Gen.Variant.Kazy.723308_0cb533e444

by malwarelabrobot on November 17th, 2015 in Malware Descriptions.

Trojan.Win32.Llac.kdqo (Kaspersky), Gen:Variant.Kazy.723308 (AdAware), Trojan.NSIS.StartPage.FD, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 0cb533e444832fc669b44d737bbd025b
SHA1: fa09e8f514b92a0c27e00605f059d5e0d1f08631
SHA256: 587d4872d90945da2707838dcd454c32268f9431ab28f48c7792313472ba7927
SSDeep: 98304:isQVdfnIlbHlkM07BJ aPNUNL2PNBjsAZjHu7:LsIlbHlkD7DPONL2NZu
Size: 3553792 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-10-14 08:50:27
Analyzed on: WindowsXP SP3 32-bit


Summary:

A Trojan-Dropper is a Trojan program intended for the covert installation of other software onto the user's system.

In this sample the outer file is an IExpress/wextract self-extracting cabinet: its version resource is that of Microsoft's WEXTRACT.EXE (Win32 Cabinet Self-Extractor, 11.00.9600.16428) and the .rsrc section holds nearly all of the 3.5 MB file, yet no Authenticode certificate is present. At run time it extracts 64bit.exe and YOUTUB~1.EXE into %Temp%\IXP000.TMP and launches the latter, a Nullsoft (NSIS v2.39) installer titled "YouTube Downloader 2.5.3" whose manifest requests requireAdministrator. No network traffic was observed in the sandbox.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1516
YOUTUB~1.EXE:128

The Trojan injects its code into the following process(es):

No code injection has been detected.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\64bit.exe (7960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\YOUTUB~1.EXE (49498 bytes)

The process YOUTUB~1.EXE:128 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Dealio_install.bmp (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\ioSpecial.ini (4681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\InstallOptions.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\modern-wizard.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (7382 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 7B 06 73 96 2E 30 57 95 09 6A 97 E8 67 3E C3"

The process also writes the following RunOnce value. This is the standard IExpress/wextract cleanup hook (compare the strings wextract_cleanup%d and rundll32.exe %sadvpack.dll,DelNodeRunDLL32 further down): at the next boot rundll32 calls advpack.dll!DelNodeRunDLL32 to delete the IXP000.TMP extraction directory, and the value removes itself. It does not point at the Trojan's own file and is not a persistence mechanism, but it does mean the dropped files disappear after a reboot, so preserve that directory before restarting the machine:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process YOUTUB~1.EXE:128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 9C 7D D4 FB 45 B9 F3 C6 9B 40 4C 6E 76 EE 74"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
f447db340c60e3727da66328ed090e6e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\64bit.exe
875bae6178eae1bc15e80497017a79e3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\YOUTUB~1.EXE
271b5d1043c4402f08ddeae383f6979c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn3.tmp\InstallOptions.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: Internet Explorer
Product Version: 11.00.9600.16428
Legal Copyright: (c) Microsoft Corporation. All rights reserved.
Legal Trademarks:
Original Filename: WEXTRACT.EXE .MUI
Internal Name: Wextract
File Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 26060 26112 4.42567 e9bf1a1e456a9a811b1b86e6602e3636
.data 32768 6796 1024 2.20139 317f8a934ee443eee01c2a315bde9ca1
.idata 40960 4216 4608 3.49941 d8675ba112ef922c6057a02546757a1a
.rsrc 49152 3515739 3515904 5.54165 a9deef2e42b8405da9f1f19f5763db4f
.reloc 3567616 5038 5120 2.58043 83de2f9b2c95be6fea06bced7e8a058e
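The combination seen in this report, a version resource copied from Microsoft's WEXTRACT.EXE, no certificate, and a .rsrc section holding almost the entire file, can be checked from the PE headers alone. The following added example (this editor's code, not Lavasoft's tooling) parses the COFF and optional headers and the section table with the standard library, reports whether the security data directory (IMAGE_DIRECTORY_ENTRY_SECURITY, where an Authenticode blob is attached) is populated, and measures how much of the section data sits in .rsrc. Because the sample itself is not available here, the block also builds a header-only PE32 image from the section table above; that constructed image, the build_pe helper and the 90% resource threshold are assumptions of the example, and a populated security directory only shows that a signature is attached, not that it verifies.

```python
import struct
from typing import Dict, List, NamedTuple, Tuple


class Section(NamedTuple):
    name: str
    vaddr: int      # VirtualAddress
    vsize: int      # VirtualSize
    raw_size: int   # SizeOfRawData


def parse_pe(data: bytes) -> Tuple[int, List[Section]]:
    """Return (size of IMAGE_DIRECTORY_ENTRY_SECURITY, section headers) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # NumberOfRvaAndSizes sits at 92 (PE32) / 108 (PE32+); the directories start 4 bytes later.
    dd_off = opt + (96 if magic == 0x10B else 112)
    num_dirs = struct.unpack_from("<I", data, dd_off - 4)[0]
    security_size = 0
    if num_dirs > 4:  # entry 4 = SECURITY; its "VirtualAddress" is a raw file offset
        _sec_off, security_size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        name, vsize, vaddr, raw_size = struct.unpack_from("<8sIII", data, table + i * 40)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, raw_size))
    return security_size, sections


def assess(data: bytes, company_name: str = "") -> Dict[str, object]:
    """Three cheap header checks; company_name comes from the version resource (here: the report)."""
    security_size, sections = parse_pe(data)
    raw_total = sum(s.raw_size for s in sections) or 1
    rsrc = sum(s.raw_size for s in sections if s.name == ".rsrc")
    signed = security_size > 0   # a WIN_CERTIFICATE blob is attached; validity still needs WinVerifyTrust/signtool
    findings: List[str] = []
    if not signed:
        findings.append("no Authenticode signature: security data directory is empty")
        if "microsoft" in company_name.lower():
            findings.append("version resource claims %r but the file is unsigned" % company_name)
    if rsrc / raw_total > 0.9:   # threshold assumed for this example
        findings.append(".rsrc holds %.1f%% of section data: consistent with a self-extractor "
                        "whose payload is stored in resources" % (100.0 * rsrc / raw_total))
    return {"signed": signed, "rsrc_fraction": rsrc / raw_total, "sections": sections, "findings": findings}


def build_pe(sections: List[Section], security_size: int = 0) -> bytes:
    """Constructed header-only PE32 image (no section data) for offline testing."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 96 + 16 * 8                      # PE32 optional header with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 92, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, 0, security_size)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode("ascii").ljust(8, b"\0"),
                    s.vsize, s.vaddr, s.raw_size, 0, 0, 0, 0, 0, 0)
        for s in sections
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Section table as listed in this report (Name, Virtual Address, Virtual Size, Raw Size).
REPORTED_SECTIONS = [
    Section(".text", 4096, 26060, 26112),
    Section(".data", 32768, 6796, 1024),
    Section(".idata", 40960, 4216, 4608),
    Section(".rsrc", 49152, 3515739, 3515904),
    Section(".reloc", 3567616, 5038, 5120),
]

if __name__ == "__main__":
    result = assess(build_pe(REPORTED_SECTIONS), company_name="Microsoft Corporation")
    for finding in result["findings"]:
        print("-", finding)
```

On a real file call assess(open(path, "rb").read(), company_name) with the CompanyName taken from the version resource. The raw sizes above sum to 3,552,768 bytes; with 1,024 bytes of headers that is exactly the 3,553,792-byte file size the report lists, so the payload cabinet accounts for about 99% of the sample.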

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

Strings extracted from the process memory dumps, per process (the sandbox recorded no server connections):

%original file name%.exe_1516:

.text
`.data
.idata
@.rsrc
@.reloc
Invalid parameter passed to C runtime function.
advapi32.dll
setupx.dll
setupapi.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
ADMQCMD
USRQCMD
FINISHMSG
IXPd.TMP
msdownld.tmp
TMP4351$.TMP
wextract.pdb
PSSSSSSh
SSSh<
PSSShp
PSShp
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
Command.com /c %s
rundll32.exe %s,InstallHinfSection %s 128 %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
%s /D:%s
PendingFileRenameOperations
SHELL32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
RegCreateKeyExA
RegOpenKeyExA
RegQueryInfoKeyA
RegCloseKey
ADVAPI32.dll
GetWindowsDirectoryA
KERNEL32.dll
GDI32.dll
ExitWindowsEx
MsgWaitForMultipleObjects
USER32.dll
_amsg_exit
_acmdln
msvcrt.dll
COMCTL32.dll
Cabinet.dll
VERSION.dll
)-.Yln
YOUTUB~1.EXE
64bit.exe
 .Ake
.IQMThV
J@:'%S
zMu.BF
59^".);,)
|.Ti h
cwC*WX.ad)
v.NR2
x.Ija
i.wJ4
NgT%sT
a_BÉ
%F K.
?/.ZQW
-.NANq
Z7.vH
\.tC;
sJ3A%s
J%XxBs
k.Ac=
D.mj:
l%CP6Y
m6=%s
<%uS9r7G
(h.hz
%5u*F
).aXX
O<.fk
V(.cp
.Eug^"
Lb%sh
84%UQ
9=.Ul
S.sB]
p:.cNO
]s.`A
%xTm5
Md.HJ
}X[%c
$t{k%s
%CkbP
.cJ.[
U.rmu0
O.WXwV
%D]H4
P.IX^
jG.wD2@
A.NW%>
.bqlT
.tuC8
/q{%u
K.Mb3
keY2u
-rr}J
9?j.dV
.JhB{
÷#rd
.tXuh?
yM.FN
Tu.qb
.oZk]4%
.wg//
6h: P.BLIp
N0P.qi
f%cjW
ovi%D
a.Pxr
=m$%D
b{.ra|
%ci!ktK
.ystb
3.RHp
P.GKNt
ZO.HE
=SQlNI
K.pX@(
Pkd%XB
G2.Qx
P:.mwx4
I.Vm}
d-j}~
%U;uU
iQ%XW
>t%SG5
.cNCV
qzG%DX
|B.WP5R
p=N%D
@o.mZ
$9.MA;1
2.YSR}
wûY
9-oE}
%s;st
%SClg
AA.fF
2|.pGu
x<<z.uPQ
l.msW
0%Cj[
>`.Dw
D?.AJ
"I:4x.kZ
x-STg}
aV#.Dd
.mu^[
VpY.qg*
YK.dN
E.vAL
^h<.JRX
Vs47.KBZ
.IbW>
@^n<5sX%D
^zE%Ct
 ,5L
H.vA%>h
TMuRL`5
EC`%UG
.jaF:H
j .bB
\*Y%U
XY.fb
%s7N,
*D%x$X
X!%x)?
x.Aa$
Tj&.Me
c0-I}
weBE5{
#".krzN
.TTSv
4%FUy)
haÊ
,;%F&
y0%FY
Ö).e
xs.Dp
%DubL
3.rJr_
.gbYs,
%Dg(k
#.rFB
Kvn.aCc
e%S~~~
;=fTp,L
o.Nm:
D\{.iY
 %D|d
8%F_`
*S%xOqYz`
%xLAr
5u.wB
G%fj0
k.FfgH%^
:.qH=
1g}%s
>%c}<
yNJ.EZ
W`@%Sw
x.hLc
i%XSs
%UAiv
3.oY/3H] q,
2;.UYs
.bHHV
Zo.jG4
ui.iT0
5h8.kVU
I\.PN
{z9
/4%0u;
rb7^.mD
h.RZ`
3.Lmz-
/.Frc
#.nEg
>FC.Ju
Q.ZMz2J(E
y[.taL
fTP{7
~#.Ac&
<8%xy
d^R.P%f
VWEb
4A.hs8^
(v.Rae
dZ.Tj
#jz%D 
Rzs47%f
[DQs.Ab
p.zrVN:)
%d}D;#
yQ.JA
oKW%4s
gSyR%Ci
)Ë;
*u.Vku
kT.IN_{
bþ"
(G%Sg
}PiÛ
I.mH=
o.Ac%
5j.fUN
%Csfj
.nvB*
.kW\.
6U.to
F%FXG
0.ZRU/7
Jq%C}3
2iÝ
<m%So
":.wi7
.NNo#
%d E*
.vDYO
:HT5%s
.OT<l|2.
"SSh*)j
za_.pT=zbly
m\i3%S
L.zuq
Y.iViC
u.dKl
#v^=.Ub
ÀY;
9Z$%F
1%X0f
.AZ2&6
^=.gqO
&%S8Q
m.QEo
/8.lZ
O.zx'
yD.pITv?y
.rml03
p{yq.fR
V8.OEw
Zxq.Dr!S
.skan
j.Gs&
.iHfE
%Cu i ^M
nb.Il)
zÚ"
.ekR{
.XzM&g
n.JW4
%S3 n
3.RT 
XKeyg
rcq~.WB}
&.Omu
[ro
.qAj%
H e3%U
lmw%F
lxs%C
Nk4(%S
a~].fu
.jNBe
'.reH
|:>%s
.qv4`
m0X%Q6%dzM
E%fSK
v%c`h
qDv`mh.fhBlso` ,
35
%U1sems
x)Ma.TDL
B.BJc
(tCp;o
RG.Dk
4y.Iw
.fr~S
h.WGI
`.dC#i
GrZo%U
p.aFqsf
c'zpK.Da
EmSGv
d:hP~l%F
g.mjH
q.TGc
.Fmg<=
.ci~d
W.bKd
C~LMÄ*OWl
[.fZP#
WtCp
%&.Jg
.deI n
$%SIt
.efY)
2.a%s
OBv.Su
KcMd>
,Q.ohBEf
;.wyw
D%Fm=
.etCoz
~'.Dk_C
.bLSs
s =.Og
][m%F
rW.Ol?
w .rAm
<assemblyIdentity version="5.1.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
Kernel32.dll
Please read the following license agreement. Press the PAGE DOWN key to see the rest of the agreement.
CFailed to get disk space information from: %s.
System Message: %s.&A required resource cannot be located. Are you sure you want to cancel?
8Unable to retrieve operating system version information.!Memory allocation request failed.
Filetable full.Ên not change to destination folder.
Setup could not find a drive with %s KB free disk space to install the program. Please free up some space first and press RETRY or press CANCEL to exit setup.KThat folder is invalid. Please make sure the folder exists and is writable.IYou must specify a folder with fully qualified pathname or choose Cancel.KKan geen informatie krijgen over schijfruimte van: %s.
Systeemmelding: %s.#Kan een benodigde bron niet vinden."Weet u zeker dat u wilt annuleren?
Setup kan geen station vinden met %s kB beschikbare schijfruimte om het programma te installeren. Maak schijfruimte vrij en probeer het opnieuw of annuleer de installatie.QDe map is ongeldig. Controleer of de map bestaat en of deze niet alleen-lezen is.DU moet een map met een volledig pad opgeven of op Annuleren klikken.
!Could not update folder edit box.5Could not load functions required for browser dialog.7Could not load Shell32.dll required for browser dialog.
(Error creating process <%s>. Reason: %s1The cluster size in this system is not supported.,A required resource appears to be corrupted.QWindows 95 or Windows NT 4.0 Beta 2 or greater is required for this installation.
Error loading %shGetProcAddress() failed on function '%s'. Possible reason: incorrect version of advpack.dll being used./Windows 95 or Windows NT is required to install
Could not create folder '%s'
To install this program, you need %s KB disk space on drive %s. It is recommended that you free up the required disk space before you continue.
-Kan het invoervak voor de map niet bijwerken.KKan de functies die vereist zijn voor het bladerdialoogvenster, niet laden.UKan het bestand Shell32.dll dat vereist is voor het bladerdialoogvenster, niet laden.
-Fout bij het maken van proces <%s>. Reden: %s8De clustergrootte in dit systeem wordt niet ondersteund. Een vereiste bron lijkt beschadigd te zijn.^Voor deze installatie is Windows 95 of Windows NT 4.0 B
Fout bij het laden van %s.uGetProcAddress() is mislukt bij functie %s. Mogelijke reden: er wordt een incorrecte versie van advpack.dll gebruikt.7Voor de installatie is Windows 95 of Windows NT vereist
Kan de map %s niet maken.
U hebt %s kB schijfruimte nodig op station %s om het programma te installeren. Het wordt aanbevolen de benodigde schijfruimte vrij te maken voordat u verdergaat.
Error retrieving Windows folder
$NT Shutdown: OpenProcessToken error.)NT Shutdown: AdjustTokenPrivileges error.!NT Shutdown: ExitWindowsEx error.}Extracting file failed. It is most likely caused by low memory (low disk space for swapping file) or corrupted Cabinet file.aThe setup program could not retrieve the volume information for drive (%s) .
System message: %s.xSetup could not find a drive with %s KB free disk space to install the program. Please free up some space and try again.eThe installation program appears to be damaged or corrupted. Contact the vendor of this application.
$Fout bij het ophalen van Windows-map
 NT wordt afgesloten: OpenProcessToken-fout.0NT wordt afgesloten: AdjustTokenPrivileges-fout.(NT wordt afgesloten: ExitWindowsEx-fout.
Het uitpakken van het bestand is mislukt. Waarschijnlijk door gebrek aan geheugen (te weinig schijfruimte voor wisselbestand) of beschadigd CAB-bestand.bHet installatieprogramma kan de volumegegevens voor station (%s) niet ophalen.
Systeembericht: %s.
Setup kan geen station vinden met %s kB vrije schijfruimte voor de installatie van het programma. Maak schijfruimte vrij en probeer het opnieuw.\Het installatieprogramma is beschadigd. Neem contact op met de verkoper van deze toepassing.
/C:<Cmd> -- Override Install Command defined by author.
eAnother copy of the '%s' package is already running on your system. Do you want to run another copy?
Could not find the file: %s.
jEr wordt al een exemplaar van het pakket %s op de computer uitgevoerd. Wilt u een extra exemplaar starten?
Kan het bestand %s niet vinden.
:The folder '%s' does not exist. Do you want to create it?hAnother copy of the '%s' package is already running on your system. You can only run one copy at a time.OThe '%s' package is not compatible with the version of Windows you are running.SThe '%s' package is not compatible with the version of the file: %s on your system.
.De map %s bestaat niet. Wilt u deze map maken?hHet pakket %s is al op het systeem ge
n exemplaar tegelijkertijd gebruiken.FHet pakket %s is niet compatibel met de Windows-versie die u gebruikt.QHet pakket %s is niet compatibel met de versie van het bestand %s op de computer.
11.00.9600.16428 (winblue_gdr.131013-1700)
WEXTRACT.EXE .MUI
11.00.9600.16428

YOUTUB~1.EXE_128:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp\InstallOptions.dll
Tube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp\InstallOptions.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp
installation of YouTube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
COMDLG32.DLL
FC:\Windows\system32\stdole2.tlb
%Program Files%\Microsoft Visual Studio\VB98\Flash9f.oca
frmLogin
modExecCmd
modGetHTMLFromURL
modURLEncoding
%Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
cmdOk
lblURL
shell32.dll
VBA6.DLL
&cmdCancel
txtPassword
LoginSucceeded
Password
Comctl32.dll
LxcmdAbort
C:\Windows\system32\MSVBVM60.DLL\3
%Program Files%\Microsoft Visual Studio\VB98\MSCOMCTL.oca
advapi32.dll
shdocvw.dll
wininet.dll
InternetOpenUrlA
OWebBrowser1
SC:\Windows\system32\ieframe.oca
cmdPlayVideo
cmdDownloadOptions
txtURL
lblWebLink
cmdShowFiles
cmdPickFile
cmdDownloadFolder
@.reloc
comdlg32.dll
InstallOptions.dll
PASSWORD
Field %d
All Files|*.*
O%D=s
YouTube Downloader 2.5.3 Setup
nsn3.tmp
his wizard will guide you through the installation of YouTube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\YOUTUB~1.EXE
%Program Files%\YouTube Downloader
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
YOUTUB~1.EXE
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
1114414
ard will guide you through the installation of YouTube Downloader 2.5.3.\r\n\r\nIt is recommended that you close all other applications before starting Setup. This will make it possible to update relevant system files without having to reboot your computer.\r\n\r\nClick Next to continue.
1074398204
1441914
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.39</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo></assembly>
.CommonDialog
.VBError
.clsAnimControl
comctl32.dll
Show video file URL
hXXp://youtubedownload.altervista.org/notifier.htm
<!-- URL=
hXXp://youtubedownload.altervista.org/
See hXXp://youtubedownload.altervista.org for details on what's new in this version.
Flv Files (*.flv)|*.flv|Mp3 Files (*.mp3)|*.mp3|Mp4 Files (*.mp4)|*.mp4|Mov Files (*.mov)|*.mov|Avi Files (*.avi)|*.avi|All Files (*.*)|*.*
Enter video URL
Enter video URL!
hXXp://
explorer.exe
Unable get html from url
youtube.com
Do you want Login to access your account ?
hXXps://VVV.google.com/accounts/ServiceLoginAuth?service=youtube
hXXp://VVV.youtube.com/signin?action_handle_signin=true&hl=en_US&next=
hXXp://VVV.youtube.com/verify_age?next_url=/watch?v=
hXXp://VVV.youtube.com/?action_logout=1
Sorry, your login was incorrect
The username or password you entered is incorrect
Sorry, your login was incorrect.
The url contained a malformed video id
The url contained a malformed video id.
hXXp://...
otherwise Cancel to terminate the operation.
Remote file URL:
Passwd
This can be caused by an unsupported combination of parameters
or by a missing or unsupported codec.
Windows Media Video (V.7 WMV)
ffmpeg -i %1 -s 320x240 -r 14 -b 50 -ar 22050 -ab 56 -ac 1 %1.mov
%1.xxx = Output file (.xxx the format to convert!)
\Help.hlp
Primeport
All (*.*)| *.*
2.5.3
hXXp://youtubedownload.altervista.org
Enter Password
\Gears.avi
hXXp://VVV.youtube.com/get_video?video_id=


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1516
    YOUTUB~1.EXE:128

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\64bit.exe (7960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\YOUTUB~1.EXE (49498 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\Dealio_install.bmp (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\ioSpecial.ini (4681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\InstallOptions.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp\modern-wizard.bmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2.tmp (7382 bytes)

  4. Delete the following RunOnce value, which is the self-extractor's cleanup hook rather than a persistence entry, and remove the IXP000.TMP directory it references (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
