AIT.Trojan.Nymeria.7_2a5bc1d266

by malwarelabrobot on April 27th, 2017 in Malware Descriptions.

Trojan.Win32.Autoit.fee (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Adware.Downware.16851 (DrWeb), Artemis!2A5BC1D266F4 (McAfee), Trojan.Gen.2 (Symantec), Virus.BAT.Qhost (Ikarus), AIT:Trojan.Nymeria.7 (AdAware), Installer.Win32.SmartIM.FD, InstallerSmartIM.YR (Lavasoft MAS)
Behaviour: Trojan, Virus, Installer, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 2a5bc1d266f4d99bda9a42b67d99b2a7
SHA1: 1919c864cf5cddd055dd77f24f17658d439a3587
SHA256: 66ffca3a0204f417d07898f6177ee2a123f31d954bdaa94a3684b2ba04cc32bf
SSDeep: 98304:y7kVfZhvaTAGNFsq1rIHW HE6tRN3FUycgmLIJppW/oK:fBQAqRI2CVRN3FUyc9IJpprK
Size: 3813025 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The AIT creates the following process(es):

freerip-setup.exe:3108
%original file name%.exe:2472

The AIT injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process freerip-setup.exe:3108 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFD14.tmp (21786 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\NSISPluginW.dll (19717 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\modern-header.bmp (3312 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\getCountry (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\NSISHelper.dll (8805 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\FreeRipLicenseAgreement.txt (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\UserInfo.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\System.dll (23 bytes)

The AIT deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\inst_start (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFD13.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp (0 bytes)

The process %original file name%.exe:2472 makes changes in the file system.
The AIT creates and/or writes to the following file(s):

%Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\freerip-setup.exe (34178 bytes)
%Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\Uninstall.exe (1007 bytes)
%Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\Uninstall.ini (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Hroulp.exe (27506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (4602 bytes)

The AIT deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (0 bytes)

Registry activity

The process freerip-setup.exe:3108 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\freerip-setup_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\freerip-setup_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\freerip-setup_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\freerip-setup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\freerip-setup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\freerip-setup_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\freerip-setup_RASAPI32]
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The AIT deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:2472 makes changes in the system registry.
The AIT creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeRIP MP3 Converter 5.6.0.1]
"NoModify" = "1"
"DisplayIcon" = "%Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\Uninstall.exe"
"DisplayName" = "FreeRIP MP3 Converter 5.6.0.1"
"UninstallString" = "%Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FreeRIP MP3 Converter 5.6.0.1]
"NoRepair" = "1"

The AIT deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
0c04ccd59101dd1bc16e0a1c980f7a83 c:\Program Files\GreenTree Applications SRL\FreeRIP MP3 Converter\Uninstall.exe
1a67607b95370a175d9a24e7f16c02ea c:\Program Files\GreenTree Applications SRL\FreeRIP MP3 Converter\freerip-setup.exe
0785fe6f5b0228209a9e5578b157b282 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\NSISHelper.dll
a3955153a566a7f38eaf2e3fb20f0b3b c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\NSISPluginW.dll
7caaf58a526da33c24cbe122e7839693 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\NSISdl.dll
bf712f32249029466fa86756f5546950 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\System.dll
c7ce0e47c83525983fd2c4c9566b4aad c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\UserInfo.dll
4ccc4a742d4423f2f0ed744fd9c81f63 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\nsDialogs.dll
f76f0bd60392b92baecf4871b34e8b42 c:\Users\"%CurrentUserName%"\AppData\Roaming\Hroulp.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: GreenTree Applications SRL
Product Name:
Product Version:
Legal Copyright: GreenTree Applications SRL
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.6.0.1
File Description: FreeRIP MP3 Converter 5.6.0.1 Installation
Comments:
Language: Russian (Russia)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
CODE 4096 101320 101376 4.49424 7f532ed19c45aec13332e454d2001f87
DATA 106496 1820 2048 2.27967 2705391c63f702544cbef8f018585736
BSS 110592 2189 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 114688 5974 6144 3.36284 6ef45b45b5ec1cbea27717a66bf55ce0
.tls 122880 8 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 126976 24 512 0.14174 0c46eb03462d5c715a4e8b5d6a9ec578
.reloc 131072 4964 5120 4.62468 9d2d734696d5c1baa97cc08cd5501e47
.rsrc 139264 95784 96256 3.83185 849d2ce69c15afe9df7baf1c06a94308

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.mybrowserbar.com/cgi/getcountry.html
hxxp://freecloudnetwork.com/images/pixel.gif?ct=ebd2.9&ies=0&eo=&cnid=287194&kt=frpau&isn=C8536435F97F45A3A111DBB32695BACE&mv=1
hxxp://rip1.greentreeapps.ro/images/pixel.gif?action=install&point=start&cid=18f9d8d54f563d3d3d7ebe870118d1f5&kt=frpau
hxxp://api.mybrowserbar.com/cgi/getcountry.html 174.36.215.20
hxxp://www.freerip.com/images/pixel.gif?action=install&point=start&cid=18f9d8d54f563d3d3d7ebe870118d1f5&kt=frpau 95.211.187.92
www.freecloudnetwork.com 174.37.208.213


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /images/pixel.gif?action=install&point=start&cid=18f9d8d54f563d3d3d7ebe870118d1f5&kt=frpau HTTP/1.0
Host: VVV.freerip.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Wed, 26 Apr 2017 20:47:56 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 0
Connection


GET /cgi/getcountry.html HTTP/1.0
Host: api.mybrowserbar.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Wed, 26 Apr 2017 20:35:16 GMT
Server: Apache
Content-Length: 2
Connection: close
Content-Type: text/plain
UA..


The AIT connects to the servers at the following location(s):

%original file name%.exe_2472:

.idata
.rdata
P.reloc
P.rsrc
uxtheme.dll
c:\delphi7\Lib\KOL\KOL.pas
Unsupported bitmap format
;CRt$
PSAPI.dll
kernel32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups
Software\Microsoft\Windows
SOFTWARE\Microsoft\.NETFramework\policy
..\sim.exe
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
WinExec
gdi32.dll
GetKeyState
ExitWindowsEx
EnumWindows
winmm.dll
ole32.dll
comctl32.dll
shell32.dll
GetWindowsDirectoryA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
ShellExecuteExA
ShellExecuteA
cabinet.dll
KWindows
UrlMon
version="1.0.0.0"
name="Microsoft.Windows.SIM"
<requestedExecutionLevel level="requireAdministrator"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
FreeRIP MP3 Converter 5.6.0.1 Installation
5.6.0.1

freerip-setup.exe_3108:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
9`W32.Va
zY%U?
^.wO1=
d:\Autobuild\CleanSVN\freerip\branches\4.9.0\FreeRIP3\Release\FRP_DL.pdb
InternetCrackUrlW
HttpOpenRequestW
HttpSendRequestW
HttpQueryInfoW
WININET.dll
ShellExecuteExW
MSVCP90.dll
MSVCR90.dll
_malloc_crt
_amsg_exit
_crt_debugger_hook
GetProcessHeap
FRP_DL.dll
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
5_5j5
COMDLG32.dll
nsDialogs.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
ers\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\nsDialogs.dll
erter\freerip-setup.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp
\FreeRIP MP3 Converter\freerip-setup.exe"
ement.txt
hXXp://d24jeb81yj2h0q.cloudfront.net/kits/sds/SMStubDLL.exe
NSIS_Inetc (Mozilla)
hXXp://VVV.freerip.com/images/pixel.gif?src=stub&kt=
hXXp://download.freerip.com/download/FreeRIPsetup.exe?kt=
HTTP/1.1
All Files|*.*
FreeRIP MP3 Converter 5.6.0.1 Setup
nsdFD25.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\inst_start
File: skipped: "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\nsDialogs.dll" (overwriteflag=1)
p\nsDialogs.dll"
ment.txt"
9, 327, 125, 23, 0)
2335808
Program Files\GreenTree Applications SRL\FreeRIP MP3 Converter\freerip-setup.exe"
2163344
"%Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\freerip-setup.exe"
%Program Files%\FreeRIP\
%Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter
freerip-setup.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsnFD13.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
%Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\freerip-setup.exe
5.6.0.1
FreeRIP_setup.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    freerip-setup.exe:3108
    %original file name%.exe:2472

  2. Delete the original AIT file.
  3. Delete or disinfect the following files created/modified by the AIT:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsnFD14.tmp (21786 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\NSISPluginW.dll (19717 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\modern-header.bmp (3312 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\getCountry (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\NSISHelper.dll (8805 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\FreeRipLicenseAgreement.txt (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\UserInfo.dll (8 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\NSISdl.dll (31 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsdFD25.tmp\System.dll (23 bytes)
    %Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\freerip-setup.exe (34178 bytes)
    %Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\Uninstall.exe (1007 bytes)
    %Program Files%\GreenTree Applications SRL\FreeRIP MP3 Converter\Uninstall.ini (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\2.tmp (68 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Hroulp.exe (27506 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\$inst\temp_0.tmp (4602 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
