Trojan.Win32.Swrort.3_d2c5bc5366

by malwarelabrobot on March 7th, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.Agent (VIPRE), Trojan.Win32.Swrort.3.FD (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: d2c5bc5366f318fd80ce0fcbe693a0e6
SHA1: 12ee9dd23565865e49369d67dce187d114764519
SHA256: f5c4d587a277a6749a2578fa119fada9286fd1953aea283ee225efd448a6e0ff
SSDeep: 12288:LTHiFlkI9s6dRi7X4 C9rr5TLeqvkQnoSNo8x:LTHEkBORij4 yrrlL 0oe
Size: 401768 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Softonic
Created at: 2013-11-12 11:47:15
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:1856

File activity

The process %original file name%.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\CAQR4LMZ.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\universaldownloader-prefetch[1].htm (39566 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@softonic[2].txt (883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\blank[1].gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft-security-essentials-64-bit.sd.softonic[2].txt (3140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\sd_100401_ae4b9[1].jpg (41945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\gpt[1].js (17480 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@softonic[1].txt (1190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CA7YO3JP.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CAS1M95Y.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\f06de-97197[1].js (391011 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\sd_100710_46b91[1].jpg (60766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pubads_impl_32[1].js (26947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\fec0e-b109c[1].css (4893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CASD6DL2.gif (35 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sd.softonic[1].txt (97 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CAWT2BW9.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pubads_impl_32[2].js (74317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\CATS7EZB.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\gradientbg[1].png (2958 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft-security-essentials-64-bit.sd.softonic[1].txt (3007 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\sd_sprite[1].png (6811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\gpt[1].js (56547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\campaign-100401,100710[1].htm (71056 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\microsoft-security-essentials-32[1].png (18593 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sd.softonic[2].txt (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\sd_100401_ae4b9[1].jpg (44883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\fec0e-b109c[2].css (20205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\campaign-100401,100710[1] (20949 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (323584 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014030620140307\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\loading[1].gif (1553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\sd_icon_100401_907c2[1].jpg (1370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\sd_100710_46b91[1].jpg (63703 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@sd.softonic[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft-security-essentials-64-bit.sd.softonic[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\gpt[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CAWT2BW9.gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@softonic[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041120130412\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\fec0e-b109c[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pubads_impl_32[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@softonic[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CAS1M95Y.gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@microsoft-security-essentials-64-bit.sd.softonic[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\CAQR4LMZ.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\CATS7EZB.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CA7YO3JP.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041120130412 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CASD6DL2.gif (0 bytes)

Registry activity

The process %original file name%.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Softonic\Universal Downloader]
"uuid" = "DDE7EAB3-E383-4E63-AE72-C63846EB22C8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014030620140307]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Диагностика проблем подключения..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014030620140307]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014030620140307\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014030620140307]
"CachePrefix" = ":2014030620140307:"
"CacheOptions" = "11"
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 84 DF 9C 9D 99 5B 40 75 72 45 9F 59 62 23 2A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041120130412]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://microsoft-security-essentials-64-bit.sd.softonic.pl/universaldownloader-prefetch 46.28.209.70
hxxp://microsoft-security-essentials-64-bit.sd.softonic.pl/pl/js/generated/f06de-97197.js
hxxp://microsoft-security-essentials-64-bit.sd.softonic.pl/universaldownloader-track
hxxp://softonic-analytics.net/blank.gif?product=st_activity&event=prefetch:campaigns:selected&id_session=DDE7EAB3-E383-4E63-AE72-C63846EB22C8t1394081411f93642&params={"1":{"id_campaign":"100401"},"2":{"id_campaign":"100710"}}&ts=1394081411735 46.28.209.74
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=1&utmn=777558618&utmhn=microsoft-security-essentials-64-bit.sd.softonic.pl&utmcs=utf-8&utmsr=1280x768&utmvp=650x450&utmsc=32-bit&utmul=ru&utmje=1&utmfl=6.0 r79&utmhid=751557666&utmr=-&utmp=/prefetch:session:create&utmht=1394081411563&utmac=UA-20034990-2&utmcc=__utma=255397524.2008969847.1394081411.1394081411.1394081411.1;+__utmz=255397524.1394081411.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACg~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=2&utmn=16110555&utmhn=microsoft-security-essentials-64-bit.sd.softonic.pl&utmcs=utf-8&utmsr=1280x768&utmvp=650x450&utmsc=32-bit&utmul=ru&utmje=1&utmfl=6.0 r79&utmhid=751557666&utmr=http://unknown_browser_unknown_version&utmp=/prefetch:campaigns:selected&utmht=1394081411719&utmac=UA-20034990-2&utmcc=__utma=255397524.2008969847.1394081411.1394081411.1394081411.1;+__utmz=255397524.1394081411.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://microsoft-security-essentials-64-bit.sd.softonic.pl/universaldownloader/campaign-100401,100710?sd_timestamp=1394081411
hxxp://microsoft-security-essentials-64-bit.sd.softonic.pl/pl/css/generated/fec0e-b109c.css
hxxp://microsoft-security-essentials-64-bit.sd.softonic.pl/shared/img/universaldownloader/gradientbg.png
hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100401/sd_100401_ae4b9.jpg 46.28.209.52
hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100401/sd_icon_100401_907c2.jpg
hxxp://microsoft-security-essentials-64-bit.sd.softonic.pl/shared/img/universaldownloader/sd_sprite.png
hxxp://microsoft-security-essentials-64-bit.sd.softonic.pl/shared/img/universaldownloader/loading.gif
hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100710/sd_100710_46b91.jpg
hxxp://zdjecia.pl.sftcdn.net/pl/scrn/93000/93642/microsoft-security-essentials-32.png 46.28.209.56
hxxp://pagead46.l.doubleclick.net/tag/js/gpt.js
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=3&utmn=1752948993&utmhn=microsoft-security-essentials-64-bit.sd.softonic.pl&utmcs=utf-8&utmsr=1280x768&utmvp=650x450&utmsc=32-bit&utmul=ru&utmje=1&utmfl=6.0 r79&utmdt=Microsoft Security Essentials installation assistant&utmhid=2057003581&utmr=http://unknown_browser_unknown_version&utmp=/init_startup&utmht=1394081413298&utmac=UA-20034990-2&utmcc=__utma=255397524.2008969847.1394081411.1394081411.1394081411.1;+__utmz=255397524.1394081411.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=4&utmn=820694362&utmhn=microsoft-security-essentials-64-bit.sd.softonic.pl&utmcs=utf-8&utmsr=1280x768&utmvp=650x450&utmsc=32-bit&utmul=ru&utmje=1&utmfl=6.0 r79&utmdt=Microsoft Security Essentials installation assistant&utmhid=2057003581&utmr=http://unknown_browser_unknown_version&utmp=/start_api&utmht=1394081413329&utmac=UA-20034990-2&utmcc=__utma=255397524.2008969847.1394081411.1394081411.1394081411.1;+__utmz=255397524.1394081411.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=5&utmn=913352265&utmhn=microsoft-security-essentials-64-bit.sd.softonic.pl&utmcs=utf-8&utmsr=1280x768&utmvp=650x450&utmsc=32-bit&utmul=ru&utmje=1&utmfl=6.0 r79&utmdt=Microsoft Security Essentials installation assistant&utmhid=2057003581&utmr=http://unknown_browser_unknown_version&utmp=/legal_start&utmht=1394081413391&utmac=UA-20034990-2&utmcc=__utma=255397524.2008969847.1394081411.1394081411.1394081411.1;+__utmz=255397524.1394081411.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=6&utmn=391522108&utmhn=microsoft-security-essentials-64-bit.sd.softonic.pl&utmcs=utf-8&utmsr=1280x768&utmvp=650x450&utmsc=32-bit&utmul=ru&utmje=1&utmfl=6.0 r79&utmdt=Microsoft Security Essentials installation assistant&utmhid=2057003581&utmr=http://unknown_browser_unknown_version&utmp=/legal_timestamp&utmht=1394081413423&utmac=UA-20034990-2&utmcc=__utma=255397524.2008969847.1394081411.1394081411.1394081411.1;+__utmz=255397524.1394081411.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100401/sd_100401_ae4b9.jpg?v=0.4160054477168598
hxxp://screenshots.en.sftcdn.net/campaign/scrn/100000/100710/sd_100710_46b91.jpg?v=0.9426370369099961
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=7&utmn=665252804&utmhn=microsoft-security-essentials-64-bit.sd.softonic.pl&utmcs=utf-8&utmsr=1280x768&utmvp=650x450&utmsc=32-bit&utmul=ru&utmje=1&utmfl=6.0 r79&utmdt=Microsoft Security Essentials installation assistant&utmhid=2057003581&utmr=http://unknown_browser_unknown_version&utmp=/C100401--load1&utmht=1394081413454&utmac=UA-20034990-2&utmcc=__utma=255397524.2008969847.1394081411.1394081411.1394081411.1;+__utmz=255397524.1394081411.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://www-google-analytics.l.google.com/__utm.gif?utmwv=5.4.6&utms=8&utmn=1014515039&utmhn=microsoft-security-essentials-64-bit.sd.softonic.pl&utmcs=utf-8&utmsr=1280x768&utmvp=650x450&utmsc=32-bit&utmul=ru&utmje=1&utmfl=6.0 r79&utmdt=Microsoft Security Essentials installation assistant&utmhid=2057003581&utmr=http://unknown_browser_unknown_version&utmp=/C100710--load2&utmht=1394081413485&utmac=UA-20034990-2&utmcc=__utma=255397524.2008969847.1394081411.1394081411.1394081411.1;+__utmz=255397524.1394081411.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);&utmmt=1&utmu=qACgAAAAC~
hxxp://partnerad.l.doubleclick.net/gpt/pubads_impl_32.js
static.sd.softonic.pl 46.28.209.70
www.googletagservices.com 74.125.226.154
www.google-analytics.com 204.9.80.20
partner.googleadservices.com 74.125.226.109


IDS verdicts

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Screenshot

VersionInfo

Company Name: Softonic
Product Name: Softonic Downloader
Product Version: 1, 40, 1, 0
Legal Copyright: Copyright (C) 2013
Legal Trademarks:
Original Filename: SoftonicDownloader.exe
Internal Name: Softonic Downloader
File Version: 1, 40, 1, 0
File Description: Softonic Downloader
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
fuW714gk 4096 1081344 0 0 d41d8cd98f00b204e9800998ecf8427e
G236u756 1085440 360448 357376 5.54398 2c489e12caa702c2dfa7f44dc2c4edb1
.rsrc 1445888 16384 15872 3.56349 e390b951e5ed8da27bbe035a8e2a5d07

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

System\CurrentControlSet\Control\VIDEO\{CF088C39-60FF-4B54-9C0F-80345F8AE401}\0000\Mon12345678
DefaultSettings.XResolution
\172.20.60.249\P13_Tech_B&W
System\CurrentControlSet\Control\VIDEO\{F92BFB9B-59E9-4B65-8AA3-D004C26BA193}\0000\Mon12345678
{B8BF51A6-0AB3-48F2-A38E-4E36CADC41AD}
SYSTEM\CurrentControlSet\Control\DeviceClasses\{0a4252a0-7e70-11d0-a5d6-28db04c10000}\##?#Root#SYSTEM#0000#{0a4252a0-7e70-11d0-a5d6-28db04c10000}\Control
rsa2@22:base.mmartos.coretonic
Software\SimonTatham\PuTTY\SshHostKeys
LGot Elevation URL. [%s]
New URL was not valid.
D0.0.0.0
C[%d] [%lld|%lld]
Software\Classes\http\shell\open\command\
http\shell\open\command\
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\
chrome.exe
iexplore.exe
firefox.exe
opera.exe
opera
safari.ex
browser.startup.homepage
prefs.js
user.js
user_pref("browser.startup.homepage", "
"browser.startup.homepage", "
\"browser.startup.homepage\". \"(.)*\"
browser.search.order.1
browser.search.order.2
browser.search.order.3
\"(.)*.;
browser.search.selectedEngine
browser.search.defaultenginename
browser.search.useDBForOrder
user_pref("browser.search.useDBForOrder", "false");
browser.search.useDBForOrder", "false");
browser.search.useDBForOrder.*
%s*.*
Software\Mozilla\Mozilla Firefox\
\Google\Chrome
SOFTWARE\Mozilla\Mozilla Firefox
SOFTWARE\Mozilla\Mozilla Firefox\
PathToExe
\Mozilla\Firefox\profiles.ini
\Mozilla\Firefox\
\search-metadata.json
json_value.cpp
ljson_reader.cpp
Applications\iexplore.exe\shell\open\command
Software\Microsoft\Windows\CurrentVersion\Uninstall
Assertion failed: %s, file %s, line %d
1, 40, 1, 0
SoftonicDownloader.exe


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\CAQR4LMZ.gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\universaldownloader-prefetch[1].htm (39566 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@softonic[2].txt (883 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\blank[1].gif (35 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@microsoft-security-essentials-64-bit.sd.softonic[2].txt (3140 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\sd_100401_ae4b9[1].jpg (41945 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\gpt[1].js (17480 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@softonic[1].txt (1190 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CA7YO3JP.gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CAS1M95Y.gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\f06de-97197[1].js (391011 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\sd_100710_46b91[1].jpg (60766 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pubads_impl_32[1].js (26947 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\fec0e-b109c[1].css (4893 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CASD6DL2.gif (35 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sd.softonic[1].txt (97 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\CAWT2BW9.gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\pubads_impl_32[2].js (74317 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\CATS7EZB.gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\gradientbg[1].png (2958 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@microsoft-security-essentials-64-bit.sd.softonic[1].txt (3007 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\sd_sprite[1].png (6811 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\gpt[1].js (56547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\campaign-100401,100710[1].htm (71056 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\microsoft-security-essentials-32[1].png (18593 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sd.softonic[2].txt (108 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\sd_100401_ae4b9[1].jpg (44883 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\XWHK1GPI\fec0e-b109c[2].css (20205 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (323584 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014030620140307\index.dat (32768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\loading[1].gif (1553 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\R5BRBDUV\sd_icon_100401_907c2[1].jpg (1370 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OEBBOQ59\sd_100710_46b91[1].jpg (63703 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.