ALIASES:

WebToolbar.Win64.SearchSuite.e (Kaspersky)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 REPORTED INFECTION:
 SYSTEM IMPACT RATING:
 INFORMATION EXPOSURE:

  • Threat Type: Adware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File Size: 8,204,920 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 14 Jul 2014

Arrival Details

This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This adware creates the following folders:

  • %System Root%\DOCUME~1
  • %System Root%\DOCUME~1\Wilbert
  • %User Profile%\LOCALS~1
  • %User Temp%\nsk7.tmp
  • %User Temp%\nsk7
  • %User Profile%\Application Data\systemk
  • %User Temp%\nsk7\nsa17.tmp
  • %Program Files%\Settings Manager
  • %Program Files%\Settings Manager\systemk
  • %Program Files%\Settings Manager\systemk\x64
  • %User Temp%\nss80.tmp
  • %User Temp%\nss80
  • %Program Files%\Linkey
  • %User Temp%\nss80\nsu8E.tmp
  • %System Root%\Documents and Settings\Wilbert
  • %Application Data%\Linkey
  • %Application Data%\Linkey\IEExtension
  • %User Temp%\nstA9.tmp
  • %User Temp%\nstA9
  • %Program Files%\LinkeyDeals

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

Autostart Technique

This adware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
Linkey Deals = "%Program Files%\LinkeyDeals\msilnk.exe "

It registers itself as a BHO to ensure its automatic execution every time Internet Explorer is used by adding the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}

It modifies the following registry entries to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
AutoRestartShell = "1"

(Note: The default value data of the said registry entry is 1.)

Other System Modifications

This adware deletes the following files:

  • %User Temp%\nsa1.tmp
  • %User Temp%\nsk7.tmp
  • %User Temp%\nsi7E.tmp
  • %User Temp%\nss80.tmp
  • %User Temp%\nsyA5.tmp
  • %User Temp%\nstA9.tmp
  • %User Profile%\systemk\coordinator.cfg.bak
  • %User Profile%\systemk\S-1-5-21-1645522239-1292428093-682003330-1003.cfg.bak

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7.)

It adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bprotect.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserprotect.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserdefender.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bitguard.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
snapdo.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browsersafeguard.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bpsvc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
protectedsearch.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst64.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotection.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
utiljumpflip.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
dprotectsvc.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotector.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings64.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
jumpflip

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
volaro

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vonteera

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchinstaller.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroids.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroidsservice.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
umbrella.exe

HKEY_LOCAL_MACHINE\Software\SystemK\
General

HKEY_CURRENT_USER\Software\SystemK\
General

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Session Manager\AppCertDlls

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Approved Extensions

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}

HKEY_CURRENT_USER\SOFTWARE\Linkey

HKEY_LOCAL_MACHINE\SOFTWARE\Linkey

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey

HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\iedll.dll

HKEY_CLASSES_ROOT\Linkey.Linkey

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Linkey.Linkey\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\Implemented Categories

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\Implemented Categories\
{59FB2056-D625-48D0-A944-1A85B5AB2640}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\
FLAGS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\
0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\
0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\
HELPDIR

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\TypeLib

HKEY_CLASSES_ROOT\SettingsManagerIEHelper.DNSGuard.1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SettingsManagerIEHelper.DNSGuard.1\CLSID

HKEY_CLASSES_ROOT\SettingsManagerIEHelper.DNSGuard

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SettingsManagerIEHelper.DNSGuard\CLSID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
SettingsManagerIEHelper.DNSGuard\CurVer

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\ProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\VersionIndependentProgID

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}\Programmable

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}\InprocServer32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\
FLAGS

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\
0

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\
0\win32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\
HELPDIR

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\ProxyStubClsid

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\ProxyStubClsid32

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\TypeLib

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
chrome.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\App Paths\
chrome.exe

It adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bprotect.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserprotect.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browserdefender.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bitguard.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
snapdo.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
browsersafeguard.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
bpsvc.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
protectedsearch.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst32.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
stinst64.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotection.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
utiljumpflip.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
dprotectsvc.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchprotector.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchsettings64.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
jumpflip
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
volaro
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
vonteera
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
searchinstaller.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroids.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
websteroidsservice.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
umbrella.exe
debugger = "tasklist.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
use_secondary_url = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
iver = "5.0.0.13001"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
pver = "5.0.0.13001"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK
Version = "5.0.0.13001"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
appid = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
home = "%Program Files%\Settings Manager"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ln = "en"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
sysid = "427"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
clid = "{3CA2CF07-8A58-4472-ACB9-B3DA14A19DB0}"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
osver = "5.1"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ostype = "win32"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
osl = "en-US"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
itime = "2014-07-04"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ptype = "n"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
kisid = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
kapid = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
uid = "3202250780584472"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
uc = "398"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
kbn = "13001"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
guid = "{EB25CAE0-E5F3-E993-3950-E055FE755242}"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
os_user_type = "Admin"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ie_search_set = "1"

HKEY_CURRENT_USER\Software\SystemK\
General
ie_search_set = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK
browser = " ie ff cr"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ie_ds_supported = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
ie_hp_supported = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Search Bar = "http://www.{BLOCKED}t-search.net?sid=427&aid=0&itype=n&ver=13001&tm=398&src=ds&p="

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Search
SearchAssistant = "{random characters}"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Use Search Asst = "no"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager\AppCertDlls
x86 = "%Program Files%\Settings Manager\systemk\sysapcrt.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Main
FrameAuto = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Toolbar
10 = "10"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Approved Extensions
{54739D49-AC03-4C57-9264-C5195596B3A1} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}
Flags = "4"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
aw = "No"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
sitime = "1404466048"

HKEY_CURRENT_USER\Software\Linkey
instdir = "%Application Data%\Linkey"

HKEY_CURRENT_USER\Software\Linkey
extraUninstaller = "%Program Files%\Settings Manager\systemk\Uninstall.exe /browser=all"

HKEY_CURRENT_USER\Software\Linkey
browsers = "chrome,ff,ie"

HKEY_CURRENT_USER\Software\Linkey
norestart = "Yes"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
LoadAppInit_DLLs = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Linkey
ie_jsurl = "http://app.{BLOCKED}project.com/popup/IE/background.js"

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Approved Extensions
{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Ext\
Settings\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
Flags = "4"

HKEY_CURRENT_USER\Software\Linkey
iver = "0.0.0.469"

HKEY_CURRENT_USER\Software\Linkey
pver = "0.0.0.469"

HKEY_CURRENT_USER\Software\Linkey
appid = "0"

HKEY_CURRENT_USER\Software\Linkey
home = "%Application Data%\Linkey"

HKEY_CURRENT_USER\Software\Linkey
ln = "en"

HKEY_CURRENT_USER\Software\Linkey
sysid = "300"

HKEY_CURRENT_USER\Software\Linkey
clid = "{F3D13913-EDE2-4D57-91C6-8BE508FACF58}"

HKEY_CURRENT_USER\Software\Linkey
itime = "1404466033"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
NoModify = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
NoRepair = "1"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
DisplayName = "Linkey"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
InstallLocation = "%Application Data%\Linkey"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
DisplayVersion = "0.0.0.469"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
UninstallString = "%Application Data%\Linkey\uninstall.exe "

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
DisplayIcon = "%Application Data%\Linkey\uninstall.exe"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
Publisher = "Aztec Media Inc"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Uninstall\
Linkey
Traffic_type = "n"

HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
browser = "ie,ff,chrome,"

HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
company = "Linkey Deals"

HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
distributed = "Linkey Deals"

HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
UninstallString = "%Program Files%\LinkeyDeals\LinkeyDealsUninst.exe /browser=all"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
AppID\iedll.dll
AppID = "{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\InprocServer32
ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Explorer\
Browser Helper Objects\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
NoExplorer = "1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\InprocServer32
ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}\InprocServer32
ThreadingModel = "Apartment"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\TypeLib
Version = "1.0"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
srn0 = "SystemkService"

HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\
General
srn1 = "F06DEFF2-5B9C-490D-910F-35D3A9119622"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Control\Session Manager\AppCertDlls
x64 = "%Program Files%\settings manager\systemk\x64\sysapcrt.dll"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Internet Explorer\Search
SearchAssistant = "{random characters}"

(Note: The default value data of the said registry entry is http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm.)

HKEY_CURRENT_USER\Software\Microsoft\
Internet Explorer\Main
Start Page = "http://www.{BLOCKED}t-search.net?sid=427&aid=0&itype=n&ver=13001&tm=398&src=hmp"

(Note: The default value data of the said registry entry is http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Windows
AppInit_DLLs = "%Application Data%\Linkey\IEEXTE~1\iedll.dll "

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi
LogSessionName = "stdout"

(Note: The default value data of the said registry entry is {random values}.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi
Active = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi
ControlFlags = "1"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi\ImapiSvc
Guid = "8107d8e9-e323-49f5-bba2-abc35c243dca"

(Note: The default value data of the said registry entry is 8107d8e9-e323-49f5-bba2-abc35c243dca.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Tracing\
Microsoft\Imapi\ImapiSvc
BitNames = "{random characters}"

(Note: The default value data of the said registry entry is ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort.)

It deletes the following registry keys:

HKEY_CURRENT_USER\Software\SystemK

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
SystemkService.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
systemku.exe

Dropping Routine

This adware drops the following files:

  • %User Temp%\nsf3.tmp
  • %User Temp%\nsk7.tmp\System.dll
  • %User Temp%\nsk7.tmp\UserInfo.dll
  • %User Temp%\nsk7\Helper.dll
  • %User Temp%\nsk7\Starter.exe
  • %User Temp%\nsk7.tmp\registry.dll
  • %User Temp%\nsk7\nsa17.tmp\pack.exe
  • %User Temp%\nsk7\nsa17.tmp\mediabar.exe
  • %User Temp%\nsk7\tbicon.exe
  • %User Temp%\nsk7.tmp\nsExec.dll
  • %Program Files%\Settings Manager\systemk\Uninstall.exe
  • %Program Files%\Settings Manager\systemk\favicon.ico
  • %Program Files%\Settings Manager\systemk\systemkmgrc2.cfg
  • %Program Files%\Settings Manager\systemk\x64\systemkmgrc2.cfg
  • %Program Files%\Settings Manager\systemk\Internet Explorer Settings Update.exe
  • %Program Files%\Settings Manager\systemk\x64\Internet Explorer Settings Update.exe
  • %Program Files%\Settings Manager\systemk\Internet Explorer Settings.exe
  • %Program Files%\Settings Manager\systemk\x64\Internet Explorer Settings.exe
  • %Program Files%\Settings Manager\systemk\SystemkService.exe
  • %Program Files%\Settings Manager\systemk\systemku.exe
  • %Program Files%\Settings Manager\systemk\sysapcrt.dll
  • %Program Files%\Settings Manager\systemk\x64\sysapcrt.dll
  • %Program Files%\Settings Manager\systemk\syskldr.dll
  • %Program Files%\Settings Manager\systemk\x64\syskldr.dll
  • %Program Files%\Settings Manager\systemk\syskldr_u.dll
  • %Program Files%\Settings Manager\systemk\x64\syskldr_u.dll
  • %Program Files%\Settings Manager\systemk\systemk.dll
  • %Program Files%\Settings Manager\systemk\x64\systemk.dll
  • %Program Files%\Settings Manager\systemk\systemkbho.dll
  • %Program Files%\Settings Manager\systemk\x64\systemkbho.dll
  • %User Temp%\nsk7\nsa17.tmp\SettingsManagerMediaBar.exe
  • %User Temp%\nss80.tmp\System.dll
  • %User Temp%\nss80\Helper.dll
  • %User Temp%\nss80\Uninstall.exe
  • %User Temp%\nss80.tmp\registry.dll
  • %Program Files%\Linkey\log.log
  • %User Temp%\nss80.tmp\nsArray.dll
  • %User Temp%\nss80\nsu8E.tmp\pack.exe
  • %User Temp%\nss80.tmp\nsExec.dll
  • %User Temp%\nss80.tmp\MoreInfo.dll
  • %User Temp%\nss80\config.xml
  • %User Temp%\nss80.tmp\nsisXML.dll
  • %Application Data%\Linkey\LinkeyDeals.exe
  • %Application Data%\Linkey\IEExtension\iedll.dll
  • %Application Data%\Linkey\IEExtension\iedll64.dll
  • %User Temp%\nsnA7.tmp
  • %User Temp%\nstA9\insthlp.dll
  • %User Temp%\nstA9.tmp\System.dll
  • %Program Files%\LinkeyDeals\msilnk.dll
  • %Program Files%\LinkeyDeals\msilnk64.dll
  • %Program Files%\LinkeyDeals\msilnk64.exe
  • %Program Files%\LinkeyDeals\msilnk.exe
  • %Program Files%\LinkeyDeals\insthlp.dll
  • %Program Files%\LinkeyDeals\LinkeyDealsUninst.exe
  • %User Profile%\systemk\general.cfg
  • %User Profile%\systemk\S-1-5-21-1645522239-1292428093-682003330-1003.cfg
  • %User Profile%\systemk\coordinator.cfg
  • %Temp%\hvjmq55z.TMP

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit). %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7. %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %Temp% is the Windows Temporary folder, which is usually C:\Windows\Temp.)

Other Details

This adware connects to the following possibly malicious URLs:

  • http://service.{BLOCKED}e.com
  • {BLOCKED}.195.35
  • {BLOCKED}5.109.70

This report is generated via an automated analysis system.

  SOLUTION

Minimum Scan Engine: 9.700

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Identify and delete files detected as ADW_SUITSEAR using either the Startup Disk or Recovery Console

Step 3

Close all opened browser windows

Step 4

Delete these registry keys

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • bprotect.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • browserprotect.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • browserdefender.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • bitguard.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • snapdo.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • browsersafeguard.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • bpsvc.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • protectedsearch.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • stinst32.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • stinst64.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • searchprotection.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • utiljumpflip.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • dprotectsvc.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • searchprotector.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • searchsettings.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • searchsettings64.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • jumpflip
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • volaro
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • vonteera
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • searchinstaller.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • websteroids.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • websteroidsservice.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • umbrella.exe
  • In HKEY_LOCAL_MACHINE\Software\SystemK
    • General
  • In HKEY_CURRENT_USER\Software\SystemK
    • General
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    • Search
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
    • AppCertDlls
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
    • Approved Extensions
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings
    • {54739D49-AC03-4C57-9264-C5195596B3A1}
  • In HKEY_CURRENT_USER\SOFTWARE
    • Linkey
  • In HKEY_LOCAL_MACHINE\SOFTWARE
    • Linkey
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings
    • {4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • Linkey
  • In HKEY_LOCAL_MACHINE\SOFTWARE
    • LinkeyDeals
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
    • {6A7CD9EC-D8BD-4340-BCD0-77C09A282921}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID
    • iedll.dll
  • In HKEY_CLASSES_ROOT
    • Linkey.Linkey
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Linkey.Linkey
    • CLSID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
    • ProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
    • VersionIndependentProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
    • Programmable
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
    • Implemented Categories
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\Implemented Categories
    • {59FB2056-D625-48D0-A944-1A85B5AB2640}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {726E90BE-DC22-4965-B215-E0784DC26F47}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}
    • 1.0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0
    • FLAGS
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0
    • 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0\0
    • win32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{726E90BE-DC22-4965-B215-E0784DC26F47}\1.0
    • HELPDIR
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
    • {4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}
    • ProxyStubClsid
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}
    • ProxyStubClsid32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}
    • TypeLib
  • In HKEY_CLASSES_ROOT
    • SettingsManagerIEHelper.DNSGuard.1
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SettingsManagerIEHelper.DNSGuard.1
    • CLSID
  • In HKEY_CLASSES_ROOT
    • SettingsManagerIEHelper.DNSGuard
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SettingsManagerIEHelper.DNSGuard
    • CLSID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\SettingsManagerIEHelper.DNSGuard
    • CurVer
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {54739D49-AC03-4C57-9264-C5195596B3A1}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}
    • ProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}
    • VersionIndependentProgID
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}
    • Programmable
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID
    • {E1842850-FB16-4471-B327-7343FBAED55C}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}
    • Programmable
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}
    • InprocServer32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib
    • {93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}
    • 1.0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0
    • FLAGS
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0
    • 0
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0\0
    • win32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{93D511B5-143B-4A99-ABFC-B5B78AD0AE1B}\1.0
    • HELPDIR
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface
    • {AA760BA8-5862-4BC5-9263-4452CBC0B264}
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}
    • ProxyStubClsid
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}
    • ProxyStubClsid32
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}
    • TypeLib
  • In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
    • chrome.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
    • chrome.exe

Step 5

Delete these registry values

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or can ask your system administrator for assistance. Otherwise, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • Linkey Deals = "%Program Files%\LinkeyDeals\msilnk.exe "
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bprotect.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserprotect.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browserdefender.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bitguard.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snapdo.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\browsersafeguard.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpsvc.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protectedsearch.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst32.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\stinst64.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotection.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utiljumpflip.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dprotectsvc.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchprotector.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchsettings64.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jumpflip
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\volaro
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vonteera
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\searchinstaller.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroids.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\websteroidsservice.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\umbrella.exe
    • debugger = "tasklist.exe"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • use_secondary_url = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • iver = "5.0.0.13001"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • pver = "5.0.0.13001"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK
    • Version = "5.0.0.13001"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • appid = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • home = "%Program Files%\Settings Manager"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • ln = "en"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • sysid = "427"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • clid = "{3CA2CF07-8A58-4472-ACB9-B3DA14A19DB0}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • osver = "5.1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • ostype = "win32"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • osl = "en-US"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • itime = "2014-07-04"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • ptype = "n"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • kisid = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • kapid = "0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • uid = "3202250780584472"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • uc = "398"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • kbn = "13001"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • guid = "{EB25CAE0-E5F3-E993-3950-E055FE755242}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • os_user_type = "Admin"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • ie_search_set = "1"
  • In HKEY_CURRENT_USER\Software\SystemK\General
    • ie_search_set = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK
    • browser = " ie ff cr"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • ie_ds_supported = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • ie_hp_supported = "1"
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • Search Bar = "http://www.{BLOCKED}t-search.net?sid=427&aid=0&itype=n&ver=13001&tm=398&src=ds&p="
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
    • SearchAssistant = "{random characters}"
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • Use Search Asst = "no"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls
    • x86 = "%Program Files%\Settings Manager\systemk\sysapcrt.dll"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
    • FrameAuto = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
    • 10 = "10"
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions
    • {54739D49-AC03-4C57-9264-C5195596B3A1} = "{random values}"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{54739D49-AC03-4C57-9264-C5195596B3A1}
    • Flags = "4"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • aw = "No"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • sitime = "1404466048"
  • In HKEY_CURRENT_USER\Software\Linkey
    • instdir = "%Application Data%\Linkey"
  • In HKEY_CURRENT_USER\Software\Linkey
    • extraUninstaller = "%Program Files%\Settings Manager\systemk\Uninstall.exe /browser=all"
  • In HKEY_CURRENT_USER\Software\Linkey
    • browsers = "chrome,ff,ie"
  • In HKEY_CURRENT_USER\Software\Linkey
    • norestart = "Yes"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • LoadAppInit_DLLs = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Linkey
    • ie_jsurl = "http://app.{BLOCKED}project.com/popup/IE/background.js"
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Approved Extensions
    • {4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47} = "{random values}"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
    • Flags = "4"
  • In HKEY_CURRENT_USER\Software\Linkey
    • iver = "0.0.0.469"
  • In HKEY_CURRENT_USER\Software\Linkey
    • pver = "0.0.0.469"
  • In HKEY_CURRENT_USER\Software\Linkey
    • appid = "0"
  • In HKEY_CURRENT_USER\Software\Linkey
    • home = "%Application Data%\Linkey"
  • In HKEY_CURRENT_USER\Software\Linkey
    • ln = "en"
  • In HKEY_CURRENT_USER\Software\Linkey
    • sysid = "300"
  • In HKEY_CURRENT_USER\Software\Linkey
    • clid = "{F3D13913-EDE2-4D57-91C6-8BE508FACF58}"
  • In HKEY_CURRENT_USER\Software\Linkey
    • itime = "1404466033"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
    • NoModify = "1"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
    • NoRepair = "1"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
    • DisplayName = "Linkey"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
    • InstallLocation = "%Application Data%\Linkey"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
    • DisplayVersion = "0.0.0.469"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
    • UninstallString = "%Application Data%\Linkey\uninstall.exe "
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
    • DisplayIcon = "%Application Data%\Linkey\uninstall.exe"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
    • Publisher = "Aztec Media Inc"
  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Linkey
    • Traffic_type = "n"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
    • browser = "ie,ff,chrome,"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
    • company = "Linkey Deals"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
    • distributed = "Linkey Deals"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\LinkeyDeals
    • UninstallString = "%Program Files%\LinkeyDeals\LinkeyDealsUninst.exe /browser=all"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\iedll.dll
    • AppID = "{6A7CD9EC-D8BD-4340-BCD0-77C09A282921}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}\InprocServer32
    • ThreadingModel = "Apartment"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D9101D6-5BA0-4048-BDDE-7E2DF54C8C47}
    • NoExplorer = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4613B1C1-FBC0-43C3-A4B9-B1D6CD360BB3}\TypeLib
    • Version = "1.0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{54739D49-AC03-4C57-9264-C5195596B3A1}\InprocServer32
    • ThreadingModel = "Apartment"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1842850-FB16-4471-B327-7343FBAED55C}\InprocServer32
    • ThreadingModel = "Apartment"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA760BA8-5862-4BC5-9263-4452CBC0B264}\TypeLib
    • Version = "1.0"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • srn0 = "SystemkService"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\SystemK\General
    • srn1 = "F06DEFF2-5B9C-490D-910F-35D3A9119622"
  • In HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCertDlls
    • x64 = "%Program Files%\settings manager\systemk\x64\sysapcrt.dll"

Step 6

Restore these modified registry values

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this only if you know how to or you can seek your system administrator's help. You may also check out this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
    • From: SearchAssistant = "{random characters}"
      To: SearchAssistant = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
  • In HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    • From: Start Page = "http://www.{BLOCKED}t-search.net?sid=427&aid=0&itype=n&ver=13001&tm=398&src=hmp"
      To: Start Page = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    • AppInit_DLLs = "%Application Data%\Linkey\IEEXTE~1\iedll.dll "
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi
    • From: LogSessionName = "stdout"
      To: LogSessionName = "{random values}"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi
    • From: Active = "1"
      To: Active = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi
    • From: ControlFlags = "1"
      To: ControlFlags = "1"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc
    • From: Guid = "8107d8e9-e323-49f5-bba2-abc35c243dca"
      To: Guid = "8107d8e9-e323-49f5-bba2-abc35c243dca"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc
    • From: BitNames = "{random characters}"
      To: BitNames = " ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    • From: AutoRestartShell = "1"
      To: AutoRestartShell = "1"

Step 7

Search and delete these components

There may be some components that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %User Temp%\nsf3.tmp
  • %User Temp%\nsk7.tmp\System.dll
  • %User Temp%\nsk7.tmp\UserInfo.dll
  • %User Temp%\nsk7\Helper.dll
  • %User Temp%\nsk7\Starter.exe
  • %User Temp%\nsk7.tmp\registry.dll
  • %User Temp%\nsk7\nsa17.tmp\pack.exe
  • %User Temp%\nsk7\nsa17.tmp\mediabar.exe
  • %User Temp%\nsk7\tbicon.exe
  • %User Temp%\nsk7.tmp\nsExec.dll
  • %Program Files%\Settings Manager\systemk\Uninstall.exe
  • %Program Files%\Settings Manager\systemk\favicon.ico
  • %Program Files%\Settings Manager\systemk\systemkmgrc2.cfg
  • %Program Files%\Settings Manager\systemk\x64\systemkmgrc2.cfg
  • %Program Files%\Settings Manager\systemk\Internet Explorer Settings Update.exe
  • %Program Files%\Settings Manager\systemk\x64\Internet Explorer Settings Update.exe
  • %Program Files%\Settings Manager\systemk\Internet Explorer Settings.exe
  • %Program Files%\Settings Manager\systemk\x64\Internet Explorer Settings.exe
  • %Program Files%\Settings Manager\systemk\SystemkService.exe
  • %Program Files%\Settings Manager\systemk\systemku.exe
  • %Program Files%\Settings Manager\systemk\sysapcrt.dll
  • %Program Files%\Settings Manager\systemk\x64\sysapcrt.dll
  • %Program Files%\Settings Manager\systemk\syskldr.dll
  • %Program Files%\Settings Manager\systemk\x64\syskldr.dll
  • %Program Files%\Settings Manager\systemk\syskldr_u.dll
  • %Program Files%\Settings Manager\systemk\x64\syskldr_u.dll
  • %Program Files%\Settings Manager\systemk\systemk.dll
  • %Program Files%\Settings Manager\systemk\x64\systemk.dll
  • %Program Files%\Settings Manager\systemk\systemkbho.dll
  • %Program Files%\Settings Manager\systemk\x64\systemkbho.dll
  • %User Temp%\nsk7\nsa17.tmp\SettingsManagerMediaBar.exe
  • %User Temp%\nss80.tmp\System.dll
  • %User Temp%\nss80\Helper.dll
  • %User Temp%\nss80\Uninstall.exe
  • %User Temp%\nss80.tmp\registry.dll
  • %Program Files%\Linkey\log.log
  • %User Temp%\nss80.tmp\nsArray.dll
  • %User Temp%\nss80\nsu8E.tmp\pack.exe
  • %User Temp%\nss80.tmp\nsExec.dll
  • %User Temp%\nss80.tmp\MoreInfo.dll
  • %User Temp%\nss80\config.xml
  • %User Temp%\nss80.tmp\nsisXML.dll
  • %Application Data%\Linkey\LinkeyDeals.exe
  • %Application Data%\Linkey\IEExtension\iedll.dll
  • %Application Data%\Linkey\IEExtension\iedll64.dll
  • %User Temp%\nsnA7.tmp
  • %User Temp%\nstA9\insthlp.dll
  • %User Temp%\nstA9.tmp\System.dll
  • %Program Files%\LinkeyDeals\msilnk.dll
  • %Program Files%\LinkeyDeals\msilnk64.dll
  • %Program Files%\LinkeyDeals\msilnk64.exe
  • %Program Files%\LinkeyDeals\msilnk.exe
  • %Program Files%\LinkeyDeals\insthlp.dll
  • %Program Files%\LinkeyDeals\LinkeyDealsUninst.exe
  • %User Profile%\systemk\general.cfg
  • %User Profile%\systemk\S-1-5-21-1645522239-1292428093-682003330-1003.cfg
  • %User Profile%\systemk\coordinator.cfg
  • %Temp%\hvjmq55z.TMP

Step 8

Search and delete these folders

Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %System Root%\DOCUME~1
  • %System Root%\DOCUME~1\Wilbert
  • %User Profile%\LOCALS~1
  • %User Temp%\nsk7.tmp
  • %User Temp%\nsk7
  • %User Profile%\Application Data\systemk
  • %User Temp%\nsk7\nsa17.tmp
  • %Program Files%\Settings Manager
  • %Program Files%\Settings Manager\systemk
  • %Program Files%\Settings Manager\systemk\x64
  • %User Temp%\nss80.tmp
  • %User Temp%\nss80
  • %Program Files%\Linkey
  • %User Temp%\nss80\nsu8E.tmp
  • %System Root%\Documents and Settings\Wilbert
  • %Application Data%\Linkey
  • %Application Data%\Linkey\IEExtension
  • %User Temp%\nstA9.tmp
  • %User Temp%\nstA9
  • %Program Files%\LinkeyDeals

Step 9

Scan your computer with your Trend Micro product to delete files detected as ADW_SUITSEAR. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 10

Restore these files from backup

*Note: Only Microsoft-related files will be restored. If this malware/grayware also deleted files related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • %User Temp%\nsa1.tmp
  • %User Temp%\nsk7.tmp
  • %User Temp%\nsi7E.tmp
  • %User Temp%\nss80.tmp
  • %User Temp%\nsyA5.tmp
  • %User Temp%\nstA9.tmp
  • %User Profile%\systemk\coordinator.cfg.bak
  • %User Profile%\systemk\S-1-5-21-1645522239-1292428093-682003330-1003.cfg.bak

Step 11

Restore these deleted registry keys/values from backup

*Note: Only Microsoft-related keys/values will be restored. If the malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

  • In HKEY_CURRENT_USER\Software
    • SystemK
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • SystemkService.exe
  • In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    • systemku.exe

