Trojan.Win32.Swrort.3_73cf839b18

by malwarelabrobot on November 13th, 2013 in Malware Descriptions.

not-a-virus:AdWare.Win32.BrainInst.t (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 73cf839b18a1c016bcd9a5a36e8489f8
SHA1: c1bb8f4bbcf6fbd7869f3193fff80ae29b37aedd
SHA256: ca75c18fa9768eb3de1ca830af12b14f4261d4b6cb5ab42b776874fd85a35a28
SSDeep: 12288:3k6WxXcEOClI3rWKQsxMQlMBbqJZ chwPsZxJVg5wgVFk:pecrWKQsxMQlMBelr4/VFk
Size: 604192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-05-16 16:22:10


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ctfmon.exe:1224

The Trojan injects its code into the following process(es):

%original file name%.exe:316

File activity

The process %original file name%.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3330_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_656.part (61382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3384_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3330.html (8664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_358.part (8251333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3384_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (168830 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3231_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2972.html (16864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2979_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3940_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Video Performer793863.exe (604192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2978.html (3848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2973.html (5894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2973_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2998.html (6942 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3143.html (7987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\lbg.gif (5373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_514.part (98121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3389.html (20291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_625.part (88598 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2977_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2998_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3598.html (8248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2978_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013111220131113\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\smart.js (24801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3878_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2979_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3940.html (20290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3330_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3878.html (19761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2976_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_613.part (4590295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3878_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_640.part (4115674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3143_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3143_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ajax-loader2.gif (6820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2972_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2978_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2972_feature_.png (7862 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3597_feature_646.png (2700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2976.html (3831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2998_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\events\events.js (24699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\conditions\conditions.js (1740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3363_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3597_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3384.html (5709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\old_smart.js (23124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2979.html (2886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3597_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2973_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\check.jpg (1039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3940_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2977_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3231.html (6179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3598_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2976_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3598_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ajax-loader.gif (3208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\48.tmp (14104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3363.html (5780 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\component_369.part (29056876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3231_feature_405.png (5608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\2977.html (5570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3389_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Continue Video Performer installation.lnk (724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2972_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3363_attr_3.png (10529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\arrow.gif (207 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\seesimilar.ico (99678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\speedanalysis.ico (30894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\jquery-1.7.min.js (94020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\js\config.js (1037 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\lbg-bottom.gif (9289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2977_attr_15.png (13027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\3597.html (19832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\lbg-top.gif (13909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3231_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\ib\main.css (8524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_3389_attr_46.bmp (42546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpc810551\config\page_2976_attr_15.png (13027 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013093020131001\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\49.tmp (0 bytes)

Registry activity

The process ctfmon.exe:1224 makes changes in the system registry.
The Trojan deletes the following value(s) in the system registry. It disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

The process %original file name%.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111220131113]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111220131113]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013111220131113\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111220131113]
"CachePrefix" = ":2013111220131113:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Документы\Моя музыка"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111220131113]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои рисунки"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111220131113]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозаписи"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои рисунки"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE DB 44 42 E5 80 2B 31 27 64 62 62 F6 95 8C 3E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

The Trojan adds a rule to the Windows Firewall which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe (in)"

The Trojan modifies IE security-zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:

"IntranetName" = "1"

To run itself automatically each time Windows is booted, the Trojan adds the following link to its file in the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Video Performer793863.exe" = "C:\DOCUME~1\test\LOCALS~1\Temp\Video Performer793863.exe /XML=C:\DOCUME~1\test\LOCALS~1\Temp\48.tmp /ROS /STP=0:2"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013093020131001]

Network activity (URLs)

URL IP
hxxp://www.softisto.com/files/components/SpeedanAlysisSetup.exe (Malicious) 174.37.181.28
hxxp://www.softisto.com/files/products/VideoPerformerSetup.exe (Malicious)
hxxp://www.softisto.com/files/components/Cloud_Backup_Setup.exe (Malicious)
hxxp://www.softisto.com/files/products/PCPerformerSetup_genericv3.cf (Malicious)
hxxp://www.softisto.com/files/components/ZulaGamesSetup.exe (Malicious)


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate the original Trojan's process (How to End a Process With the Task Manager).
  2. Delete the original Trojan file.
  3. Delete or disinfect the files created/modified by the Trojan (the full list is given under File activity above).

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Video Performer793863.exe" = "C:\DOCUME~1\test\LOCALS~1\Temp\Video Performer793863.exe /XML=C:\DOCUME~1\test\LOCALS~1\Temp\48.tmp /ROS /STP=0:2"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
