Trojan.Win32.Swrort.3_2a5eac291a

by malwarelabrobot on November 12th, 2013 in Malware Descriptions.

not-a-virus:AdWare.Win32.BrainInst.t (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 2a5eac291a7dc6707c2ab18c55d091c0
SHA1: 502dcfa1bf69caf6bdc439e9e81cb83e928177fd
SHA256: fc5d11f849eb9a01bed8e22c449897387e62e773e7117eb0c026931dba30a4b0
SSDeep: 12288:7HJlFXkWnC3AKmimLngtsOzmuG9qMwwLSUwIJiGeOb7cv4AAf5WER:xQVmbO2PwQlcObG4ZWER
Size: 704336 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-05-24 12:21:29


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ctfmon.exe:1224

The Trojan injects its code into the following process(es):

%original file name%.exe:1216

File activity

The process %original file name%.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3580_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (161656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3590_feature_646.png (2700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\lbg-top.gif (13909 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013111120131112\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3590_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3579.html (6588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3583.html (5740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\conditions\conditions.js (1740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3586_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UnfriendCheck1024108.exe (704336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3584_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3586.html (19620 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3587_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3577_feature_.png (7862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3580.html (7485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3587_attr_15.png (13027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3577_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3587_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\check.jpg (1039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3585_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3952.html (20059 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3580_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3952_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3581_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\component_358.part (8251333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3590_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ajax-loader.gif (3208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3588_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3578_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3579_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\js\config.js (1037 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\events\events.js (14575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3606_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\component_640.part (4115674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3578_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3589.html (2884 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3589_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\js\jquery-1.7.min.js (94020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3583_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3581_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3586_attr_15.png (13027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3606_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3590.html (19570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3589_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\lbg.gif (5373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3577_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\js\smart.js (23124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3952_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\component_627.part (3357629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3585.html (8510 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3582_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\component_613.part (4590295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3588_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\seesimilar.ico (99678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3582.html (27444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\48.tmp (12098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3583_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3585_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\~66.tmp (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3582_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\lbg-bottom.gif (9289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3586_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\speedanalysis.ico (30894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3588.html (3845 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3584_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ajax-loader2.gif (6820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\b-bg.gif (295 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\main.css (8473 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3587.html (5339 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3579_attr_3.png (5217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3584.html (20060 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\page_3581_feature_405.png (5608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\3581.html (5697 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmp9726663\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Continue UnfriendCheck installation.lnk (719 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111120131112]
"CacheLimit" = "8192"
"CachePrefix" = ":2013111120131112:"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013111120131112\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои рисунки"
"CommonMusic" = "%Documents and Settings%\All Users\Документы\Моя музыка"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111120131112]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои рисунки"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111120131112]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозаписи"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 3C D3 A6 58 49 10 79 FF 60 1A 1B 79 61 BA 72"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"UnfriendCheck1024108.exe" = "C:\DOCUME~1\test\LOCALS~1\Temp\UnfriendCheck1024108.exe /XML=C:\DOCUME~1\test\LOCALS~1\Temp\48.tmp /ROS /STP=0:2"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

"IntranetName" = "1"

The Trojan adds a rule to the Windows Firewall that allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe (in)"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013093020131001]

The process ctfmon.exe:1224 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

URL IP
hxxp://ibbalancer.com/installer/663/start.cf?cmp=102&sub=4108&rkey={26515DD5-7FB0-454A-BE30-6458ECC74C59}
hxxp://www.softisto.com/installer/663/startgui.cf?rkey={880FA581-834F-4DBE-B775-0289055B30D1} (Malicious) 173.192.190.224
hxxp://stats1-1013604270.us-east-1.elb.amazonaws.com/service/stats.php?sv=1 107.20.137.62
hxxp://www.softisto.com/files/components/conduit_checker.exe (Malicious)
hxxp://www.softisto.com/files/components/TikaTB.cf (Malicious)
hxxp://www.softisto.com/files/components/conduitinstaller.exe (Malicious)
hxxp://www.softisto.com/files/components/SpeedanAlysisSetup.exe (Malicious)
hxxp://www.softisto.com/files/components/yandex_downloader_v3.exe (Malicious)
hxxp://www.softisto.com/files/components/Cloud_Backup_Setup.exe (Malicious)
hxxp://www.softisto.com/files/components/LizardLink_rh.exe (Malicious)
hxxp://www.softisto.com/files/products/seesimilarSetupv2.exe (Malicious)
hxxp://www.softisto.com/files/products/PCPerformerSetup_genericv3.cf (Malicious)
hxxp://www.softisto.com/files/products/UnfriendCheckSetup.exe (Malicious)
hxxp://www.softisto.com/files/components/ZulaGamesSetup.exe (Malicious)
www.softologic.com 50.97.37.140


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the original Trojan's process (How to End a Process With the Task Manager).
  2. Delete the original Trojan file.
  3. Delete or disinfect the files created/modified by the Trojan, as listed under "File activity" above.

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "UnfriendCheck1024108.exe" = "C:\DOCUME~1\test\LOCALS~1\Temp\UnfriendCheck1024108.exe /XML=C:\DOCUME~1\test\LOCALS~1\Temp\48.tmp /ROS /STP=0:2"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
