Trojan.NSIS.StartPage_6936adddce

by malwarelabrobot on March 4th, 2014 in Malware Descriptions.

Adware.OutBrowse (VIPRE), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6936adddce5bab89a86959fcf2f33d36
SHA1: 1fe40088ea87e28aaf7e2e0d7e3de57a5fba4ac4
SHA256: 2610aa4a6c334c834730b8df519c752960eb57f9a7290dc9b537f587b9645c9a
SSDeep: 3072:EgXdZt9P6D3XJGCG5Ky/9XO3jR0eWSzUu/0Wb:Ee341GUQ9OzRgW/cM
Size: 104376 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2004
wmic.exe:512

The Trojan injects its code into the following process(es):

DM1391965868.exe:464

File activity

The process %original file name%.exe:2004 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\Banner.dll (4096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\NSISdl.dll (14848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DM1391965868.exe (1410840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructions.dat (1423908 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\Convert.dll (145326 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructions.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp (0 bytes)

The process wmic.exe:512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (33480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (2652570 bytes)
%System%\wbem\Logs\mofcomp.log (582 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (37088 bytes)
%System%\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof (58770 bytes)
%System%\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof (7496502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)
%System%\wbem\AutoRecover\23BDE61F1F4FACE17E9B0C01F2A1FD9B.mof (65986 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (0 bytes)

The process DM1391965868.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@ppdownload[2].txt (577 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014030420140305\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\dc[1].js (54775 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (61440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\bodyImg[1].png (109767 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ppdownload[1].txt (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\DynamicOfferScreen[1].htm (16256 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@ppdownload[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041120130412\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ppdownload[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041120130412 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (0 bytes)

Registry activity

The process %original file name%.exe:2004 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 78 86 B5 F8 90 57 65 70 F1 68 03 81 DF 10 EF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

The process wmic.exe:512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A FA AC DC A6 22 9E 4D 58 58 FD 8B 79 F6 6D AB"

[HKLM\SOFTWARE\Microsoft\WBEM\CIMOM]
"Autorecover MOFs timestamp" = "130384110045693750"

[HKCU\Software\Microsoft\Wbem\WMIC]
"WMICLC" = "0"
"mofcompMUIStatus" = "0"

[HKLM\SOFTWARE\Microsoft\WBEM\WMIC]
"CliEgAliases.mof" = "127360404460000000"
"Cli.mof" = "127360404460000000"
"CliEgAliases.mfl" = "127345749920000000"
"mofcompstatus" = "1"

The process DM1391965868.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\DM1391965868.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Диагностика проблем подключения..."

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014030420140305]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014030420140305\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014030420140305]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014030420140305]
"CachePrefix" = ":2014030420140305:"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\DM1391965868.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014030420140305]
"CacheLimit" = "8192"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\DM1391965868.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B E8 F1 AC FE 50 0D 94 2E F9 43 D2 65 2F 62 A4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014030420140305]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041120130412]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://getfilesresources.outbrowse.netdna-cdn.com/dmresources/instructions.dat
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=301&distid=3746&productid=3578&subpubid=-1&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=&netv=&d1=5010&d2=-1&d3=-1&d4=-1&d5=34094&cookieproductname=105-84-117-110-101-115&cookieeula=&cookieprivacy=&hb=1&systembit=32&vm=1&version=3.0
hxxp://ppdownloadoffers.outbrowse.netdna-cdn.com/offers/DynamicOfferScreen?offerid=5&distid=3746&leadp=3578&cookieproductname=105-84-117-110-101-115&dfb=0&hb=1&
hxxp://stats.l.doubleclick.net/dc.js
hxxp://getfilesresources.outbrowse.netdna-cdn.com/offers/images/Theme10/topLine.jpg
hxxp://getfilesresources.outbrowse.netdna-cdn.com/offers/images/Theme10/topComp.png
hxxp://getfilesresources.outbrowse.netdna-cdn.com/offers/images/Theme10/bgImg.jpg
hxxp://getfilesresources.outbrowse.netdna-cdn.com/offers/images/Theme10/bodyImg.png
hxxp://getfilesresources.outbrowse.netdna-cdn.com/offers/images/Theme10/bottomLine.jpg
hxxp://getfilesresources.outbrowse.netdna-cdn.com/offers/images/Theme10/nextCase.jpg
hxxp://stats.l.doubleclick.net/__utm.gif?utmwv=5.4.7dc&utms=1&utmn=1247947545&utmhn=offers.ppdownload.com&utmcs=utf-8&utmsr=1280x768&utmvp=590x395&utmsc=32-bit&utmul=ru&utmje=1&utmfl=6.0 r79&utmdt=5 - NonProduct (SoftWorld Download Manager)&utmhid=1041594202&utmr=-&utmp=/offers/DynamicOfferScreen?offerid=5&distid=3746&leadp=3578&cookieproductname=105-84-117-110-101-115&dfb=0&hb=1&&utmht=1393937419272&utmac=UA-37348037-1&utmcc=__utma=81742934.871961272.1393937419.1393937419.1393937419.1;+__utmz=81742934.1393937419.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmu=qh~
hxxp://getfilesresources.outbrowse.netdna-cdn.com/offers/images/Theme10/button_over.png
hxxp://getfilesresources.outbrowse.netdna-cdn.com/offers/images/Theme10/button.png
installer.apps-track.com 50.17.255.198
get.getfilesresources.com 198.232.124.224
stats.g.doubleclick.net 74.125.142.157
offers.ppdownload.com 108.161.189.33
static.revenyou.com 198.232.124.224


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

VersionInfo

Company Name:
Product Name: iTunes
Product Version: 3.0
Legal Copyright: iTunes
Legal Trademarks: iTunes
Original Filename:
Internal Name:
File Version:
File Description: iTunes
Comments: Installer
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 61440 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 253952 3168 3584 2.75004 198246b4b7cbee3792198368ac8ff3ff

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 94


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2004
    wmic.exe:512

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\Banner.dll (4096 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\NSISdl.dll (14848 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DM1391965868.exe (1410840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\instructions.dat (1423908 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi2.tmp\Convert.dll (145326 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp3.tmp (33480 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp4.tmp (2652570 bytes)
    %System%\wbem\Logs\mofcomp.log (582 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmp5.tmp (37088 bytes)
    %System%\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof (58770 bytes)
    %System%\wbem\AutoRecover\C8463ECBE33BC240263A0B094E46D510.mof (7496502 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\obhhelper.txt (238 bytes)
    %System%\wbem\AutoRecover\23BDE61F1F4FACE17E9B0C01F2A1FD9B.mof (65986 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ppdownload[2].txt (577 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014030420140305\index.dat (32768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\dc[1].js (54775 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\button_over[1].png (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\button[1].png (458 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (61440 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\bodyImg[1].png (109767 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ppdownload[1].txt (482 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\DynamicOfferScreen[1].htm (16256 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
