ADW_SUITSEAR
Aliases: WebToolbar.Win64.SearchSuite.e (Kaspersky)
Platform: Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)
Threat Type: Adware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 8,204,920 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 14 Jul 2014
Arrival Details
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This adware creates the following folders:
- %System Root%\DOCUME~1
- %System Root%\DOCUME~1\Wilbert
- %User Profile%\LOCALS~1
- %User Temp%\nsk7.tmp
- %User Temp%\nsk7
- %User Profile%\Application Data\systemk
- %User Temp%\nsk7\nsa17.tmp
- %Program Files%\Settings Manager
- %Program Files%\Settings Manager\systemk
- %Program Files%\Settings Manager\systemk\x64
- %User Temp%\nss80.tmp
- %User Temp%\nss80
- %Program Files%\Linkey
- %User Temp%\nss80\nsu8E.tmp
- %System Root%\Documents and Settings\Wilbert
- %Application Data%\Linkey
- %Application Data%\Linkey\IEExtension
- %User Temp%\nstA9.tmp
- %User Temp%\nstA9
- %Program Files%\LinkeyDeals
(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)
Autostart Technique
This adware adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Linkey Deals = "%Program Files%\LinkeyDeals\msilnk.exe "
It registers itself as a BHO to ensure its automatic execution every time Internet Explorer is used by adding the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
It modifies the following registry entry to ensure its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
AutoRestartShell = "1"
(Note: The default value data of the said registry entry is 1.)
Other System Modifications
This adware deletes the following files:
- %User Temp%\nsa1.tmp
- %User Temp%\nsk7.tmp
- %User Temp%\nsi7E.tmp
- %User Temp%\nss80.tmp
- %User Temp%\nsyA5.tmp
- %User Temp%\nstA9.tmp
- %User Profile%\systemk\coordinator.cfg.bak
- %User Profile%\systemk\S-1-5-21-1645522239-1292428093-682003330-1003.cfg.bak
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)
It adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bprotect.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserprotect.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserdefender.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bitguard.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
snapdo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browsersafeguard.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bpsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
protectedsearch.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst64.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotection.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
utiljumpflip.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
dprotectsvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotector.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings64.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
jumpflip
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
volaro
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vonteera
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchinstaller.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroids.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroidsservice.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
umbrella.exe
HKEY_LOCAL_MACHINE\Software\SystemK\
General
HKEY_CURRENT_USER\Software\SystemK\
General
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager\AppCertDlls
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Approved Extensions
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}
HKEY_CURRENT_USER\SOFTWARE\Linkey
HKEY_LOCAL_MACHINE\SOFTWARE\Linkey
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\iedll.dll
HKEY_CLASSES_ROOT\Linkey.Linkey
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Linkey.Linkey\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\Implemented Categories
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\Implemented Categories\
{59FB2056-D625-48D0-A944-1A85B5AB2640}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\
FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\
0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\
0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\
HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\TypeLib
HKEY_CLASSES_ROOT\SettingsManagerIEHelper.DNSGuard.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SettingsManagerIEHelper.DNSGuard.1\CLSID
HKEY_CLASSES_ROOT\SettingsManagerIEHelper.DNSGuard
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SettingsManagerIEHelper.DNSGuard\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SettingsManagerIEHelper.DNSGuard\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\
FLAGS
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\
0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\
0\win32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\
HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\ProxyStubClsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\ProxyStubClsid32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\TypeLib
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
chrome.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
chrome.exe
It adds the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bprotect.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserprotect.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserdefender.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bitguard.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
snapdo.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browsersafeguard.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bpsvc.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
protectedsearch.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst32.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst64.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotection.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
utiljumpflip.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
dprotectsvc.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotector.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings64.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
jumpflip
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
volaro
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vonteera
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchinstaller.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroids.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroidsservice.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
umbrella.exe
debugger = "tasklist.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
use_secondary_url = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
iver = "5.0.0.13001"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
pver = "5.0.0.13001"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK
Version = "5.0.0.13001"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
appid = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
home = "%Program Files%\Settings Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ln = "en"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
sysid = "427"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
clid = "{3CA2CF07-8A58-4472-ACB9-B3DA14A19DB0}"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
osver = "5.1"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ostype = "win32"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
osl = "en-US"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
itime = "2014-07-04"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ptype = "n"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
kisid = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
kapid = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
uid = "3202250780584472"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
uc = "398"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
kbn = "13001"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
guid = "{EB25CAE0-E5F3-E993-3950-E055FE755242}"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
os_user_type = "Admin"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ie_search_set = "1"
HKEY_CURRENT_USER\Software\SystemK\
General
ie_search_set = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK
browser = " ie ff cr"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ie_ds_supported = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ie_hp_supported = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Bar = "http://www.{BLOCKED}t-search.net?sid=427&aid=0&itype=n&ver=13001&tm=398&src=ds&p="
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
SearchAssistant = "{random characters}"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Use Search Asst = "no"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager\AppCertDlls
x86 = "%Program Files%\Settings Manager\systemk\sysapcrt.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
FrameAuto = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Toolbar
10 = "10"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Approved Extensions
{54739D49-AC03-4C57-9264-C5195596B3A1} = "{random values}"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}
Flags = "4"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
aw = "No"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
sitime = "1404466048"
HKEY_CURRENT_USER\Software\Linkey
instdir = "%Application Data%\Linkey"
HKEY_CURRENT_USER\Software\Linkey
extraUninstaller = "%Program Files%\Settings Manager\systemk\Uninstall.exe /browser=all"
HKEY_CURRENT_USER\Software\Linkey
browsers = "chrome,ff,ie"
HKEY_CURRENT_USER\Software\Linkey
norestart = "Yes"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Linkey
ie_jsurl = "http://app.{BLOCKED}project.com/popup/IE/background.js"
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Approved Extensions
{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47} = "{random values}"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
Flags = "4"
HKEY_CURRENT_USER\Software\Linkey
iver = "0.0.0.469"
HKEY_CURRENT_USER\Software\Linkey
pver = "0.0.0.469"
HKEY_CURRENT_USER\Software\Linkey
appid = "0"
HKEY_CURRENT_USER\Software\Linkey
home = "%Application Data%\Linkey"
HKEY_CURRENT_USER\Software\Linkey
ln = "en"
HKEY_CURRENT_USER\Software\Linkey
sysid = "300"
HKEY_CURRENT_USER\Software\Linkey
clid = "{F3D13913-EDE2-4D57-91C6-8BE508FACF58}"
HKEY_CURRENT_USER\Software\Linkey
itime = "1404466033"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
NoModify = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
NoRepair = "1"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
DisplayName = "Linkey"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
InstallLocation = "%Application Data%\Linkey"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
DisplayVersion = "0.0.0.469"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
UninstallString = "%Application Data%\Linkey\uninstall.exe "
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
DisplayIcon = "%Application Data%\Linkey\uninstall.exe"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
Publisher = "Aztec Media Inc"
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
Traffic_type = "n"
HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
browser = "ie,ff,chrome,"
HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
company = "Linkey Deals"
HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
distributed = "Linkey Deals"
HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
UninstallString = "%Program Files%\LinkeyDeals\LinkeyDealsUninst.exe /browser=all"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\iedll.dll
AppID = "{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\InprocServer32
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
NoExplorer = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\TypeLib
Version = "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\InprocServer32
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}\InprocServer32
ThreadingModel = "Apartment"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\TypeLib
Version = "1.0"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
srn0 = "SystemkService"
HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
srn1 = "F06DEFF2-5B9C-490D-910F-35D3A9119622"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager\AppCertDlls
x64 = "%Program Files%\settings manager\systemk\x64\sysapcrt.dll"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
SearchAssistant = "{random characters}"
(Note: The default value data of the said registry entry is http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm.)
HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://www.{BLOCKED}t-search.net?sid=427&aid=0&itype=n&ver=13001&tm=398&src=hmp"
(Note: The default value data of the said registry entry is http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
AppInit_DLLs = "%Application Data%\Linkey\IEEXTE~1\iedll.dll "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi
LogSessionName = "stdout"
(Note: The default value data of the said registry entry is {random values}.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi
Active = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi
ControlFlags = "1"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi\ImapiSvc
Guid = "8107d8e9-e323-49f5-bba2-abc35c243dca"
(Note: The default value data of the said registry entry is 8107d8e9-e323-49f5-bba2-abc35c243dca.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi\ImapiSvc
BitNames = "{random characters}"
(Note: The default value data of the said registry entry is ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort.)
It deletes the following registry keys:
HKEY_CURRENT_USER\Software\SystemK
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SystemkService.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
systemku.exe
Dropping Routine
This adware drops the following files:
- %User Temp%\nsf3.tmp
- %User Temp%\nsk7.tmp\System.dll
- %User Temp%\nsk7.tmp\UserInfo.dll
- %User Temp%\nsk7\Helper.dll
- %User Temp%\nsk7\Starter.exe
- %User Temp%\nsk7.tmp\registry.dll
- %User Temp%\nsk7\nsa17.tmp\pack.exe
- %User Temp%\nsk7\nsa17.tmp\mediabar.exe
- %User Temp%\nsk7\tbicon.exe
- %User Temp%\nsk7.tmp\nsExec.dll
- %Program Files%\Settings Manager\systemk\Uninstall.exe
- %Program Files%\Settings Manager\systemk\favicon.ico
- %Program Files%\Settings Manager\systemk\systemkmgrc2.cfg
- %Program Files%\Settings Manager\systemk\x64\systemkmgrc2.cfg
- %Program Files%\Settings Manager\systemk\Internet Explorer Settings Update.exe
- %Program Files%\Settings Manager\systemk\x64\Internet Explorer Settings Update.exe
- %Program Files%\Settings Manager\systemk\Internet Explorer Settings.exe
- %Program Files%\Settings Manager\systemk\x64\Internet Explorer Settings.exe
- %Program Files%\Settings Manager\systemk\SystemkService.exe
- %Program Files%\Settings Manager\systemk\systemku.exe
- %Program Files%\Settings Manager\systemk\sysapcrt.dll
- %Program Files%\Settings Manager\systemk\x64\sysapcrt.dll
- %Program Files%\Settings Manager\systemk\syskldr.dll
- %Program Files%\Settings Manager\systemk\x64\syskldr.dll
- %Program Files%\Settings Manager\systemk\syskldr_u.dll
- %Program Files%\Settings Manager\systemk\x64\syskldr_u.dll
- %Program Files%\Settings Manager\systemk\systemk.dll
- %Program Files%\Settings Manager\systemk\x64\systemk.dll
- %Program Files%\Settings Manager\systemk\systemkbho.dll
- %Program Files%\Settings Manager\systemk\x64\systemkbho.dll
- %User Temp%\nsk7\nsa17.tmp\SettingsManagerMediaBar.exe
- %User Temp%\nss80.tmp\System.dll
- %User Temp%\nss80\Helper.dll
- %User Temp%\nss80\Uninstall.exe
- %User Temp%\nss80.tmp\registry.dll
- %Program Files%\Linkey\log.log
- %User Temp%\nss80.tmp\nsArray.dll
- %User Temp%\nss80\nsu8E.tmp\pack.exe
- %User Temp%\nss80.tmp\nsExec.dll
- %User Temp%\nss80.tmp\MoreInfo.dll
- %User Temp%\nss80\config.xml
- %User Temp%\nss80.tmp\nsisXML.dll
- %Application Data%\Linkey\LinkeyDeals.exe
- %Application Data%\Linkey\IEExtension\iedll.dll
- %Application Data%\Linkey\IEExtension\iedll64.dll
- %User Temp%\nsnA7.tmp
- %User Temp%\nstA9\insthlp.dll
- %User Temp%\nstA9.tmp\System.dll
- %Program Files%\LinkeyDeals\msilnk.dll
- %Program Files%\LinkeyDeals\msilnk64.dll
- %Program Files%\LinkeyDeals\msilnk64.exe
- %Program Files%\LinkeyDeals\msilnk.exe
- %Program Files%\LinkeyDeals\insthlp.dll
- %Program Files%\LinkeyDeals\LinkeyDealsUninst.exe
- %User Profile%\systemk\general.cfg
- %User Profile%\systemk\S-1-5-21-1645522239-1292428093-682003330-1003.cfg
- %User Profile%\systemk\coordinator.cfg
- %Temp%\hvjmq55z.TMP
(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.)
Other Details
This adware connects to the following possibly malicious URLs:
- http://service.{BLOCKED}e.com
- {BLOCKED}.195.35
- {BLOCKED}5.109.70
This report is generated via an automated analysis system.
SOLUTION
Minimum Scan Engine: 9.700
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Identify and delete files detected as ADW_SUITSEAR using either the Startup Disk or Recovery Console.
Step 3
Close all open browser windows.
Step 4
Delete these registry keys
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Do this step only if you know how to, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- bprotect.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- browserprotect.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- browserdefender.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- bitguard.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- snapdo.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- browsersafeguard.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- bpsvc.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- protectedsearch.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- stinst32.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- stinst64.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- searchprotection.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- utiljumpflip.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- dprotectsvc.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- searchprotector.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- searchsettings.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- searchsettings64.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- jumpflip
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- volaro
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- vonteera
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- searchinstaller.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- websteroids.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- websteroidsservice.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- umbrella.exe
- In HKEY_LOCAL_MACHINE\Software\SystemK
- General
- In HKEY_CURRENT_USER\Software\SystemK
- General
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
- Search
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
- AppCertDlls
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
- Approved Extensions
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings
- {54739D49-AC03-4C57-9264-C5195596B3A1}
- In HKEY_CURRENT_USER\SOFTWARE
- Linkey
- In HKEY_LOCAL_MACHINE\SOFTWARE
- Linkey
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings
- {4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
- Linkey
- In HKEY_LOCAL_MACHINE\SOFTWARE
- LinkeyDeals
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- {6A7CD9EC-D8BD-4340-BCD0-77C09A282921}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
- iedll.dll
- In HKEY_CLASSES_ROOT
- Linkey.Linkey
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Linkey.Linkey
- CLSID
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
- {4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
- ProgID
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
- VersionIndependentProgID
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
- Programmable
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
- InprocServer32
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
- Implemented Categories
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\Implemented Categories
- {59FB2056-D625-48D0-A944-1A85B5AB2640}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
- {726E90BE-DC22-4965-B215-E0784DC26F47}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}
- 1.0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0
- FLAGS
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0
- 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\0
- win32
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0
- HELPDIR
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
- {4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}
- ProxyStubClsid
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}
- ProxyStubClsid32
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}
- TypeLib
- In HKEY_CLASSES_ROOT
- SettingsManagerIEHelper.DNSGuard.1
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SettingsManagerIEHelper.DNSGuard.1
- CLSID
- In HKEY_CLASSES_ROOT
- SettingsManagerIEHelper.DNSGuard
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SettingsManagerIEHelper.DNSGuard
- CLSID
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SettingsManagerIEHelper.DNSGuard
- CurVer
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
- {54739D49-AC03-4C57-9264-C5195596B3A1}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}
- ProgID
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}
- VersionIndependentProgID
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}
- Programmable
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}
- InprocServer32
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
- {E1842850-FB16-4471-B327-7343FBAED55C}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}
- Programmable
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}
- InprocServer32
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
- {93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}
- 1.0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0
- FLAGS
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0
- 0
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\0
- win32
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0
- HELPDIR
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
- {AA760BA8-5862-4BC5-9263-4452CBC0B264}
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}
- ProxyStubClsid
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}
- ProxyStubClsid32
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}
- TypeLib
- In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
- chrome.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
- chrome.exe
Step 5
Delete these registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how to, or ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Linkey Deals = "%Program Files%\LinkeyDeals\msilnk.exe "
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe
- debugger = "tasklist.exe"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- use_secondary_url = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- iver = "5.0.0.13001"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- pver = "5.0.0.13001"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK
- Version = "5.0.0.13001"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- appid = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- home = "%Program Files%\Settings Manager"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- ln = "en"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- sysid = "427"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- clid = "{3CA2CF07-8A58-4472-ACB9-B3DA14A19DB0}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- osver = "5.1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- ostype = "win32"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- osl = "en-US"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- itime = "2014-07-04"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- ptype = "n"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- kisid = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- kapid = "0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- uid = "3202250780584472"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- uc = "398"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- kbn = "13001"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- guid = "{EB25CAE0-E5F3-E993-3950-E055FE755242}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- os_user_type = "Admin"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- ie_search_set = "1"
- In HKEY_CURRENT_USER\Software\SystemK\General
- ie_search_set = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK
- browser = " ie ff cr"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- ie_ds_supported = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- ie_hp_supported = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Search Bar = "http://www.{BLOCKED}t-search.net?sid=427&aid=0&itype=n&ver=13001&tm=398&src=ds&p="
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
- SearchAssistant = "{random characters}"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- Use Search Asst = "no"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls
- x86 = "%Program Files%\Settings Manager\systemk\sysapcrt.dll"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
- FrameAuto = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
- 10 = "10"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions
- {54739D49-AC03-4C57-9264-C5195596B3A1} = "{random values}"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}
- Flags = "4"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- aw = "No"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- sitime = "1404466048"
- In HKEY_CURRENT_USER\Software\Linkey
- instdir = "%Application Data%\Linkey"
- In HKEY_CURRENT_USER\Software\Linkey
- extraUninstaller = "%Program Files%\Settings Manager\systemk\Uninstall.exe /browser=all"
- In HKEY_CURRENT_USER\Software\Linkey
- browsers = "chrome,ff,ie"
- In HKEY_CURRENT_USER\Software\Linkey
- norestart = "Yes"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
- LoadAppInit_DLLs = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Linkey
- ie_jsurl = "http://app.{BLOCKED}project.com/popup/IE/background.js"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions
- {4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47} = "{random values}"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
- Flags = "4"
- In HKEY_CURRENT_USER\Software\Linkey
- iver = "0.0.0.469"
- In HKEY_CURRENT_USER\Software\Linkey
- pver = "0.0.0.469"
- In HKEY_CURRENT_USER\Software\Linkey
- appid = "0"
- In HKEY_CURRENT_USER\Software\Linkey
- home = "%Application Data%\Linkey"
- In HKEY_CURRENT_USER\Software\Linkey
- ln = "en"
- In HKEY_CURRENT_USER\Software\Linkey
- sysid = "300"
- In HKEY_CURRENT_USER\Software\Linkey
- clid = "{F3D13913-EDE2-4D57-91C6-8BE508FACF58}"
- In HKEY_CURRENT_USER\Software\Linkey
- itime = "1404466033"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
- NoModify = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
- NoRepair = "1"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
- DisplayName = "Linkey"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
- InstallLocation = "%Application Data%\Linkey"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
- DisplayVersion = "0.0.0.469"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
- UninstallString = "%Application Data%\Linkey\uninstall.exe "
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
- DisplayIcon = "%Application Data%\Linkey\uninstall.exe"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
- Publisher = "Aztec Media Inc"
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
- Traffic_type = "n"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
- browser = "ie,ff,chrome,"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
- company = "Linkey Deals"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
- distributed = "Linkey Deals"
- In HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
- UninstallString = "%Program Files%\LinkeyDeals\LinkeyDealsUninst.exe /browser=all"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\iedll.dll
- AppID = "{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\InprocServer32
- ThreadingModel = "Apartment"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
- NoExplorer = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\TypeLib
- Version = "1.0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\InprocServer32
- ThreadingModel = "Apartment"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}\InprocServer32
- ThreadingModel = "Apartment"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\TypeLib
- Version = "1.0"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- srn0 = "SystemkService"
- In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
- srn1 = "F06DEFF2-5B9C-490D-910F-35D3A9119622"
- In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls
- x64 = "%Program Files%\settings manager\systemk\x64\sysapcrt.dll"
Step 6
Restore these modified registry values
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to, or seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
- From: SearchAssistant = "{random characters}"
To: SearchAssistant = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
- In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- From: Start Page = "http://www.{BLOCKED}t-search.net?sid=427&aid=0&itype=n&ver=13001&tm=398&src=hmp"
To: Start Page = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
- AppInit_DLLs = "%Application Data%\Linkey\IEEXTE~1\iedll.dll "
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi
- From: LogSessionName = "stdout"
To: LogSessionName = "{random values}"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi
- From: Active = "1"
To: Active = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi
- From: ControlFlags = "1"
To: ControlFlags = "1"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc
- From: Guid = "8107d8e9-e323-49f5-bba2-abc35c243dca"
To: Guid = "8107d8e9-e323-49f5-bba2-abc35c243dca"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc
- From: BitNames = "{random characters}"
To: BitNames = " ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- From: AutoRestartShell = "1"
To: AutoRestartShell = "1"
Step 7
Search and delete these components
- %User Temp%\nsf3.tmp
- %User Temp%\nsk7.tmp\System.dll
- %User Temp%\nsk7.tmp\UserInfo.dll
- %User Temp%\nsk7\Helper.dll
- %User Temp%\nsk7\Starter.exe
- %User Temp%\nsk7.tmp\registry.dll
- %User Temp%\nsk7\nsa17.tmp\pack.exe
- %User Temp%\nsk7\nsa17.tmp\mediabar.exe
- %User Temp%\nsk7\tbicon.exe
- %User Temp%\nsk7.tmp\nsExec.dll
- %Program Files%\Settings Manager\systemk\Uninstall.exe
- %Program Files%\Settings Manager\systemk\favicon.ico
- %Program Files%\Settings Manager\systemk\systemkmgrc2.cfg
- %Program Files%\Settings Manager\systemk\x64\systemkmgrc2.cfg
- %Program Files%\Settings Manager\systemk\Internet Explorer Settings Update.exe
- %Program Files%\Settings Manager\systemk\x64\Internet Explorer Settings Update.exe
- %Program Files%\Settings Manager\systemk\Internet Explorer Settings.exe
- %Program Files%\Settings Manager\systemk\x64\Internet Explorer Settings.exe
- %Program Files%\Settings Manager\systemk\SystemkService.exe
- %Program Files%\Settings Manager\systemk\systemku.exe
- %Program Files%\Settings Manager\systemk\sysapcrt.dll
- %Program Files%\Settings Manager\systemk\x64\sysapcrt.dll
- %Program Files%\Settings Manager\systemk\syskldr.dll
- %Program Files%\Settings Manager\systemk\x64\syskldr.dll
- %Program Files%\Settings Manager\systemk\syskldr_u.dll
- %Program Files%\Settings Manager\systemk\x64\syskldr_u.dll
- %Program Files%\Settings Manager\systemk\systemk.dll
- %Program Files%\Settings Manager\systemk\x64\systemk.dll
- %Program Files%\Settings Manager\systemk\systemkbho.dll
- %Program Files%\Settings Manager\systemk\x64\systemkbho.dll
- %User Temp%\nsk7\nsa17.tmp\SettingsManagerMediaBar.exe
- %User Temp%\nss80.tmp\System.dll
- %User Temp%\nss80\Helper.dll
- %User Temp%\nss80\Uninstall.exe
- %User Temp%\nss80.tmp\registry.dll
- %Program Files%\Linkey\log.log
- %User Temp%\nss80.tmp\nsArray.dll
- %User Temp%\nss80\nsu8E.tmp\pack.exe
- %User Temp%\nss80.tmp\nsExec.dll
- %User Temp%\nss80.tmp\MoreInfo.dll
- %User Temp%\nss80\config.xml
- %User Temp%\nss80.tmp\nsisXML.dll
- %Application Data%\Linkey\LinkeyDeals.exe
- %Application Data%\Linkey\IEExtension\iedll.dll
- %Application Data%\Linkey\IEExtension\iedll64.dll
- %User Temp%\nsnA7.tmp
- %User Temp%\nstA9\insthlp.dll
- %User Temp%\nstA9.tmp\System.dll
- %Program Files%\LinkeyDeals\msilnk.dll
- %Program Files%\LinkeyDeals\msilnk64.dll
- %Program Files%\LinkeyDeals\msilnk64.exe
- %Program Files%\LinkeyDeals\msilnk.exe
- %Program Files%\LinkeyDeals\insthlp.dll
- %Program Files%\LinkeyDeals\LinkeyDealsUninst.exe
- %User Profile%\systemk\general.cfg
- %User Profile%\systemk\S-1-5-21-1645522239-1292428093-682003330-1003.cfg
- %User Profile%\systemk\coordinator.cfg
- %Temp%\hvjmq55z.TMP
Step 8
Search and delete these folders
- %System Root%\DOCUME~1
- %System Root%\DOCUME~1\Wilbert
- %User Profile%\LOCALS~1
- %User Temp%\nsk7.tmp
- %User Temp%\nsk7
- %User Profile%\Application Data\systemk
- %User Temp%\nsk7\nsa17.tmp
- %Program Files%\Settings Manager
- %Program Files%\Settings Manager\systemk
- %Program Files%\Settings Manager\systemk\x64
- %User Temp%\nss80.tmp
- %User Temp%\nss80
- %Program Files%\Linkey
- %User Temp%\nss80\nsu8E.tmp
- %System Root%\Documents and Settings\Wilbert
- %Application Data%\Linkey
- %Application Data%\Linkey\IEExtension
- %User Temp%\nstA9.tmp
- %User Temp%\nstA9
- %Program Files%\LinkeyDeals
Step 9
Scan your computer with your Trend Micro product to delete files detected as ADW_SUITSEAR. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 10
Restore these files from backup
*Note: Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer.
- %User Temp%\nsa1.tmp
- %User Temp%\nsk7.tmp
- %User Temp%\nsi7E.tmp
- %User Temp%\nss80.tmp
- %User Temp%\nsyA5.tmp
- %User Temp%\nstA9.tmp
- %User Profile%\systemk\coordinator.cfg.bak
- %User Profile%\systemk\S-1-5-21-1645522239-1292428093-682003330-1003.cfg.bak
Step 11
Restore these deleted registry keys/values from backup
*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.
- In HKEY_CURRENT_USER\Software
- SystemK
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- SystemkService.exe
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- systemku.exe