Gen.Variant.Ursu.236140_c58166dec3
Gen:Variant.Ursu.236140 (BitDefender), VirTool:Win32/Vigorf.A (Microsoft), Trojan.Win32.Bicololo.biml (Kaspersky), Trojan.DownLoader26.49573 (DrWeb), Gen:Variant.Ursu.236140 (B) (Emsisoft), GenericRXFV-KC!C58166DEC37B (McAfee), ML.Attribute.HighConfidence (Symantec), Trojan.Win32.Injector (Ikarus), Gen:Variant.Ursu.236140 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast)
Behaviour: Trojan, VirTool, Malware
The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: c58166dec37b64b35d42d0702135d399
SHA1: 6dcfb13e1ab2bf0ac46cac199b3a600e16e6d532
SHA256: 42f2d8f3b7cdd35f4be0d6737d4b1f5ef310a7264ae86fcb5c498a16797be3e8
SSDeep: 24576:NIGeDgrmRPUZBQxsAZLRckcIKftGyoKRt/f9JdlFkkrq1ZITaOvi78NLELgh:KMrm BKRckcIK6K9JdlHTaObV
Size: 1460224 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Crawler.com, LLC
Created at: 2018-06-18 23:37:31
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
certutil.exe:3736
certutil.exe:4032
certutil.exe:2256
run.exe:3576
dist.exe:2736
regedit.exe:2440
%original file name%.exe:1780
2dREb.exe:1788
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process certutil.exe:3736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.pfx (2 bytes)
The Trojan deletes the following file(s):
C:\Windows\cer50F0.tmp (0 bytes)
The process certutil.exe:4032 makes changes in the file system.
The Trojan deletes the following file(s):
C:\Windows\cer50B2.tmp (0 bytes)
The process certutil.exe:2256 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.exe (36 bytes)
The Trojan deletes the following file(s):
C:\Windows\cer514E.tmp (0 bytes)
The process run.exe:3576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (647 bytes)
The process dist.exe:2736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YGxlSXPtL.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rpMCARCr.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rr.vbe (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BPh71Ye.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\B6kzM.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QF69AzB.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MeAjSWf.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\EDNhm3so.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.bat (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hVOfo.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\F6cI6NX8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ax3CF.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YdD3ojxS.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\Tiizs2t.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\xRrJBdT.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\k8R6BEuZM.reg (633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DCdJOyapn.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\crgRY.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.json (201 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\qPTGfRyil.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hoZYFYZ.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.txt (7071 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YFOGK.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sa1xVPfv.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BDKsMla.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TXC1O.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SqWy6yhK.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\zdGc81.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\uieao.crt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rAQBc8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.txt (4 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YGxlSXPtL.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rpMCARCr.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\crgRY.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BPh71Ye.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\B6kzM.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QF69AzB.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MeAjSWf.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\EDNhm3so.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hVOfo.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\F6cI6NX8.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ax3CF.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YdD3ojxS.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\Tiizs2t.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\xRrJBdT.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\k8R6BEuZM.reg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DCdJOyapn.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BDKsMla.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\qPTGfRyil.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hoZYFYZ.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YFOGK.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sa1xVPfv.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TXC1O.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SqWy6yhK.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\zdGc81.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\uieao.crt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rAQBc8.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.pfx (0 bytes)
The process %original file name%.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\run.exe (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (11367 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\data.aac (2584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.exe (22079 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\run.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\data.aac (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP (0 bytes)
The process 2dREb.exe:1788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\4d6629d6a7d5185ca5557446b928cfd8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (87 bytes)
Registry activity
The process certutil.exe:4032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\620AD32A386853E5BC0F76E7EFA86444DB4E0129]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 62 0A D3 2A"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"620AD32A386853E5BC0F76E7EFA86444DB4E0129"
The process regedit.exe:2440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList]
"1" = "ocinjdjondmhheihhgkbmjkofmomnppd;https://clients2.google.com/service/update2/crx"
[HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist]
"1" = "ocinjdjondmhheihhgkbmjkofmomnppd"
[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.ww.fm]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ww.fm\ww.json"
The process %original file name%.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
The process 2dREb.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\D4A090F7C4B9D22E9BFD1D2E991CF938A79458E4]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 D4 A0 90 F7"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates]
"D4A090F7C4B9D22E9BFD1D2E991CF938A79458E4"
Dropped PE files
MD5 | File path |
---|---|
aeea9d090117d63ad4d63bcc2c3e0b9c | c:\Users\"%CurrentUserName%"\AppData\Roaming\ww.fm\ww.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses.
The modified file is 905 bytes in size. The following entries are added to the hosts file:
IP address | Host name |
---|---|
127.0.0.1 | validation.sls.microsoft.com |
104.251.211.173 | clients2.google.com |
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 395112 | 395264 | 4.27911 | a6c2468f93e842977516713e5e425bc1 |
.data | 401408 | 781528 | 781824 | 5.49938 | 4d445410d89dac7c593620f360c2b9fd |
.rdata | 1183744 | 28244 | 28672 | 3.65379 | 80634d867605a2907f81f847aeccbd7d |
.bss | 1212416 | 4032 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 1216512 | 3484 | 3584 | 3.58438 | 8e02033c4d20513d0c76724f1f68ca40 |
.CRT | 1220608 | 56 | 512 | 0.214916 | 427ec82f7ba2a0ca130a2ec1726de1c1 |
.tls | 1224704 | 32 | 512 | 0.14174 | ea73d3c1cbad9a6edddafe8f49ab6aea |
/4 | 1228800 | 1624 | 2048 | 1.46278 | 8455cd91c5e3d5aad163f1157e990bca |
/19 | 1232896 | 113776 | 114176 | 4.16601 | 02f571aea755b7fbadf593eef567ac67 |
/31 | 1347584 | 18860 | 18944 | 3.23582 | 9d8c5ebab661e7d45985b298671c0633 |
/45 | 1368064 | 23962 | 24064 | 4.32069 | 09107181a94c4bf0a7a26871e98b010e |
/57 | 1392640 | 9052 | 9216 | 3.36277 | 1353c23c051d63f8441fa54c1966dd5b |
/70 | 1404928 | 1030 | 1536 | 2.68856 | 38cd20125837406013fd94c762a8a424 |
/81 | 1409024 | 72949 | 73216 | 3.08514 | 344bb1d013abac79d8c2b9019ab370fe |
/92 | 1482752 | 3584 | 3584 | 2.24731 | 4259d254b831e5f0558081d2160bdfb4 |
.rsrc | 1486848 | 1620 | 2048 | 3.68357 | c9470da8bb6f0a102d67af62a51410c1 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://185.148.147.134/trk/e0 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
certutil.exe:3736
certutil.exe:4032
certutil.exe:2256
run.exe:3576
dist.exe:2736
regedit.exe:2440
%original file name%.exe:1780
2dREb.exe:1788
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.pfx (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.exe (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (647 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YGxlSXPtL.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rpMCARCr.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rr.vbe (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BPh71Ye.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\B6kzM.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QF69AzB.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MeAjSWf.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\EDNhm3so.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.bat (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hVOfo.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\F6cI6NX8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ax3CF.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YdD3ojxS.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\Tiizs2t.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\xRrJBdT.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\k8R6BEuZM.reg (633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DCdJOyapn.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\crgRY.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.json (201 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\qPTGfRyil.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hoZYFYZ.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.txt (7071 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YFOGK.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sa1xVPfv.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BDKsMla.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TXC1O.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SqWy6yhK.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\zdGc81.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\uieao.crt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rAQBc8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\run.exe (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\data.aac (2584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.exe (22079 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\4d6629d6a7d5185ca5557446b928cfd8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (87 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.