Gen.Variant.Symmi.45193_1cced3bedb

by malwarelabrobot on June 18th, 2015 in Malware Descriptions.

Gen:Variant.Symmi.45193 (B) (Emsisoft), Gen:Variant.Symmi.45193 (AdAware), Trojan.Win32.BHO.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1cced3bedb67aa3f0c25c29b3ee548cc
SHA1: ff4be4534e7aebb781c8321442fc77e15311aaab
SHA256: ae70cdc9ff5eed54795b884da3de4de70a2343ffd67e0e26a9f97b8fc6f57b78
SSDeep: 49152:YnVvmL/kK/vnuX0iky0a9sNJrDuiJbfBk9O2:Ye/9ik95GUBu
Size: 1748277 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualCv71EXE, MicrosoftVisualCv70, UPolyXv05_v6
Company: no certificate found
Created at: 2007-03-19 09:14:11
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour   Description
EmailWorm   Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:464

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (1472 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\{3550C75F-CFFD-4222-B875-0B0B1FE28513}\_extra\wheeeee.swf (69236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (0 bytes)

Registry activity

The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\BRiGHTSTAR\Untitled\V1.0\Settings]
"Options" = "31 00 00 00 46 00 6F 00 73 00 74 00 65 00 72 00"

"crc" = "20 4B 34 C2 47 31 15 25 0C E6 C1 E0 35 C2 55 4C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 BB 5C 92 94 2B 99 85 F7 8A 6D 62 05 FB 30 03"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web nodes with no dots in their names, which do not refer to any zone, to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: BRiGHTSTAR
Product Name: HD Player
Product Version: 1.0
Legal Copyright:
Legal Trademarks:
Original Filename: Untitled.exe
Internal Name: Untitled
File Version: 1.0
File Description:
Comments:
Language: Russian (Russia)

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text    4096             757138        757760    4.62074  0c7c21bdcb0f9fbcaaff99a35fdd1ab0
.rdata   761856           157774        159744    3.8446   86b146131f2b9dbb4ba44d8e74bd4ce5
.data    921600           59268         24576     2.88194  8b1015905deab19b04b0e25c3f2370fe
.rsrc    983040           120288        122880    3.55226  c7e020c18441a0b29a0ebe5b7485514b
.!rdata  1105920          135168        135168    0.29214  7ea6b83e1da96949817025ff711cabc7

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://cartoonnetwork.com/crossdomain.xml
hxxp://www.cartoonnetwork.com/crossdomain.xml 157.166.239.102


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Outdated Windows Flash Version IE

Traffic

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cartoonnetwork.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 17 Jun 2015 08:38:03 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: CG=UA:07:Kharkov; path=/
Last-Modified: Tue, 22 Jul 2014 15:44:53 GMT
Cache-Control: max-age=600
Expires: Wed, 17 Jun 2015 08:40:44 GMT
X-Cache-Status: HIT
Content-Encoding: gzip

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_464:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (1472 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\{3550C75F-CFFD-4222-B875-0B0B1FE28513}\_extra\wheeeee.swf (69236 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
