Trojan.Win32.Swrort.3_6f8736792f
not-a-virus:AdWare.Win32.BrainInst.o (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 6f8736792fe3d7609cf1bdd20c27dd55
SHA1: a1d1b26fae7e57bbb969abe368b0c8589da30e42
SHA256: b5f60206039908186b184a12bd6c9456fedd923956527bfbbac5fd15b891eae4
SSDeep: 12288:pdj/H5k5pVo EbzSaTsGpvZvJFhhDrdDdeuF7IYy0LZThi/0erAteY1V2AqEmmQh:BADEnhTJvZfhJdhZBrLPiMrteiNqEQ o
Size: 810944 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-10-31 13:12:05
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ctfmon.exe:536
The Trojan injects its code into the following process(es):
6f8736792fe3d76:1084
File activity
The process 6f8736792fe3d76:1084 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3746_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3125_feature_835.png (7862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_637.part (88627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3124_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3128.html (6033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\conditions\conditions.js (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\jquery-1.7.min.js (94020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3894_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_4067_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\check.jpg (1039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3916_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\config.js (1066 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\main.css (8434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3917_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3126_attr_15.png (13027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\locale.js (8464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3936_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Рабочий Ñтол\Continue Install PDF Speed installation.lnk (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3128_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3124_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (10348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\speedanalysis.ico (30894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3126.html (8095 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\smart.js (22961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3128_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3125_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3935_feature_.png (7862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\utils.js (2205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3129_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3936.html (7948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3917.html (19573 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_605.part (1464325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3125_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3124.html (29827 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3894_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\zulagames.ico (81582 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_640.part (4115674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3935.html (15879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Install PDF Speed973868.exe (810944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_613.part (4590295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\lbg-bottom.gif (9289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3935_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3746.html (20249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\lbg.gif (5373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_636.part (98121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\events\events.js (21570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ajax-loader.gif (3208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\4067.html (17756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3894.html (5401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3125.html (29341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_4067_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013110820131109\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\lbg-top.gif (13909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3129_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3936_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3126_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3129.html (4060 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3916.html (19681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (157310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3746_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3935_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3916_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_656.part (61382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ajax-loader2.gif (6820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3126_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3917_attr_3.png (3710 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (0 bytes)
Registry activity
The process 6f8736792fe3d76:1084 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013110820131109]
"CachePrefix" = ":2013110820131109:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Документы\ÐœÐ¾Ñ Ð¼ÑƒÐ·Ñ‹ÐºÐ°"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий Ñтол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои риÑунки"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013110820131109]
"CacheOptions" = "11"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013110820131109\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозапиÑи"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои риÑунки"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 85 39 B3 54 52 F5 D2 1F D7 FF E4 46 C9 6A 51"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий Ñтол"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013110820131109]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013110820131109]
"CacheLimit" = "8192"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Install PDF Speed973868.exe" = "C:\DOCUME~1\test\LOCALS~1\Temp\Install PDF Speed973868.exe /XML=C:\DOCUME~1\test\LOCALS~1\Temp\2.tmp /ROS /STP=0:2"
Adds a rule to the firewall Windows which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe (in)"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013093020131001]
The process ctfmon.exe:536 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://ibbalancer.com/installer/620/start.cf?cmp=97&sub=3868&rkey={8F8A82EB-5792-480D-982C-756EF972AE49} (Malicious) |  |
| hxxp://ibbalancer.com/ | |
| hxxp://ibbalancer.com/installer/620/startgui.cf?rkey={A66381D6-D438-4D06-8426-A830B1BA00A9} (Malicious) | |
| hxxp://api.ibario.com/track/ib-start?cid=3868 | 174.36.241.169 |
| hxxp://api.ibario.com/track/ib-show?cid=3868&componentid=605 | |
| hxxp://ibbalancer.com/files/components/DeltaTB.cf (Malicious) | |
| hxxp://ibbalancer.com/files/components/ZulaGamesSetup.exe (Malicious) | |
| hxxp://ibbalancer.com/files/components/conduit_checker.exe (Malicious) | |
| hxxp://ibbalancer.com/files/components/conduitinstaller.exe (Malicious) | |
| hxxp://ibbalancer.com/files/components/MyBabylonTB3.cf (Malicious) | |
| hxxp://ibbalancer.com/files/components/yandex_downloader_v3.exe (Malicious) | |
| hxxp://ibbalancer.com/files/components/Cloud_Backup_Setup_Adwards.exe (Malicious) | |
| hxxp://ibbalancer.com/files/products/PCPerformerSetup_genericv3.cf (Malicious) | |
| hxxp://ibbalancer.com/files/components/SpeedanAlysisSetup.exe | |
| hxxp://ibbalancer.com/files/products/pdfspeed.exe (Malicious) | |
| www.softologicse.com | 50.97.37.140 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate the original Trojan's process (How to End a Process With the Task Manager).
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3746_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3125_feature_835.png (7862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_637.part (88627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3124_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3128.html (6033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\conditions\conditions.js (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\jquery-1.7.min.js (94020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3894_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_4067_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\check.jpg (1039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3916_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\config.js (1066 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\main.css (8434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3917_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3126_attr_15.png (13027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\locale.js (8464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3936_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Рабочий Ñтол\Continue Install PDF Speed installation.lnk (734 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3128_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3124_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2.tmp (10348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\speedanalysis.ico (30894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3126.html (8095 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\smart.js (22961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3128_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3125_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3935_feature_.png (7862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\utils.js (2205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3129_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3936.html (7948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3917.html (19573 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_605.part (1464325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3125_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3124.html (29827 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3894_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\zulagames.ico (81582 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_640.part (4115674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3935.html (15879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Install PDF Speed973868.exe (810944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_613.part (4590295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\lbg-bottom.gif (9289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3935_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3746.html (20249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\lbg.gif (5373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_636.part (98121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\events\events.js (21570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ajax-loader.gif (3208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\4067.html (17756 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3894.html (5401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3125.html (29341 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_4067_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013110820131109\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\lbg-top.gif (13909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3129_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3936_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3126_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3129.html (4060 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\3916.html (19681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3.tmp (157310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3746_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3935_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3916_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\component_656.part (61382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\ajax-loader2.gif (6820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3126_attr_3.png (3710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810620\config\page_3917_attr_3.png (3710 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Install PDF Speed973868.exe" = "C:\DOCUME~1\test\LOCALS~1\Temp\Install PDF Speed973868.exe /XML=C:\DOCUME~1\test\LOCALS~1\Temp\2.tmp /ROS /STP=0:2" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
