Trojan.Win32.Bicololo.biov_c7a587c9d7


by malwarelabrobot on June 24th, 2018 in Malware Descriptions.

Trojan.Win32.Bicololo.biov (Kaspersky), Trojan.DownLoader26.49573 (DrWeb), Gen:Variant.Ursu.236140 (B) (Emsisoft), GenericRXFV-KC!C7A587C9D72E (McAfee), ML.Attribute.HighConfidence (Symantec), Win32.Outbreak (Ikarus), Gen:Variant.Ursu.236140 (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast)
Behaviour: Trojan, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: c7a587c9d72e8b2e2687a08571254561
SHA1: b056382e9dcbbe8318133cae0ed6d0f3c8aa8bc4
SHA256: f0aad8cf43f2caadfab3a681b77e49fe9a3683173a2265974adf45e96b53be2b
SSDeep: 24576:s42BcPbsre9DY5BEhYA QDckcIKfDrkPJhwVtOgMBoxeNV6jqaNqGMuVsj8h:hYreSBEDckcIKrrk7wteQqa8GMM5
Size: 1461248 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2018-06-19 22:11:10
Analyzed on: Windows 7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

certutil.exe:3940
certutil.exe:1272
certutil.exe:772
run.exe:2088
%original file name%.exe:2996
dist.exe:1576
regedit.exe:2440
2dREb.exe:3696

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process certutil.exe:3940 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Windows\cer2A0F.tmp (0 bytes)

The process certutil.exe:1272 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.exe (36 bytes)

The Trojan deletes the following file(s):

C:\Windows\cer2AAB.tmp (0 bytes)

The process certutil.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.pfx (2 bytes)

The Trojan deletes the following file(s):

C:\Windows\cer2A5D.tmp (0 bytes)

The process run.exe:2088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (647 bytes)

The process %original file name%.exe:2996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\run.exe (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (11367 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\data.aac (2584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.exe (22079 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\run.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\data.aac (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP (0 bytes)

The process dist.exe:1576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YGxlSXPtL.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rpMCARCr.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rr.vbe (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BPh71Ye.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\B6kzM.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QF69AzB.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MeAjSWf.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\EDNhm3so.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.bat (62 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hVOfo.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\F6cI6NX8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ax3CF.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YdD3ojxS.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\Tiizs2t.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\xRrJBdT.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\k8R6BEuZM.reg (633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DCdJOyapn.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\crgRY.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.json (201 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\qPTGfRyil.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hoZYFYZ.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.txt (7071 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YFOGK.vbs (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sa1xVPfv.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BDKsMla.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TXC1O.vbs (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SqWy6yhK.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\zdGc81.vbs (146 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\uieao.crt (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rAQBc8.vbs (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.txt (4 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YGxlSXPtL.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rpMCARCr.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\crgRY.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BPh71Ye.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\B6kzM.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QF69AzB.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MeAjSWf.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\EDNhm3so.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hVOfo.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\F6cI6NX8.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ax3CF.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YdD3ojxS.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\Tiizs2t.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\xRrJBdT.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\k8R6BEuZM.reg (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DCdJOyapn.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BDKsMla.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\qPTGfRyil.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hoZYFYZ.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YFOGK.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sa1xVPfv.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TXC1O.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SqWy6yhK.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\zdGc81.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\uieao.crt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rAQBc8.vbs (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.pfx (0 bytes)

The process 2dREb.exe:3696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\4d6629d6a7d5185ca5557446b928cfd8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (87 bytes)

Registry activity

The process certutil.exe:3940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\66\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\620AD32A386853E5BC0F76E7EFA86444DB4E0129]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 62 0A D3 2A"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"620AD32A386853E5BC0F76E7EFA86444DB4E0129"

The process %original file name%.exe:2996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

The process regedit.exe:2440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList]
"1" = "ocinjdjondmhheihhgkbmjkofmomnppd;https://clients2.google.com/service/update2/crx"

[HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallWhitelist]
"1" = "ocinjdjondmhheihhgkbmjkofmomnppd"

[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.ww.fm]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Roaming\ww.fm\ww.json"

The process 2dREb.exe:3696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates\D4A090F7C4B9D22E9BFD1D2E991CF938A79458E4]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 D4 A0 90 F7"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates]
"D4A090F7C4B9D22E9BFD1D2E991CF938A79458E4"

Dropped PE files

MD5 File path
aeea9d090117d63ad4d63bcc2c3e0b9c c:\Users\"%CurrentUserName%"\AppData\Roaming\ww.fm\ww.exe

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before any DNS lookup takes place.
The modified file is 905 bytes in size. The following entries are added to the hosts file:

127.0.0.1 validation.sls.microsoft.com
104.251.211.173 clients2.google.com


Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 395112 395264 4.27782 6b2a807974bd0bd0361ac64e46bded34
.data 401408 782552 782848 5.49942 a19f9e2066e483c2b015c2f1bddadfac
.rdata 1187840 28244 28672 3.64974 42e6048d3e452d4ba65af2534bd9712a
.bss 1216512 4032 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 1220608 3484 3584 3.58061 71c0ffac1d23d7ea07d1356e01a57adf
.CRT 1224704 56 512 0.214916 427ec82f7ba2a0ca130a2ec1726de1c1
.tls 1228800 32 512 0.14174 28b9a9738b6616644361d64311fe6915
/4 1232896 1624 2048 1.46278 8455cd91c5e3d5aad163f1157e990bca
/19 1236992 113776 114176 4.16486 4f38b9266d705001ab9263dfe3d74633
/31 1351680 18860 18944 3.23582 9d8c5ebab661e7d45985b298671c0633
/45 1372160 23962 24064 4.32069 09107181a94c4bf0a7a26871e98b010e
/57 1396736 9052 9216 3.36277 1353c23c051d63f8441fa54c1966dd5b
/70 1409024 1030 1536 2.68856 38cd20125837406013fd94c762a8a424
/81 1413120 72949 73216 3.08512 484c4c46f23904d37f91da24fc4ff1a2
/92 1486848 3584 3584 2.24731 4259d254b831e5f0558081d2160bdfb4
.rsrc 1490944 1620 2048 3.68357 ba2d6443307d0db00561a5e230361f91

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
51d550b27296f95cd3d97486f114544f

URLs

URL IP
hxxp://185.148.147.134/trk/e0


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    certutil.exe:3940
    certutil.exe:1272
    certutil.exe:772
    run.exe:2088
    %original file name%.exe:2996
    dist.exe:1576
    regedit.exe:2440
    2dREb.exe:3696

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.exe (36 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.pfx (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\dist.exe (647 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\run.exe (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\data.aac (2584 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.exe (22079 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YGxlSXPtL.vbs (146 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rpMCARCr.vbs (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rr.vbe (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BPh71Ye.vbs (146 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\B6kzM.vbs (146 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\QF69AzB.vbs (505 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\MeAjSWf.vbs (126 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\EDNhm3so.vbs (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.bat (62 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hVOfo.vbs (505 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\F6cI6NX8.vbs (505 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ax3CF.vbs (126 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YdD3ojxS.vbs (126 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\Tiizs2t.vbs (146 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\xRrJBdT.vbs (146 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\k8R6BEuZM.reg (633 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\DCdJOyapn.vbs (126 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\crgRY.vbs (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\ww.json (201 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\qPTGfRyil.vbs (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\hoZYFYZ.vbs (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\2dREb.txt (7071 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\YFOGK.vbs (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\sa1xVPfv.vbs (126 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\BDKsMla.vbs (505 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\TXC1O.vbs (126 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\SqWy6yhK.vbs (505 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\zdGc81.vbs (146 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\uieao.crt (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\rAQBc8.vbs (505 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\iIgxIX4.txt (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-732923889-1296844034-1208581001-1000\4d6629d6a7d5185ca5557446b928cfd8_88dcd395-b062-45b3-a6cd-79f37c0eba08 (87 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IXP000.TMP\"

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
