Dropped.Worm.Generic.245219_56b9c593a7

by malwarelabrobot on August 17th, 2016 in Malware Descriptions.

Susp_Dropper (Kaspersky), Dropped:Worm.Generic.245219 (B) (Emsisoft), Dropped:Worm.Generic.245219 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Backdoor, Worm


This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 56b9c593a71e65951f29a483742b23ac
SHA1: a298eb83afb78aca078aa8bc84b0b657ca35d3c7
SHA256: 92c93c6abba3b6d09ddc344f3943458c86aa4efa14b6f12b8a7e4cf181be190b
SSDeep: 49152:2OnWer29dfvVrxyfRBdustaR4N3PPjun3FW8Y:2OWKKd3Vqust04tPPg8
Size: 1717248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, MicrosoftVisualCv60SPx, UPolyXv05_v6
Company: no certificate found
Created at: 2003-03-25 09:08:18
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor: malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Dropped creates the following process(es):

QVODÖØ~1.EXE:1756
regsvr32.exe:1136
Rundll32.exe:320
Rundll32.exe:1952
minibrowser.exe:1908
x5s32.exe:368
%original file name%.exe:1832

The Dropped injects its code into the following process(es):

QvodSetupPlus3.exe:936

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process QVODÖØ~1.EXE:1756 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%System%\syste9.dll (35 bytes)

The process regsvr32.exe:1136 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Program Files%\2c109a7d17.dat (294 bytes)
%System%\8aa20ab617.dat (13 bytes)

The process QvodSetupPlus3.exe:936 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (144 bytes)
%Program Files%\È¤ÍæÓÎÏ·\QvodSetupPlus.exe.!qd (1740037 bytes)

The process Rundll32.exe:320 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%System%\drivers\Drver.sys (6 bytes)
C:\Driver.sys (5 bytes)
%System%\syste2.dll (11 bytes)

The Dropped deletes the following file(s):

C:\Driver.sys (0 bytes)

The process Rundll32.exe:1952 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

C:\AutoRun.vbs (109 bytes)
C:\system.exe (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\474953.tmp (4545 bytes)
C:\AutoRun.inf (73 bytes)

The process minibrowser.exe:1908 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPINGDQB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5NTS3QTJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\INL042XV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W0B1UWYR\desktop.ini (67 bytes)

The process x5s32.exe:368 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Program Files%\È¤ÍæÓÎÏ·\Msvcp71.dll (13536 bytes)
%Program Files%\È¤ÍæÓÎÏ·\SocketModule.dll (16 bytes)
%Program Files%\È¤ÍæÓÎÏ·\È¤ÍæÍø.lnk (1 bytes)
%Program Files%\È¤ÍæÓÎÏ·\logo.ico (29 bytes)
%Program Files%\È¤ÍæÓÎÏ·\images\loading-s.gif (13 bytes)
%Program Files%\È¤ÍæÓÎÏ·\QvodSetupPlus3.exe (3785 bytes)
%Program Files%\È¤ÍæÓÎÏ·\DownLoad.dll (20 bytes)
%Program Files%\È¤ÍæÓÎÏ·\SkinControls.dll (6559 bytes)
%Program Files%\È¤ÍæÓÎÏ·\Mfc71.dll (21237 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\È¤ÍæÓÎÏ·\È¤ÍæÓÎÏ·.url (49 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\È¤ÍæÓÎÏ·\È¤ÍæÓÎÏ·.lnk (1 bytes)
%System%\drivers\etc\hosts (3 bytes)
%Program Files%\È¤ÍæÓÎÏ·\qvod.dll (15756 bytes)
%System%\qvod.dll (4185 bytes)
%Program Files%\È¤ÍæÓÎÏ·\hosts (3 bytes)
%Documents and Settings%\%current user%\Desktop\È¤ÍæÍø.lnk (1 bytes)
%Program Files%\È¤ÍæÓÎÏ·\images\bg.jpg (492 bytes)
%Program Files%\È¤ÍæÓÎÏ·\images\platformbg.jpg (1 bytes)
%Program Files%\È¤ÍæÓÎÏ·\offlinel.html (518 bytes)
%Program Files%\È¤ÍæÓÎÏ·\offline.html (469 bytes)
%Program Files%\È¤ÍæÓÎÏ·\images\loading.gif (16 bytes)
%Program Files%\È¤ÍæÓÎÏ·\17Wan.exe (15305 bytes)
%Program Files%\È¤ÍæÓÎÏ·\Msvcr71.dll (8763 bytes)
%Documents and Settings%\%current user%\Desktop\È¤ÍæÓÎÏ·.lnk (1 bytes)
%Program Files%\È¤ÍæÓÎÏ·\minibrowser.exe (1574 bytes)
%Program Files%\È¤ÍæÓÎÏ·\ComService.dll (1568 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl1.tmp (0 bytes)
%Program Files%\È¤ÍæÓÎÏ·\qvod.dll (0 bytes)
%Program Files%\È¤ÍæÓÎÏ·\hosts (0 bytes)

The process %original file name%.exe:1832 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\x5s32.exe (23546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QVODÖØ~1.EXE (1568 bytes)

The Dropped deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\x5s32.exe (0 bytes)

Registry activity

The process Rundll32.exe:320 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 91 D7 81 5C A7 B0 3D 5F 98 FB 2C 7D 52 88 4B"

The process %original file name%.exe:1832 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 AC C5 42 C1 0A B0 23 44 FD 04 A2 B2 27 25 DD"

To run a command automatically at the next Windows boot, the Dropped adds the following value to the system registry RunOnce autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

Dropped PE files

MD5 File path
7a4f775abb2f1c97def3e73afa2faedd c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\474953.tmp
748cd3313d92ef381d204e09a0d37145 c:\Program Files\È¤ÍæÓÎÏ·\17Wan.exe
4ca946f6ea00a6922612dd17ab87e3e9 c:\Program Files\È¤ÍæÓÎÏ·\ComService.dll
674f75516ce7f19e6111ada2f274905b c:\Program Files\È¤ÍæÓÎÏ·\DownLoad.dll
f35a584e947a5b401feb0fe01db4a0d7 c:\Program Files\È¤ÍæÓÎÏ·\Mfc71.dll
561fa2abb31dfa8fab762145f81667c2 c:\Program Files\È¤ÍæÓÎÏ·\Msvcp71.dll
86f1895ae8c5e8b17d99ece768a70732 c:\Program Files\È¤ÍæÓÎÏ·\Msvcr71.dll
242d9bed8e115ae06217705e0f27ffd3 c:\Program Files\È¤ÍæÓÎÏ·\QvodSetupPlus3.exe
71adc1e0e485eca9e399024536961d45 c:\Program Files\È¤ÍæÓÎÏ·\SkinControls.dll
e533b5bc5a678b29664418ed7dfd25d7 c:\Program Files\È¤ÍæÓÎÏ·\SocketModule.dll
cc07bff1675b25d98936bf8b62a0bc16 c:\Program Files\È¤ÍæÓÎÏ·\minibrowser.exe
1de5bb188fcc4012be969f9279db16af c:\WINDOWS\system32\drivers\Drver.sys
b0ae386171f45cb35639111012237a40 c:\WINDOWS\system32\qvod.dll
498f237e682209db04427da65dec44ac c:\WINDOWS\system32\syste2.dll
d168ded5760a83c1ef58f6120239e224 c:\WINDOWS\system32\syste9.dll
caf0a8a50c71ae2cabc03e9bb1745e41 c:\WINDOWS\system32\system.exe
caf0a8a50c71ae2cabc03e9bb1745e41 c:\system.exe

HOSTS file anomalies

The Dropped modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted.
The modified file is 3957 bytes in size. The following entries are added to the hosts file:

222.189.239.213 www.hao123.com
222.189.239.213 ma.baidu.com
222.189.239.213 www.4399.com
222.189.239.213 www.9348.cn
222.189.239.213 www.7k7k.com
222.189.239.213 www.kaixin001.com
222.189.239.213 www.readnovel.com
222.189.239.213 www.7999.com
222.189.239.213 www.zhaodao123.com
222.189.239.213 www.2345.com
222.189.239.213 hao.360.cn
222.189.239.213 www.xunlei.com
222.189.239.213 www.dd360.com
222.189.239.213 hao123.com
222.189.239.213 www.265.com
222.189.239.213 www.1616.net
222.189.239.213 www.qqjia.com
222.189.239.213 www.9ku.com
222.189.239.213 www.zhulang.com
222.189.239.213 www.51mole.com
222.189.239.213 xiaonei.com
222.189.239.213 www.duowan.com
222.189.239.213 www.cococ.com
222.189.239.213 www.i4455.com
222.189.239.213 www.hao123.cn
222.189.239.213 www.5566.net
222.189.239.213 www.9991.com
222.189.239.213 text-ad.qvod.com
222.189.239.213 abc.qq.com
222.189.239.213 site.baidu,com
222.189.239.213 www.kuku123.com
222.189.239.213 www.v2233.com
222.189.239.213 www.hao222.com
222.189.239.213 www.go2000.cn
222.189.239.213 www.163.com
222.189.239.213 www.sina.com
222.189.239.213 www.sina.com.cn
222.189.239.213 www.sohu.com
222.189.239.213 www.kk8000.com
222.189.239.213 www.th123.com
222.189.239.213 www.tt98.com
222.189.239.213 www.1166.com
222.189.239.213 www.6700.cn
222.189.239.213 www.7345.com
222.189.239.213 daohang.google.cn
222.189.239.213 www.369.com
222.189.239.213 www.haokan123.com
222.189.239.213 www.qq5.com
222.189.239.213 www.568.com
222.189.238.40 mag.xunlei.com
222.189.238.40 www.yxnpc.com
222.189.238.40 bbs1.qq.com
222.189.238.40 www2.im.alisoft.com
222.189.238.40 minigame.qq.com
222.189.238.40 ic.qzone.qq.com
222.189.238.40 adsview.qq.com
222.189.238.40 adsfile.qq.com
222.189.238.40 adsclick.qq.com
222.189.238.40 music.qq.com
222.189.238.40 hallcenter.ourgame.com
222.189.238.40 minix.soso.com
222.189.239.213 www.97398.com
222.189.239.213 www.7241.cn
222.189.239.213 www.365j.com
222.189.239.213 www.1188.com
222.189.239.213 www.114la.com
222.189.239.213 www.1122.com
222.189.239.213 www.265h.com
222.189.239.213 www.9223.com
222.189.239.213 5snow.com
222.189.239.213 www.hao123.net
222.189.239.213 www.kz189.com
222.189.239.213 www.537.com
222.189.239.213 www.930930.com
222.189.239.213 www.6655.com
222.189.239.213 www.6661.net
222.189.239.213 vid.atm.youku.com
222.189.239.213 sina.allyes.com
222.189.239.213 freeadp.tensynad.com
222.189.239.213 sohu.ad-plus.cn
222.189.239.213 cknum.sandai.net
222.189.239.213 123.sogou.com
222.189.239.213 www.9249.com
222.189.239.213 www.4135.com
222.189.239.213 www.8420.cn
222.189.239.213 www.go2000.com
222.189.239.213 www.99499.com
222.189.239.213 www.i8866.com
222.189.239.213 www.hh361.com
222.189.239.213 daohang.118114.cn
222.189.239.213 www.7241.cn
222.189.239.213 www.5060.cn
222.189.239.213 www.37021.com
222.189.239.213 www.521521.com
222.189.239.213 www.jjol.cn
222.189.239.213 www.baimin.com
222.189.239.213 www.wu123.com
222.189.239.213 www.200.net
222.189.239.213 ring.kugou.com
222.189.239.213 image5.kugou.com
222.189.239.213 links.kugoo.com
222.189.239.213 comment.ku6.com


Rootkit activity

The Dropped installs the following kernel-mode hooks:

ZwCreateProcessEx

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: Microsoft(R) Windows(R) Operating System
Product Version: 6.00.3790.0
Legal Copyright: (C) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.3790.0 (srv03_rtm.030324-2048)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 36724 36864 4.58776 73496f9f311f72c1541cbbb3b311f2d4
.data 40960 7148 1024 2.94452 b67e6b028734fe3692a3080d8ebfe3b1
.rsrc 49152 1679360 1678336 5.54194 3b9c0a608ee4b9e024c5e23643412a65

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://b2.st.dns.kuaibo.com/qd.jpg
hxxp://b2.st.dns.kuaibo.com/QvodSetupPlus5_5.0.72_for_35.exe
hxxp://qd.qvod.com/QvodSetupPlus5_5.0.72_for_35.exe 115.231.216.36
hxxp://update.qvod.com/qd.jpg 115.231.216.36
agent.qvod.com 222.186.3.142
stun.qvod.com 115.231.216.13
track.qvod.com 222.186.3.165


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE QVOD Related Spyware/Malware User-Agent (Qvod)

Traffic

GET /qd.jpg HTTP/1.1
Accept: application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: QvodDown
Host: update.qvod.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 16 Aug 2016 17:36:25 GMT
Content-Type: image/jpeg
Content-Length: 144
Connection: keep-alive
Server: nginx
Last-Modified: Tue, 06 Sep 2011 11:14:58 GMT
ETag: "4e6600b2-90"
Accept-Ranges: bytes
[QVODDOWN]..Name=QvodSetupPlus.exe..Hash=14109F1A7EDB0375DB868071287D1
9C0D1EDFA45..Httpurl=hXXp://qd.qvod.com/QvodSetupPlus5_5.0.72_for_35.e
xe....


GET /QvodSetupPlus5_5.0.72_for_35.exe HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: qd.qvod.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 16 Aug 2016 17:36:27 GMT
Content-Type: application/octet-stream
Content-Length: 28536664
Connection: keep-alive
Server: nginx
Last-Modified: Tue, 06 Sep 2011 10:48:50 GMT
ETag: "4e65fa92-1b36f58"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1H..u)..u)..
u)...&..w)..u)...)...&..d)...6...).../..t)..Richu)..........PE..L.....
:J.................\...........2.......p....@.........................
[email protected]........
...W...............................................................p..
.............................text....[.......\.................. ..`.r
data.......p.......`..............@[email protected]..........
[email protected]...@[email protected]
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..>[email protected].>[email protected]
...Pr@..}..e..9}[email protected]........ M............U....M....3..
.3..FQ......3..NU.....M..........VT..U.....FP..E...............E.P.M..
[email protected]@..u....E..9}[email protected].}.j
[email protected]@[email protected] ...Pj.h.6B.W..Xr@.
.u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.
;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F..

<<< skipped >>>

The Dropped connects to the servers at the following location(s):

Rundll32.exe_1952:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.
3Another instance of the file %s is already running.
/An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

minibrowser.exe_1908:

.text
`.rdata
@.data
.rsrc
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
RegisterHotKey
UnregisterHotKey
USER32.dll
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
targeturl
hXXp://sns.178bfg.com/minibrowser.php?url=
%s - %s
if [email protected]
1, 0, 0, 1
minibrowser.EXE
Minibrowser.Document
VVV.google.cn

QvodSetupPlus3.exe_936:

`.rsrc
.tTPV
u.hH.C
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
portuguese-brazilian
GET /%s HTTP/1.1
Accept: application/vnd.ms-powerpoint, application/msword, */*
Host: %s
%s (%s)
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
%s %.2f GB
%s %.2f MB
%s %I64d KB
%s %I64d Byte
Httpurl
hXXp://update.qvod.com/qd.jpg
%s\qd.ini
%s\%s
%s_1.%s
QvodSetupPlus.exe
hXXp://
QVODd2I64X
tcp connecting limit is %d
\drivers\tcpip.sys
stun01.sipphone.com
stun.qvod.com
61.139.219.200
track.qvod.com
TCP Port
61.139.219.203
221.194.134.216
agent.qvod.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Range: bytes=%u-
Port Restricted Nat
, random port
, preserves ports
PWindowsFirewallAppIsEnabled failed: 0xlx
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
controlURL
URLBase
HTTP/1.1
s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">
xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"
AddPortMapping
NewPortMappingDescription
NewInternalPort
NewExternalPort
DeletePortMapping
External NAT port in use
External NAT port in use: Too many retries
Port mapping not owned by this class
Error getting StaticPortMappingCollection
problem parsing Password
Password =
ipv6 not supported
HMAC with password:
Encoding Password:
About to send msg of len
Some problem opening port/interface to send on
POST /service HTTP/1.1
Content-Length: %d
Host: %s:%d
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
127.0.0.1
recv %d
Opened port
Port
for receiving UDP is in use
Could not bind UDP receive port
Could not create a UDP socket:
err EAFNOSUPPORT in send
zcÁ
%Program Files%\
\QvodSetupPlus3.exe
GetCPInfo
.text
`.rdata
@.data
.rsrc
@.MNe|
version="5.1.0.0"
name="test.exe"/>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
ole32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WS2_32.dll
.torrent
: %d K/S
%s ...
%s...
3, 0, 0, 0
QvodInstall.exe

QvodSetupPlus3.exe_936_rwx_00401000_0004A000:

.tTPV
u.hH.C
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
portuguese-brazilian
GET /%s HTTP/1.1
Accept: application/vnd.ms-powerpoint, application/msword, */*
Host: %s
%s (%s)
Floating point (%%e, %%f, %%g, and %%G) is not supported by the WTL::CString class.
%s %.2f GB
%s %.2f MB
%s %I64d KB
%s %I64d Byte
Httpurl
hXXp://update.qvod.com/qd.jpg
%s\qd.ini
%s\%s
%s_1.%s
QvodSetupPlus.exe
hXXp://
QVODd2I64X
tcp connecting limit is %d
\drivers\tcpip.sys
stun01.sipphone.com
stun.qvod.com
61.139.219.200
track.qvod.com
TCP Port
61.139.219.203
221.194.134.216
agent.qvod.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Range: bytes=%u-
Port Restricted Nat
, random port
, preserves ports
PWindowsFirewallAppIsEnabled failed: 0xlx
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
controlURL
URLBase
HTTP/1.1
s:encodingStyle="hXXp://schemas.xmlsoap.org/soap/encoding/">
xmlns:s="hXXp://schemas.xmlsoap.org/soap/envelope/"
AddPortMapping
NewPortMappingDescription
NewInternalPort
NewExternalPort
DeletePortMapping
External NAT port in use
External NAT port in use: Too many retries
Port mapping not owned by this class
Error getting StaticPortMappingCollection
problem parsing Password
Password =
ipv6 not supported
HMAC with password:
Encoding Password:
About to send msg of len
Some problem opening port/interface to send on
POST /service HTTP/1.1
Content-Length: %d
Host: %s:%d
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)
127.0.0.1
recv %d
Opened port
Port
for receiving UDP is in use
Could not bind UDP receive port
Could not create a UDP socket:
err EAFNOSUPPORT in send
zcÁ
%Program Files%\
\QvodSetupPlus3.exe
GetCPInfo
.text
`.rdata
@.data
.rsrc
.torrent
: %d K/S
%s ...
%s...


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    QVODÖØ~1.EXE:1756
    regsvr32.exe:1136
    Rundll32.exe:320
    Rundll32.exe:1952
    minibrowser.exe:1908
    x5s32.exe:368
    %original file name%.exe:1832

  3. Delete the original Dropped file.
  4. Delete or disinfect the following files created/modified by the Dropped:

    %System%\syste9.dll (35 bytes)
    %Program Files%\2c109a7d17.dat (294 bytes)
    %System%\8aa20ab617.dat (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (144 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\QvodSetupPlus.exe.!qd (1740037 bytes)
    %System%\drivers\Drver.sys (6 bytes)
    C:\Driver.sys (5 bytes)
    %System%\syste2.dll (11 bytes)
    C:\AutoRun.vbs (109 bytes)
    C:\system.exe (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\474953.tmp (4545 bytes)
    C:\AutoRun.inf (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPINGDQB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5NTS3QTJ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\INL042XV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W0B1UWYR\desktop.ini (67 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\Msvcp71.dll (13536 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\SocketModule.dll (16 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\È¤ÍæÍø.lnk (1 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\logo.ico (29 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\images\loading-s.gif (13 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\QvodSetupPlus3.exe (3785 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\DownLoad.dll (20 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\SkinControls.dll (6559 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\Mfc71.dll (21237 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\È¤ÍæÓÎÏ·\È¤ÍæÓÎÏ·.url (49 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\È¤ÍæÓÎÏ·\È¤ÍæÓÎÏ·.lnk (1 bytes)
    %System%\drivers\etc\hosts (3 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\qvod.dll (15756 bytes)
    %System%\qvod.dll (4185 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\hosts (3 bytes)
    %Documents and Settings%\%current user%\Desktop\È¤ÍæÍø.lnk (1 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\images\bg.jpg (492 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\images\platformbg.jpg (1 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\offlinel.html (518 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\offline.html (469 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\images\loading.gif (16 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\17Wan.exe (15305 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\Msvcr71.dll (8763 bytes)
    %Documents and Settings%\%current user%\Desktop\È¤ÍæÓÎÏ·.lnk (1 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\minibrowser.exe (1574 bytes)
    %Program Files%\È¤ÍæÓÎÏ·\ComService.dll (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\x5s32.exe (23546 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\QVODÖØ~1.EXE (1568 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

  6. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  7. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  8. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
