Trojan.Win32.Swrort.3_05247c0858
InstallBrain (fs) (VIPRE), Win32.SuspectCrc!IK (Emsisoft), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 05247c08586d747ce98ba5f6d984fd79
SHA1: 5e4c5eb60a123901d316d2aee8d834496577f9fb
SHA256: a371335a3cfb8a99d37049dcd006b367f28909efa37b36296faf8344a1c3d14c
SSDeep: 12288:ZiM//mmvnmltduTdsySnfdN7Gmc1BqoBzydLZZnU TrEVTNt7FEuNLRz0lxZ4n03:zmt4TOySfu18oYLZZU TIlE1l/4nEhgU
Size: 718624 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: SummerSoft
Created at: 2013-08-16 14:53:19
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
The Trojan injects its code into the following process(es):
05247c08586d747ce98ba5f6d984fd79.exe:644
File activity
The process 05247c08586d747ce98ba5f6d984fd79.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3596_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\4068.html (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3736.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3741.html (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3407_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3407_feature_.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3407_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\js\smart.js (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\btn2_old.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Install RocketPDF344019.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1.tmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3735.html (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3253_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3407.html (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3255_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3261_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3408_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3255_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\js\config.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3741_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3261_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\component_618.part (12003 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3253_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3741_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Desktop\Continue Install RocketPDF installation.lnk (825 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3408.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3735_feature_835.png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\check.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3967_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3261.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3255.html (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ajax-loader2.gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\component_640.part (10645 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3596.html (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3735_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3735_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3253.html (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\lbg-bottom.gif (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\conditions\conditions.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3262_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\js\utils.js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3262.html (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_4068_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3736_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\component_600.part (3308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_4068_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\component_637.part (2808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3967_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\js\locale.js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\js\jquery-1.7.min.js (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\lbg.gif (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0BW9QJCB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\component_613.part (11273 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3408_attr_3.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3262_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ajax-loader.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CT6FC9Q7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\speedanalysis.ico (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\red-pb-act.jpg (380 bytes)
%System%\wbem\Logs\wbemprox.log (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3736_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5JK4FTFG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\component_612.part (6560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\3967.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3596_attr_46.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\page_3255_attr_15.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\lbg-top.gif (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810632\config\events\events.js (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SLMLS5WJ\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
Registry activity
The process 05247c08586d747ce98ba5f6d984fd79.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013102220131023]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013102220131023]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013102220131023]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 1F 89 7A 86 03 61 FB 3D 82 C1 4B ED CD B2 DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013102220131023]
"CachePrefix" = ":2013102220131023:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013102220131023]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013102220131023\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web nodes whose names contain no dots and which do not belong to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:]
"05247c08586d747ce98ba5f6d984fd79.exe" = "C:\05247c08586d747ce98ba5f6d984fd79.exe:*:Enabled:05247c08586d747ce98ba5f6d984fd79.exe (in)"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Install RocketPDF344019.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Install RocketPDF344019.exe /XML=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1.tmp /ROS /STP=0:2"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://50.97.37.140/files/components/Cloud_Backup_Setup_Adwards.exe | |
| hxxp://50.97.37.140/files/products/RocketPDF.exe | |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the original Trojan's process (How to End a Process With the Task Manager).
- Delete the original Trojan file.
- Delete or disinfect the files created/modified by the Trojan, as listed under "File activity" above.
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Install RocketPDF344019.exe" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\Install RocketPDF344019.exe /XML=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\1.tmp /ROS /STP=0:2"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.