Program.Unwanted.504

Technical Information

Malicious functions

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /F /IM PropertySync.exe
'%WINDIR%\syswow64\taskkill.exe' /F /IM BackgroundHost.exe
'%WINDIR%\syswow64\taskkill.exe' /F /IM BackgroundHost64.exe

Modifies file system

Creates the following files

%TEMP%\seesimilar.exe
%TEMP%\che67a9.tmp\i48.png
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\i128.png
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\i128.ico
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\framework.xul
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\framework.png
%TEMP%\che67a9.tmp\i48.ico
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\framework.js
%TEMP%\che67a9.tmp\i32.png
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\content.js
%TEMP%\che67a9.tmp\i32.ico
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\config.js
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\button.xml
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\background.html
%TEMP%\che67a9.tmp\i16.png
%TEMP%\che67a9.tmp\i16.ico
%TEMP%\che67a9.tmp\i128.png
%TEMP%\che67a9.tmp\i128.ico
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\i16.ico
%TEMP%\che67a9.tmp\jquery.uuid.js
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\install.rdf
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\i16.png
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\icon.png
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome.manifest
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\skin\framework.css
%TEMP%\che67a9.tmp\mz\content.js
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\settings.json
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\options.xul
%TEMP%\che67a9.tmp\mz\background.js
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\mz\content.js
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\mz\background.js
%TEMP%\che67a9.tmp\settings.json
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\jquery-1.9.1.min.js
%TEMP%\che67a9.tmp\popup.js
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\i48.png
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\i48.ico
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\i32.png
%TEMP%\che67a9.tmp\manifest.json
%APPDATA%\mozilla\firefox\profiles\q0evdndb.default\extensions\seesimilar@seesimilar.com\chrome\content\i32.ico
%TEMP%\che67a9.tmp\content.js
%TEMP%\che67a9.tmp\jquery-1.9.1.min.js
%TEMP%\che67a9.tmp\ci.content.pack.js
%ProgramFiles(x86)%\seesimilar\i32.ico
%ProgramFiles(x86)%\seesimilar\i16.ico
%ProgramFiles(x86)%\seesimilar\i128.png
%ProgramFiles(x86)%\seesimilar\i128.ico
%ProgramFiles(x86)%\seesimilar\content.js
%ProgramFiles(x86)%\seesimilar\config.xml
%ProgramFiles(x86)%\seesimilar\background.html
%ProgramFiles(x86)%\seesimilar\scripthost64.dll
%ProgramFiles(x86)%\seesimilar\scripthost.dll
%ProgramFiles(x86)%\seesimilar\buttonsite64.dll
%ProgramFiles(x86)%\seesimilar\buttonsite.dll
%ProgramFiles(x86)%\seesimilar\backgroundhost64.exe
%ProgramFiles(x86)%\seesimilar\backgroundhost.exe
%ProgramFiles(x86)%\seesimilar\addonsframework.typelib64.dll
%ProgramFiles(x86)%\seesimilar\addonsframework.typelib.dll
%TEMP%\nsn20ca.tmp\uac.dll
%TEMP%\nsn20ca.tmp\ie9install.bmp
%TEMP%\nsn20ca.tmp\help_page.ini
%ProgramFiles(x86)%\seesimilar\i16.png
%ProgramFiles(x86)%\seesimilar\i32.png
%TEMP%\che67a9.tmp\ci.bg.pack.js
%ProgramFiles(x86)%\seesimilar\i48.ico
%TEMP%\che67a9.tmp\background.html
%TEMP%\che6769.tmp
%TEMP%\nsc66fd.tmp\nsisunz.dll
%TEMP%\seesimilar.xpi
%APPDATA%\seesimilar\install_helper.exe
%APPDATA%\seesimilar\seesimilar.crx
%TEMP%\install_helper.exe
%TEMP%\nsn20ca.tmp\system.dll
%ProgramFiles(x86)%\seesimilar\uninstall.exe
%ProgramFiles(x86)%\seesimilar\mz\content.js
%ProgramFiles(x86)%\seesimilar\mz\background.js
%ProgramFiles(x86)%\seesimilar\updaterwrapper.js
%ProgramFiles(x86)%\seesimilar\updater.js
%ProgramFiles(x86)%\seesimilar\options.htm
%ProgramFiles(x86)%\seesimilar\json2.min.js
%ProgramFiles(x86)%\seesimilar\jquery-1.9.1.min.js
%ProgramFiles(x86)%\seesimilar\i48.png
%TEMP%\che67a9.tmp\ci.browser.helper.js
%ProgramFiles(x86)%\seesimilar\uninst.exe

Deletes the following files

%TEMP%\nsn20ca.tmp\help_page.ini
%TEMP%\nsn20ca.tmp\ie9install.bmp
%TEMP%\nsn20ca.tmp\system.dll
%TEMP%\nsn20ca.tmp\uac.dll
%TEMP%\install_helper.exe
%TEMP%\seesimilar.exe
%APPDATA%\seesimilar\install_helper.exe
%TEMP%\seesimilar.xpi
%TEMP%\nsc66fd.tmp\nsisunz.dll

Moves the following files

from %TEMP%\che67a9.tmp\background.html to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\background.html
from %TEMP%\che67a9.tmp\manifest.json to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\manifest.json
from %TEMP%\che67a9.tmp\jquery.uuid.js to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\jquery.uuid.js
from %TEMP%\che67a9.tmp\jquery-1.9.1.min.js to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\jquery-1.9.1.min.js
from %TEMP%\che67a9.tmp\i48.png to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\i48.png
from %TEMP%\che67a9.tmp\i48.ico to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\i48.ico
from %TEMP%\che67a9.tmp\i32.png to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\i32.png
from %TEMP%\che67a9.tmp\i32.ico to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\i32.ico
from %TEMP%\che67a9.tmp\i16.png to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\i16.png
from %TEMP%\che67a9.tmp\i16.ico to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\i16.ico
from %TEMP%\che67a9.tmp\i128.png to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\i128.png
from %TEMP%\che67a9.tmp\i128.ico to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\i128.ico
from %TEMP%\che67a9.tmp\content.js to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\content.js
from %TEMP%\che67a9.tmp\ci.content.pack.js to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\ci.content.pack.js
from %TEMP%\che67a9.tmp\ci.browser.helper.js to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\ci.browser.helper.js
from %TEMP%\che67a9.tmp\ci.bg.pack.js to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\ci.bg.pack.js
from %TEMP%\che67a9.tmp\popup.js to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\popup.js
from %TEMP%\che67a9.tmp\settings.json to %LOCALAPPDATA%\google\chrome\user data\default\extensions\hekmimebcpbncnklfjadbpnjiaffabee\1.0.0.6\settings.json

Modifies the following files

%LOCALAPPDATA%\google\chrome\user data\default\preferences

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'%TEMP%\seesimilar.exe' /S
'%ProgramFiles(x86)%\seesimilar\backgroundhost.exe' /RegServer
'%ProgramFiles(x86)%\seesimilar\backgroundhost64.exe' /RegServer
'%TEMP%\install_helper.exe' /browser=IE /guid={7549CA81-7BB5-41AF-AF7D-4689F5CF8340}
'%APPDATA%\seesimilar\install_helper.exe' /browser=CH /path="%APPDATA%\SeeSimilar\SeeSimilar.crx" /id=hekmimebcpbncnklfjadbpnjiaffabee

Executes the following

'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\SeeSimilar\ScriptHost.dll"
'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\SeeSimilar\ButtonSite.dll"
'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\SeeSimilar\AddonsFramework.Typelib.dll"
'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\SeeSimilar\ButtonSite64.dll"
'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SeeSimilar\ButtonSite64.dll"
'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\SeeSimilar\ScriptHost64.dll"
'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SeeSimilar\ScriptHost64.dll"
'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\SeeSimilar\AddonsFramework.Typelib64.dll"
'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SeeSimilar\AddonsFramework.Typelib64.dll"
'%WINDIR%\syswow64\taskkill.exe' /F /IM PropertySync.exe' (with hidden window)
'%WINDIR%\syswow64\taskkill.exe' /F /IM BackgroundHost.exe' (with hidden window)
'%WINDIR%\syswow64\taskkill.exe' /F /IM BackgroundHost64.exe' (with hidden window)

Technologies

Terminology

Training and education

Myths

Technical Information

Curing recommendations

Free trial