR=NO /qn SETUPEXEDIR="%HOMEPATH%\Local Settings\Temp" SETUPEXENAME="NEW3.tmp.exe"
'<SYSTEM32>\msiexec.exe' /V

Sets a new unauthorized home page for Windows Internet Explorer.

Modifies file system :

Creates the following files:

%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\RunIE.exe
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\askHomePage.exe
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\AskFFSuccess.js
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\askpopup.exe
%WINDIR%\Installer\MSIF.tmp
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\AskHPRFF.js
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\JSXPCOMInstaller.exe
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\Del_AskHPRFF.VBS
%PROGRAM_FILES%\Seekapp\uninstall.exe
%PROGRAM_FILES%\Seekapp\readme.html
%PROGRAM_FILES%\Seekapp\seekapp.exe
%TEMP%\{B368134D-80DD-48C5-A665-2E88BE3C4A8F}\Ask Toolbar.msi
%WINDIR%\Installer\MSIE.tmp
%WINDIR%\Installer\28850.msi
%TEMP%\ASKSUTBLOG
%WINDIR%\Installer\MSI10.tmp
%PROGRAM_FILES%\Ask.com\config.xml
%PROGRAM_FILES%\Ask.com\mupcfg.xml
%PROGRAM_FILES%\Ask.com\UpdateTask.exe
%WINDIR%\Installer\MSI16.tmp
%WINDIR%\Installer\MSI19.tmp
%WINDIR%\Installer\MSI18.tmp
%WINDIR%\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe
%PROGRAM_FILES%\Ask.com\TaskScheduler.exe
%WINDIR%\Installer\MSI12.tmp
%WINDIR%\Installer\MSI11.tmp
%TEMP%\~13.tmp
%PROGRAM_FILES%\Ask.com\GenericAskToolbar.dll
%WINDIR%\Installer\MSI15.tmp
C:\Config.Msi\28853.rbs
%TEMP%\nsc2.tmp\ExecDos.dll
%TEMP%\nsc2.tmp\modern-wizard.bmp
%TEMP%\nsc2.tmp\ioSpecial.ini
%TEMP%\NEW3.tmp.exe
%TEMP%\nss7.tmp\System.dll
%TEMP%\nss6.tmp
%TEMP%\ska4.tmp\skasetup-122-SkapPAP.exe
%TEMP%\nsc2.tmp\ioAsk.ini
%HOMEPATH%\Local Settings\TempImages\AskInstallChecker.exe
%HOMEPATH%\Local Settings\TempImages\ioClean.ini
%TEMP%\nsc2.tmp\System.dll
%HOMEPATH%\Local Settings\TempImages\askToolbarInstaller-1.3.1.0.exe
%HOMEPATH%\Local Settings\TempImages\spf11.exe
%HOMEPATH%\Local Settings\TempImages\skasetup-122-SkapPAP.exe
%HOMEPATH%\Local Settings\TempImages\ask.bmp
%TEMP%\nss7.tmp\logo.bmp
%TEMP%\_isC.tmp
%TEMP%\nst8.tmp\seekapp.exe
%TEMP%\nst8.tmp\uninstall.exe
%TEMP%\~B.tmp
%PROGRAM_FILES%\Seekapp\seekapp.dll
%ALLUSERSPROFILE%\Application Data\Seekapp\seekapp122.exe
%TEMP%\_isD.tmp
%TEMP%\nst8.tmp\readme.html
%TEMP%\_is9.tmp
%TEMP%\nst8.tmp\seekapp.dll
%TEMP%\nss7.tmp\infoPage.ini
%TEMP%\{B368134D-80DD-48C5-A665-2E88BE3C4A8F}\Setup.INI
%TEMP%\{B368134D-80DD-48C5-A665-2E88BE3C4A8F}\0x0409.ini
%TEMP%\_isA.tmp
%TEMP%\{B368134D-80DD-48C5-A665-2E88BE3C4A8F}\_ISMSIDEL.INI

Deletes the following files:

%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\AskHPRFF.js
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\askHomePage.exe
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\Del_AskHPRFF.VBS
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\askpopup.exe
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\AskFFSuccess.js
%PROGRAM_FILES%\Ask.com\TaskScheduler.exe
C:\Config.Msi\28853.rbs
%WINDIR%\Installer\MSI18.tmp
%TEMP%\~13.tmp
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\JSXPCOMInstaller.exe
%TEMP%\{B368134D-80DD-48C5-A665-2E88BE3C4A8F}\Setup.INI
%TEMP%\{B368134D-80DD-48C5-A665-2E88BE3C4A8F}\Ask Toolbar.msi
%TEMP%\NEW3.tmp.exe
%TEMP%\{B368134D-80DD-48C5-A665-2E88BE3C4A8F}\_ISMSIDEL.INI
%TEMP%\{B368134D-80DD-48C5-A665-2E88BE3C4A8F}\0x0409.ini
%WINDIR%\Installer\MSI19.tmp
%TEMP%\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\RunIE.exe
%WINDIR%\Installer\28852.ipi
%WINDIR%\Installer\28850.msi
%WINDIR%\Installer\MSI11.tmp
%TEMP%\nst8.tmp\seekapp.exe
%TEMP%\nst8.tmp\seekapp.dll
%TEMP%\nss7.tmp\infoPage.ini
%TEMP%\nst8.tmp\uninstall.exe
%TEMP%\nst8.tmp\readme.html
%TEMP%\_isA.tmp
%TEMP%\_is9.tmp
%TEMP%\~B.tmp
%TEMP%\_isC.tmp
%TEMP%\nss7.tmp\logo.bmp
%WINDIR%\Installer\MSI12.tmp
%WINDIR%\Installer\MSI10.tmp
%WINDIR%\Installer\MSI16.tmp
%WINDIR%\Installer\MSI15.tmp
%WINDIR%\Installer\MSIF.tmp
%TEMP%\ska4.tmp\skasetup-122-SkapPAP.exe
%TEMP%\nss7.tmp\System.dll
%WINDIR%\Installer\MSIE.tmp
%TEMP%\_isD.tmp

Miscellaneous:

Searches for the following windows:

ClassName: 'IEFrame' WindowName: ''
ClassName: 'Shell_TrayWnd' WindowName: ''
ClassName: 'Indicator' WindowName: ''

Technologies

Begriffe

Schulung und Training

Mythen

Technical Information

Curing recommendations

Free trial