ADW_BROWS

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

File Size:

1,452,222 bytes

File Type:

EXE

Memory Resident:

Yes

Initial Samples Received Date:

19 Feb 2015

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware creates the following folders:

%User Temp%\is-4HHRM.tmp
%User Temp%\is-3AI55.tmp
%User Temp%\is-3AI55.tmp\_isetup
%Program Files%\Microsoft Data
%User Temp%\Folder_Temp_12-21
%User Temp%\Folder_Temp_12-21\adds
%User Temp%\Folder_Temp_12-21\js
%User Temp%\Folder_Temp_12-21\xml

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.)

Autostart Technique

This adware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
chrome5 = "{random characters}"

Other System Modifications

This adware deletes the following files:

%User Temp%\Folder_Temp_12-21/?¼?H?

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It adds the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Google\Update

HKEY_CURRENT_USER\SOFTWARE\Policies\
Google\Update

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\AppCompat

HKEY_LOCAL_MACHINE\Software\Policies\
Microsoft\Windows\AppCompat

HKEY_CURRENT_USER\SOFTWARE\GTN_STF

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
Inno Setup: Setup Version = "5.5.3 (u)"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
Inno Setup: App Path = "%Program Files%\Microsoft Data"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
InstallLocation = "%Program Files%\Microsoft Data"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
Inno Setup: Icon Group = "(Default)"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
Inno Setup: User = "Wilbert"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
Inno Setup: Language = "default"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
DisplayName = "WebSecurity Extension version 16.40"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
UninstallString = "%Program Files%\Microsoft Data\unins000.exe "

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
QuietUninstallString = "%Program Files%\Microsoft Data\unins000.exe /SILENT"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
DisplayVersion = "16.40"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
NoModify = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
NoRepair = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
InstallDate = "20150210"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
MajorVersion = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1
MinorVersion = "28"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Google\Update
UpdateDefault = "0"

HKEY_CURRENT_USER\Software\Policies\
Google\Update
UpdateDefault = "0"

HKEY_CURRENT_USER\Software\Policies\
Microsoft\Windows\AppCompat
DisablePCA = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\AppCompat
DisablePCA = "1"

HKEY_CURRENT_USER\Software\GTN_STF
uniID = "1423564161757"

It deletes the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
WebSecurity Extension_is1

Dropping Routine

This adware drops the following files:

%User Temp%\is-4hhrm.tmp\{malware file name}.tmp
%User Temp%\is-3AI55.tmp\_isetup\_shfoldr.dll
%Program Files%\Microsoft Data\unins000.dat
%Program Files%\Microsoft Data\is-LEAGH.tmp
%Program Files%\Microsoft Data\is-MLVCL.tmp
%Program Files%\Microsoft Data\is-GFN9D.tmp
%Program Files%\Microsoft Data\is-NA4AE.tmp
%Program Files%\Microsoft Data\is-H7P5U.tmp
%Program Files%\Microsoft Data\is-NQBUI.tmp
%User Temp%\Folder_Temp_12-21\uni_id_exist.glog
%User Temp%\Folder_Temp_12-21\log_chrome.glog
%User Profile%\Application Data\smw_inst
%User Temp%\Folder_Temp_12-21\adds\xx.crx
%User Temp%\Folder_Temp_12-21\adds\xx.oex
%User Temp%\Folder_Temp_12-21\adds\xx.xpi
%User Temp%\Folder_Temp_12-21\js\chr_pref.json
%User Temp%\Folder_Temp_12-21\js\ff_set.json
%User Temp%\Folder_Temp_12-21\xml\op_data.xml
%User Temp%\Folder_Temp_12-21\xml\op_wid.xml
%User Temp%\Folder_Temp_12-21\xml\task.xml
rmAds.bat
%User Temp%\Folder_Temp_12-21\log_opera.glog
%User Temp%\Folder_Temp_12-21\log_firefox.glog

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Program Files% is the Program Files folder, where it usually is C:\Program Files on all Windows operating system versions; C:\Program Files (x86) for 32-bit applications running on Windows 64-bit operating systems.. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

Other Details

This adware connects to the following possibly malicious URL:

{BLOCKED}.7.250

This report is generated via an automated analysis system.

Minimum Scan Engine:

9.700

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Restart in Safe Mode

[ Learn More ]

Step 3

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
- WebSecurity Extension_is1

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google
- Update

In HKEY_CURRENT_USER\SOFTWARE\Policies\Google
- Update

In HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows
- AppCompat

In HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows
- AppCompat

In HKEY_CURRENT_USER\SOFTWARE
- GTN_STF

Step 4

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- chrome5 = "{random characters}"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- Inno Setup: Setup Version = "5.5.3 (u)"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- Inno Setup: App Path = "%Program Files%\Microsoft Data"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- InstallLocation = "%Program Files%\Microsoft Data"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- Inno Setup: Icon Group = "(Default)"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- Inno Setup: User = "Wilbert"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- Inno Setup: Language = "default"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- DisplayName = "WebSecurity Extension version 16.40"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- UninstallString = "%Program Files%\Microsoft Data\unins000.exe "

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- QuietUninstallString = "%Program Files%\Microsoft Data\unins000.exe /SILENT"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- DisplayVersion = "16.40"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- NoModify = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- NoRepair = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- InstallDate = "20150210"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- MajorVersion = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebSecurity Extension_is1
- MinorVersion = "28"

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update
- UpdateDefault = "0"

In HKEY_CURRENT_USER\Software\Policies\Google\Update
- UpdateDefault = "0"

In HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\AppCompat
- DisablePCA = "1"

In HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat
- DisablePCA = "1"

In HKEY_CURRENT_USER\Software\GTN_STF
- uniID = "1423564161757"

To delete the registry value this malware/grayware created:

Open Registry Editor.
» For Windows 2000, Windows XP, and Windows Server 2003 users, click Start>Run, type regedit in the text box provided, and then press Enter.
» For Windows Vista, Windows 7, and Windows Server 2008 users, click the Start button, type regedit in the Search input field then press Enter.
» For Windows 8, Windows 8.1, and Windows Server 2012 users, right-click on the lower-left corner of the screen, click Run, type regedit in the text box provided, and then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
chrome5 = "{random characters}"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Uninstall>WebSecurity Extension_is1
In the right panel, locate and delete the entry:
Inno Setup: Setup Version = "5.5.3 (u)"
Again In the right panel, locate and delete the entry:
Inno Setup: App Path = "%Program Files%\Microsoft Data"
Again In the right panel, locate and delete the entry:
InstallLocation = "%Program Files%\Microsoft Data"
Again In the right panel, locate and delete the entry:
Inno Setup: Icon Group = "(Default)"
Again In the right panel, locate and delete the entry:
Inno Setup: User = "Wilbert"
Again In the right panel, locate and delete the entry:
Inno Setup: Language = "default"
Again In the right panel, locate and delete the entry:
DisplayName = "WebSecurity Extension version 16.40"
Again In the right panel, locate and delete the entry:
UninstallString = "%Program Files%\Microsoft Data\unins000.exe "
Again In the right panel, locate and delete the entry:
QuietUninstallString = "%Program Files%\Microsoft Data\unins000.exe /SILENT"
Again In the right panel, locate and delete the entry:
DisplayVersion = "16.40"
Again In the right panel, locate and delete the entry:
NoModify = "1"
Again In the right panel, locate and delete the entry:
NoRepair = "1"
Again In the right panel, locate and delete the entry:
InstallDate = "20150210"
Again In the right panel, locate and delete the entry:
MajorVersion = "1"
Again In the right panel, locate and delete the entry:
MinorVersion = "28"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Google>Update
In the right panel, locate and delete the entry:
UpdateDefault = "0"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Policies>Google>Update
In the right panel, locate and delete the entry:
UpdateDefault = "0"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Policies>Microsoft>Windows>AppCompat
In the right panel, locate and delete the entry:
DisablePCA = "1"
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Policies>Microsoft>Windows>AppCompat
In the right panel, locate and delete the entry:
DisablePCA = "1"
In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>GTN_STF
In the right panel, locate and delete the entry:
uniID = "1423564161757"
Close Registry Editor.

Step 5

Search and delete these components

[ Learn More ]

There may be some components that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%User Temp%\is-4hhrm.tmp\{malware file name}.tmp
%User Temp%\is-3AI55.tmp\_isetup\_shfoldr.dll
%Program Files%\Microsoft Data\unins000.dat
%Program Files%\Microsoft Data\is-LEAGH.tmp
%Program Files%\Microsoft Data\is-MLVCL.tmp
%Program Files%\Microsoft Data\is-GFN9D.tmp
%Program Files%\Microsoft Data\is-NA4AE.tmp
%Program Files%\Microsoft Data\is-H7P5U.tmp
%Program Files%\Microsoft Data\is-NQBUI.tmp
%User Temp%\Folder_Temp_12-21\uni_id_exist.glog
%User Temp%\Folder_Temp_12-21\log_chrome.glog
%User Profile%\Application Data\smw_inst
%User Temp%\Folder_Temp_12-21\adds\xx.crx
%User Temp%\Folder_Temp_12-21\adds\xx.oex
%User Temp%\Folder_Temp_12-21\adds\xx.xpi
%User Temp%\Folder_Temp_12-21\js\chr_pref.json
%User Temp%\Folder_Temp_12-21\js\ff_set.json
%User Temp%\Folder_Temp_12-21\xml\op_data.xml
%User Temp%\Folder_Temp_12-21\xml\op_wid.xml
%User Temp%\Folder_Temp_12-21\xml\task.xml
rmAds.bat
%User Temp%\Folder_Temp_12-21\log_opera.glog
%User Temp%\Folder_Temp_12-21\log_firefox.glog

To manually delete a malware/grayware file from an affected system:

• For Windows 2000, Windows XP, and Windows Server 2003:

Right-click Start then click Search....
In the File name* input box, type the following:
%User Temp%\is-4hhrm.tmp\{malware file name}.tmp
%User Temp%\is-3AI55.tmp\_isetup\_shfoldr.dll
%Program Files%\Microsoft Data\unins000.dat
%Program Files%\Microsoft Data\is-LEAGH.tmp
%Program Files%\Microsoft Data\is-MLVCL.tmp
%Program Files%\Microsoft Data\is-GFN9D.tmp
%Program Files%\Microsoft Data\is-NA4AE.tmp
%Program Files%\Microsoft Data\is-H7P5U.tmp
%Program Files%\Microsoft Data\is-NQBUI.tmp
%User Temp%\Folder_Temp_12-21\uni_id_exist.glog
%User Temp%\Folder_Temp_12-21\log_chrome.glog
%User Profile%\Application Data\smw_inst
%User Temp%\Folder_Temp_12-21\adds\xx.crx
%User Temp%\Folder_Temp_12-21\adds\xx.oex
%User Temp%\Folder_Temp_12-21\adds\xx.xpi
%User Temp%\Folder_Temp_12-21\js\chr_pref.json
%User Temp%\Folder_Temp_12-21\js\ff_set.json
%User Temp%\Folder_Temp_12-21\xml\op_data.xml
%User Temp%\Folder_Temp_12-21\xml\op_wid.xml
%User Temp%\Folder_Temp_12-21\xml\task.xml
rmAds.bat
%User Temp%\Folder_Temp_12-21\log_opera.glog
%User Temp%\Folder_Temp_12-21\log_firefox.glog
In the Look In drop-down list, select My Computer then press Enter.
Once located, select the file then press SHIFT+DELETE to delete it.
*Note: The file name input box title varies depending on the Windows version (e.g. Search for files or folders named or All or part of the file name.).

• For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

Open a Windows Explorer window.
- For Windows Vista, 7, and Server 2008 users, click Start>Computer.
- For Windows 8, 8.1, and Server 2012 users, right-click on the lower left corner of the screen,then click File Explorer.
In the Search Computer/This PC input box, type:
%User Temp%\is-4hhrm.tmp\{malware file name}.tmp
%User Temp%\is-3AI55.tmp\_isetup\_shfoldr.dll
%Program Files%\Microsoft Data\unins000.dat
%Program Files%\Microsoft Data\is-LEAGH.tmp
%Program Files%\Microsoft Data\is-MLVCL.tmp
%Program Files%\Microsoft Data\is-GFN9D.tmp
%Program Files%\Microsoft Data\is-NA4AE.tmp
%Program Files%\Microsoft Data\is-H7P5U.tmp
%Program Files%\Microsoft Data\is-NQBUI.tmp
%User Temp%\Folder_Temp_12-21\uni_id_exist.glog
%User Temp%\Folder_Temp_12-21\log_chrome.glog
%User Profile%\Application Data\smw_inst
%User Temp%\Folder_Temp_12-21\adds\xx.crx
%User Temp%\Folder_Temp_12-21\adds\xx.oex
%User Temp%\Folder_Temp_12-21\adds\xx.xpi
%User Temp%\Folder_Temp_12-21\js\chr_pref.json
%User Temp%\Folder_Temp_12-21\js\ff_set.json
%User Temp%\Folder_Temp_12-21\xml\op_data.xml
%User Temp%\Folder_Temp_12-21\xml\op_wid.xml
%User Temp%\Folder_Temp_12-21\xml\task.xml
rmAds.bat
%User Temp%\Folder_Temp_12-21\log_opera.glog
%User Temp%\Folder_Temp_12-21\log_firefox.glog
Once located, select the file then press SHIFT+DELETE to delete it.
*Note: Read the following Microsoft page if these steps do not work on Windows 7.

Step 6

Search and delete these folders

[ Learn More ]

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.

%User Temp%\is-4HHRM.tmp
%User Temp%\is-3AI55.tmp
%User Temp%\is-3AI55.tmp\_isetup
%Program Files%\Microsoft Data
%User Temp%\Folder_Temp_12-21
%User Temp%\Folder_Temp_12-21\adds
%User Temp%\Folder_Temp_12-21\js
%User Temp%\Folder_Temp_12-21\xml

To delete malware/grayware/spyware folders:

For Windows 2000, Windows XP, and Windows Server 2003:

Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
In the File name* input box, type:

%User Temp%\is-4HHRM.tmp
%User Temp%\is-3AI55.tmp
%User Temp%\is-3AI55.tmp\_isetup
%Program Files%\Microsoft Data
%User Temp%\Folder_Temp_12-21
%User Temp%\Folder_Temp_12-21\adds
%User Temp%\Folder_Temp_12-21\js
%User Temp%\Folder_Temp_12-21\xml
In the Look In drop-down list, select My Computer, then press Enter.
Once located, select the folder then press SHIFT+DELETE to permanently delete the folder.
Repeat steps 2 to 4 for the remaining folders: %User Temp%\is-4HHRM.tmp
%User Temp%\is-3AI55.tmp
%User Temp%\is-3AI55.tmp\_isetup
%Program Files%\Microsoft Data
%User Temp%\Folder_Temp_12-21
%User Temp%\Folder_Temp_12-21\adds
%User Temp%\Folder_Temp_12-21\js
%User Temp%\Folder_Temp_12-21\xml

*Note: The file name input box title varies depending on the Windows version (e.g. Search for files or folders named or All or part of the file name.).

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

Open a Windows Explorer window.
- For Windows Vista, 7, and Server 2008 users, click Start>Computer.
- For Windows 8, 8.1, and Server 2012 users, right-click on the lower left corner of the screen, then click File Explorer.
In the Search Computer/This PC input box, type:
%User Temp%\is-4HHRM.tmp
%User Temp%\is-3AI55.tmp
%User Temp%\is-3AI55.tmp\_isetup
%Program Files%\Microsoft Data
%User Temp%\Folder_Temp_12-21
%User Temp%\Folder_Temp_12-21\adds
%User Temp%\Folder_Temp_12-21\js
%User Temp%\Folder_Temp_12-21\xml
Once located, select the file then press SHIFT+DELETE to permanently delete the folder.
Repeat steps 2-3 for the remaining folders: %User Temp%\is-4HHRM.tmp
%User Temp%\is-3AI55.tmp
%User Temp%\is-3AI55.tmp\_isetup
%Program Files%\Microsoft Data
%User Temp%\Folder_Temp_12-21
%User Temp%\Folder_Temp_12-21\adds
%User Temp%\Folder_Temp_12-21\js
%User Temp%\Folder_Temp_12-21\xml

*Note: Read the following Microsoft page if these steps do not work on Windows 7.

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as ADW_BROWS. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Restore this file from backup only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on you computer again.

%User Temp%\Folder_Temp_12-21/?¼?H?

Step 9

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
- WebSecurity Extension_is1

Did this description help? Tell us how we did.

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Kaynaklar

Destek

Trend Hakında

ADW_BROWS

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Kaynaklar

Destek

Trend Hakında

Amerika Kıtası

Orta Doğu ve Afrika

Avrupa

Asya ve Pasifik