MD5: 5f5e43d70852ab93f0762e4a13fc891c
SHA1: b8fe58ad34d8aafe98950715956b702c80e91c1b
SHA256: 29cd5ae1fab2acbaa25cd17bd0d4eb259bf16bf11fd88393c60fdf419d1cd319
SSDeep: 24576:1D iF7WJM0k3vJ9/Vojs8rWe b4lqD97kojnXkiqwgt6pR1RyUzpApQqLD8T3a:11ySp3zew8h Ao7rLXE83RyULqLD8O
Size: 2064384 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2013-04-25 08:03:26
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan-PSW. Trojan program intended for stealing users passwords.

Payload

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:800

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST23GP6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXY3KHQB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VPB7R0AS\getimage[1].jpg (2144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9R60NKE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VPB7R0AS\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 5D 67 2C 55 3A AF 37 35 71 10 FB 1E DA 73 D4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://a1574.b.akamai.net/getimage?aid=11000101&0.46598424223382673
hxxp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673	112.90.83.73
hxxp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673	188.43.72.51

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: captcha.qq.com

Cache-Control: no-cache

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: tencent http server

Accept-Ranges: bytes

Pragma: No-cache

P3P: CP=CAO PSA OUR

Content-Length: 2051

Set-Cookie: verifysession=h010b1f0dca1bc8e05bf110588c74d419ac159143ce6a794ec6bf05e5081ceeb30b56b1c9411537b19b; PATH=/; DOMAIN=qq.com;

Connection: close

Content-Type: image/jpeg
......JFIF.............C...........................#.%$"."!& 7/&)4)!"0
A149;>>>%.DIC<H7=>;...C...........;("(;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;......5....".........................
...................................}........!1A..Qa."q.2....#B...R..$3
br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...............
......................................................................
.........................................w.......!1..AQ.aq."2...B.....
#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz........
......................................................................
......?...(..,(...(...(...(...(...(...(...(......;.In......h..f'...C.a
.:.. lpE_...F.u../.(.....7>....X[.....P0A...QXT....k..... ./...6...
..m.RG<.}.>?.\O3A.. ..y<...Q........i.%..5.DxX3F....:..HZ....
Z.I.]..\...1.dq..f.J..._.Z......O..3Z.9..q,.P.O.....{...]E....,..$...v
..8...k.}.Gh`.,Q.f...9&.{.R.....q.f...X...I..T......(..... .p.hz...D..
......up-....8.L.....f.K.m.h4...a..D..&.\.`..E.(....... ..F.H.2 ..7|..
Vi...-\.....,m...A.h2I.C.....}........V.s..^.z...u.$...m[.....%...1. o
......d.tB...k...).\X...2.y..9..`t...c.E{t-...#B'M..]..ARk...l..Kh....
E...#......v.=A'5...ii._.2...e/.p.s...B=....$.f..m.m5Mv8a..m04...;...n
.8.K]zd..5 x...-n`.<FN...x.X.YZO...........d...8.==...0.C....p...B.
..NYd. ...t..R.^.q.;.*..;\.....K.;}J.Vk.;...@..(.W....D5.&.V.....!....
.:....49...xoc..I..{}...........4...........V.X].<.tJ.........U{.Ry
....i....oz...s.B..[.^.7..c%.Kv ...NA...O..H.....@*..2T.r..]9mcNx.
<<< skipped >>>

GET /getimage?aid=11000101&0.46598424223382673 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Referer: hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673

Accept-Language: zh-cn

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Host: ptlogin2.qq.com

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: Tencent Login Server/2.0.0

Location: hXXp://captcha.qq.com/getimage?aid=11000101&0.46598424223382673

Content-Type: text/html

Date: Thu, 20 Aug 2015 19:22:36 GMT

Transfer-Encoding:  chunked

Connection: keep-alive

Connection: Transfer-Encoding
00000005..0....00000000..HTTP/1.1 302 Moved Temporarily..Server: Tence
nt Login Server/2.0.0..Location: hXXp://captcha.qq.com/getimage?aid=11
000101&0.46598424223382673..Content-Type: text/html..Date: Thu, 20 Aug
 2015 19:22:36 GMT..Transfer-Encoding:  chunked..Connection: keep-aliv
e..Connection: Transfer-Encoding..00000005..0....00000000..

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

t$(SSh

~%UVW

u$SShe

shlwapi.dll

wininet.dll

kernel32.dll

ntdll.dll

HttpOpenRequestA

HttpSendRequestA

HttpQueryInfoA

hXXp://shen3.cccpan.com/

q.7.qE

%S4WD

hg%fpM

S.Ac9SR

0.I%3s

,wAe.kI

aiUy'4xu

%c*@j

.eH'y

{&%U)

lj%4U

xe%CNs

9F.cLe

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

hXXp://ys-g.ys168.com/1.0/361467312/h545I366K5NMJFiseSNJ/300.jpg

hXXp://ys-e.ys168.com/1.0/361467317/iseSNJg581K55744MQJK/3000.jpg

hXXp://ys-e.ys168.com/1.0/361467355/mqcUOJk244N245561M5M/zizuan.jpg

VVV.ktv188306.com/qiang/card/getway.asp

&Submit=Ìá½»

&cardPass=

[email protected]

smtp.qq.com

[email protected]

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

http=

HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

Content-Type: application/x-www-form-urlencoded

hXXp://

hXXp://ys-e.ys168.com/1.0/361467320/k254J6237L2NM2ktcVJK/mozuan.jpg

hXXp://ys-g.ys168.com/1.0/361467315/iseSNJj244N254L7KMIL/600.jpg

VVV.ktv188306.com/hai/card/getway.asp

G|Z%d

user32.dll

GetKeyboardType,MessageBoxA,CharNextA

advapi32.dll

RegQueryValueExA,RegOpenKeyExA,RegCloseKey

hXXp://ys-g.ys168.com/1.0/361467321/ktcVJKf462M244P3MOGM/1500.jpg

hXXp://ys-e.ys168.com/1.0/361467339/lrfRKMl254J623771N52/hongzuan.jpg

hXXp://ys-e.ys168.com/1.0/361467328/i733L362556LKktcVJK/dnf.jpg

hXXp://ptlogin2.qq.com/getimage?aid=11000101&0.46598424223382673

[email protected]

2013/4/2 5

hXXp://ys-e.ys168.com/1.0/361467342/i545I35743NMOJjubSMO/cf_副本.jpg

hXXp://ys-e.ys168.com/1.0/361467325/ktcVJKj244N245561MJ/chaojiQQ.jpg

hXXp://ys-e.ys168.com/1.0/361467334/h632L724735LLlrfRKM/fenzuan.jpg

hXXp://ys-e.ys168.com/1.0/361467349/jubSMOl254J623771N55/qqvip.jpg

416488350

hXXp://pay.qq.com/cgi-bin/account/account_qqcard_save_qbqd.cgi

&CardPassword=

hXXp://shen3.ys168.com

hXXp://ys-g.ys168.com/1.0/361467318/i733L371L6PLHKiseSNJ/800.jpg

VVV.paysqb.com/p/video.asp

862973108

Windows 95

Windows 98

Windows Mellinnium

Windows NT 3.51

Windows NT 4.0

Windows 2000

Windows XP

Windows 2003

hXXp://wpa.qq.com/msgrd?V=!&Uin=1330145522&Site=ioshenmue&Menu=yes

hXXp://ys-e.ys168.com/1.0/361467347/jubSMOh581K536434Q25/lvzuan.jpg

VVV.paysqb.com/s/video.asp

hXXp://ys-e.ys168.com/1.0/361467353/mqcUOJj371J572652P2H/qzone.jpg

hXXp://ys-e.ys168.com/1.0/361467331/lrfRKMg462M235923OK/dushu.jpg

hXXp://888.qq.com/promote/party/2012/20120517_pay/?bc_tag=10108.1.3

hXXp://ys-e.ys168.com/1.0/361467344/h632L724735L35jubSMO/lanzuan.jpg

TC TC TC TC TD TD TD TD TD TD TD TD TD TD UE!UE!UE!UE!UE"UE"UE"UE"TF!TF!TF!TF!UF"UF"UF"UF"UF#UF#UF#UF#UF#VF#VF#VF#VF#VF#VG#VG#VG#VG#VG$VG$WH$WH$WH$WH$WH$WH%WH%WH%WH%WH%WH%WH%WH%WI%WI%WI%WI%WI%WJ&WJ&WJ&WJ&XJ&XJ&WI'XJ'XJ'XJ'XJ'XJ'XJ'XJ'WJ'WJ'WJ'XJ(XJ(XJ(XJ(XJ(XK(XK(XK(XK(XK)XK)XK)XK)XK)XK)YK)YK)YK)YK)YL*YL*YL*YL*YL*YL*ZL*ZL*ZL*ZL*YL*YL*YL*YM YM YM YM ZM ZM ZM ZM ZM ZM ZN ZN ZN ZM,ZM,ZM,ZM,ZN,ZN,ZN,ZN,ZN,ZN,ZN,ZN,ZN,ZN-ZN-ZN-ZN.ZN-NC'OD'OD'OD(OD(OD(OD(OD(OD(PD)PD)PD)PD)PD)PE)PE)OD)OD)PE)\P/\P/\Q0\Q0\Q0\Q0\Q0\Q0\Q0\Q0\Q0\Q0\Q0\Q0]Q1]Q1]Q1yi@

1330145522

%uZqT

VVV.meitu.com

>.hzm

2|-G}U

I.k.XrE

.iBJV

6Sm%C

.NnZ0

5|M%U8

r}}

ûZQ&

http:kcr.cccpan.com

QCu.ei

VVV.payl88.com/huiyuan.htmls

hXXp://VVV.yuzi.net

%5u{&

(7),01444

'9=82<.342

hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=payjump&ptcss=¶m=url%3Dhttp%253A%2F%2Fmy.pay.qq.com%2Faccount%2Faccount_general_query.shtml&css=&mibao_css=&low_login=

.dv .s

h.It8

R-h}O

f^s.ih|

Pi.Mx

z.kKuk

ViX.FFv

1330145522

.wy"H

<"V

r-1}0W

"v.XA4

@.BhA

H2IpNsqL

.vsx]

eVfTpfT`

@.rI1x

TTS%UTVA

%xf`p

]P%UWeUY

=2J.GT

.uPha

5>?%S

K-5}9

$Xv%8x&

D%4x[c

VVV.paysqb.com/p/video.asp)

F%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

ole32.dll

__MSVCRT_HEAP_SELECT

RASAPI32.dll

iphlpapi.dll

SHLWAPI.dll

MPR.dll

WINMM.dll

WS2_32.dll

VERSION.dll

GetProcessHeap

WinExec

KERNEL32.dll

GetKeyState

GetViewportOrgEx

WINSPOOL.DRV

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

OLEAUT32.dll

oledlg.dll

WSOCK32.dll

InternetCrackUrlA

InternetCanonicalizeUrlA

WININET.dll

GetCPInfo

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportExtEx

comdlg32.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

\\.\Scsi0:

\\.\PhysicalDrive0

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

HTTP/1.0

%s <%s>

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

HELO %s

SMTP

AUTH LOGIN

LOGIN

AUTH=LOGIN

EHLO %s

Content-Type: application/octet-stream; name=%s

Content-Disposition: attachment; filename=%s

MAIL FROM:<%s>

RCPT TO:<%s>

(*.htm;*.html)|*.htm;*.html

VVV.dywt.com.cn

.PAVCOleException@@

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.PAVCOleDispatchException@@

zcÁ

.qq.com

c:\%original file name%.exe

#include "l.chs\afxres.rc" // Standard components

1, 0, 6, 6

- Skin.dll

(*.*)

1.0.8.8

1005505333

hXXp://qqb88.cccpan.com/

%original file name%.exe_800_rwx_01050000_0003E000:

`.rsrc

L$(h%f

SSh0j

msctls_hotkey32

TVCLHotKey

THotKey

\skinh.she

}uo,x6l5k%x-l h

9p%s m)t4`#b

e"m?c&y1`Ð<

SetViewportOrgEx

SetViewportExtEx

SetWindowsHookExA

UnhookWindowsHookEx

EnumThreadWindows

EnumChildWindows

`c%US.4/

!#$<#$#=

.text

`.rdata

@.data

.rsrc

@.UPX0

`.UPX1

`.reloc

hJK.ZH

O.qt0

KERNEL32.DLL

COMCTL32.dll

GDI32.dll

MSIMG32.dll

MSVCRT.dll

MSVFW32.dll

USER32.dll

SkinH_EL.dll

1, 0, 6, 6

- Skin.dll

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ST23GP6F\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SXY3KHQB\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VPB7R0AS\getimage[1].jpg (2144 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9R60NKE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VPB7R0AS\desktop.ini (67 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.