MD5: ca9c1271ef481e67db63af9a07d4a378
SHA1: 4a998bcee5ec188493f298448804849a196fe941
SHA256: 8592a3c5bf845ec567d72144290c4bc9fb054ca2794914cc0d08a745485abf17
SSDeep: 98304:j7A3gwMiN1t 6dXTPaGpCvr5PTrnzVuV7CukT51lH934p:jJibt UPah5brz6ChlHl4p
Size: 3728296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: ????????????
Created at: 2012-02-24 21:19:59
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

mytime.exe:3148
%original file name%.exe:1976

The Trojan injects its code into the following process(es):

mytime.exe:3584

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process mytime.exe:3148 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\install[1].aspx (0 bytes)

The process mytime.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Ruanmei\PCMaster\config\mytime\countdown.xml (158 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1].htm (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\101010100[1].htm (14574 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\191B.tmp (196 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\weathericon\default.icn (125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\mytime[1].xml (3 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\mytimeset.cfg (11405 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\2017.xml (53 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\remind.xml (152 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\sound\remind.wav (21 bytes)
%Program Files%\Ruanmei\PCMaster\config\mytime\weatherlist.xml (152 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\MagicTray\Config\remind.xml (152 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\mytime.dll (108 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\postdata[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\mytime[1].xml (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\101010100[1].htm (0 bytes)
%Program Files%\Ruanmei\PCMaster\mytime.txt (0 bytes)

The process %original file name%.exe:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Ruanmei\PCMaster\plugins\remind.dll (12024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\软媒时间.lnk (1950 bytes)
%Program Files%\Ruanmei\PCMaster\rmup.exe (6584 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\remind.dll (12024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp\nsDialogs.dll (21 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\软媒软件\软媒魔方\卸载软媒时间.lnk (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\软媒时间.lnk (975 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp\MPlugin_NSIS.dll (5199 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\notepad.dll (9608 bytes)
C:\Users\Public\Desktop\软媒时间.lnk (1 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\notepad.dll (9608 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\net.dll (10136 bytes)
%Program Files%\Ruanmei\PCMaster\uninstall_mytime.exe (6249 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp\System.dll (23 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\mytimeweb.exe (12024 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\mytimeweb.exe (12024 bytes)
%Program Files%\Ruanmei\PCMaster\pcmasterdata.dll (11048 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\net.dll (10136 bytes)
%Program Files%\Ruanmei\PCMaster\mytime.exe (132503 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D1.tmp (166781 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\leisure.dll (12088 bytes)
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\软媒软件\软媒魔方\软媒时间.lnk (1 bytes)
%Program Files%\Ruanmei\PCMaster\plugins\leisure.dll (12088 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssF3C0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp\nsDialogs.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\软媒时间.lnk (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp\MPlugin_NSIS.dll (0 bytes)

Registry activity

The process mytime.exe:3148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

"UNCAsIntranet" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process mytime.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASMANCS]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\RuanMei\MyTime]
"insupmytime" = "1"
"PluginsPath" = "%Program Files%\Ruanmei\PCMaster\plugins"

"ImportMagictray" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\RuanMei\MyTime]
"ConfigPathNew" = "%Program Files%\Ruanmei\PCMaster\config\mytime"

[HKCU\Software\RuanMei\PCMaster]
"AppStart" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\mytime_RASAPI32]
"EnableConsoleTracing" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"mytime" = "%Program Files%\Ruanmei\PCMaster\mytime.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

"AutoConfigURL"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"MagicTray"

The process %original file name%.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\RuanMei\MyTime]
"Install_File" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2]
"FavoritesVersion" = "2"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCMaster_mytime]
"URLInfoAbout" = "http://sj.ruanmei.com"

[HKCU\Software\RuanMei\MyTime]
"ins_upmytime" = "1"

[HKCU\Software\RuanMei\Component]
"InstFile_mytime" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2]
"FavoritesResolve" = "72 03 00 00 4C 00 00 00 01 14 02 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCMaster_mytime]
"UninstallString" = "%Program Files%\Ruanmei\PCMaster\uninstall_mytime.exe"
"DisplayName" = "软媒时间"
"InstallLocation" = "%Program Files%\Ruanmei\PCMaster"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2]
"Favorites" = "00 58 01 00 00 14 00 1F 80 C8 27 34 1F 10 5C 10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCMaster_mytime]
"DisplayVersion" = "3.0.6.0"
"Publisher" = "软媒网络科技有限公司"
"DisplayIcon" = "%Program Files%\Ruanmei\PCMaster\mytime.exe,0"

[HKLM\SOFTWARE\RuanMei\Component]
"InstDir_mytime" = "%Program Files%\Ruanmei\PCMaster"

[HKCU\Software\RuanMei\MyTime]
"Install_Dir" = "%Program Files%\Ruanmei\PCMaster"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage2]
"FavoritesChanges" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????????????
Product Name: ????
Product Version: 3.0.6.0
Legal Copyright: Copyright (C) RuanMei. All rights reserved.
Legal Trademarks:
Original Filename: mytimesetup.exe
Internal Name:
File Version:
File Description: ????????
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://ip.6655.com/ip.aspx?area=1	180.76.158.184
hxxp://union.ruanmei.com/receive/install.aspx?uid=1BD8500A51CAACFCBF387CB7CEAC952831EBAD62A678586372E1882E19FF6D816A02CAB62D26D584499930AA3D4C0F20FB48DEC5449FA8AE7D9A4A5BF065EBE3D59D25A9912EC4FF0B639B09D1A1925E5DA77103943BCC9E3B0C33D9A09617AD3E25AD964725BE56AC6950B51634D63F5216A01BC335EC9C57D852B1170269793C076FA21133106AA0E5F69A225DAFE8A55F4713B3373EF4F8A88A0CB741B6F31CC487C83252B9A26C379DA58907CE210775C9C6A9600F75990073A2396AF16B15C1B375BD9F895F5A5CAB24D10F016DDEA397A14D75374C554F7C58AB0A3D1438DEDE07F035CE8CD7284643E9235458FD2DC0EF05E583C8E15554BA74A9D0FC6E5B4578C660C5020E761922E39F0D7698A282F4DBF0B537365A4366C70FACD524146D62AA26EF096DD158641D2C998549B0332C8E96CF773C980A5FB46B44C28B2D48C7AC23D0E64C3FF11B426ABC8FA081BE981E77C7236AB52067694592D66C2DDC22046E2E7A4EFAB13EAE9E785C329AFAE4E025CF58C68A497D5FDEDAA79A8E270FE38F49AE&a=&r=6132&t=0&t1=0&t2=0	180.76.187.11
hxxp://pc-b.bitgravity.com/pcmaster/mytime.xml?r=1313575
hxxp://ip.6655.com/api/xzs/aqi/citys/.json?t=1317038	180.76.158.184
hxxp://1st.xdwscache.ourwebpic.com/data/sk/101010100.html?_=1318005?t=13180051318005
hxxp://1st.xdwscache.ourwebpic.com/weather/101010100.shtml?_=1318926
hxxp://dat.ruanmei.com/pcmaster/mytime.xml?r=1313575	64.185.181.238
hxxp://www.weather.com.cn/data/sk/101010100.html?_=1318005?t=13180051318005	87.245.198.83
hxxp://www.weather.com.cn/weather/101010100.shtml?_=1318926	87.245.198.83
hxxp://api.ruanmei.com/api/xzs/aqi/citys/.json?t=1317038	180.76.158.184
search.weather.com.cn	61.4.185.16

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /receive/install.aspx?uid=1BD8500A51CAACFCBF387CB7CEAC952831EBAD62A678586372E1882E19FF6D816A02CAB62D26D584499930AA3D4C0F20FB48DEC5449FA8AE7D9A4A5BF065EBE3D59D25A9912EC4FF0B639B09D1A1925E5DA77103943BCC9E3B0C33D9A09617AD3E25AD964725BE56AC6950B51634D63F5216A01BC335EC9C57D852B1170269793C076FA21133106AA0E5F69A225DAFE8A55F4713B3373EF4F8A88A0CB741B6F31CC487C83252B9A26C379DA58907CE210775C9C6A9600F75990073A2396AF16B15C1B375BD9F895F5A5CAB24D10F016DDEA397A14D75374C554F7C58AB0A3D1438DEDE07F035CE8CD7284643E9235458FD2DC0EF05E583C8E15554BA74A9D0FC6E5B4578C660C5020E761922E39F0D7698A282F4DBF0B537365A4366C70FACD524146D62AA26EF096DD158641D2C998549B0332C8E96CF773C980A5FB46B44C28B2D48C7AC23D0E64C3FF11B426ABC8FA081BE981E77C7236AB52067694592D66C2DDC22046E2E7A4EFAB13EAE9E785C329AFAE4E025CF58C68A497D5FDEDAA79A8E270FE38F49AE&a=&r=6132&t=0&t1=0&t2=0 HTTP/1.1

Host: union.ruanmei.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Length: 0

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Thu, 12 Jan 2017 23:40:40 GMT

GET /data/sk/101010100.html?_=1318005?t=13180051318005 HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: VVV.weather.com.cn

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 12 Jan 2017 23:40:43 GMT

Server: nginx

Content-Type: text/html

Transfer-Encoding: chunked

X-Via: 1.1 zhdx182:6 (Cdn Cache Server V2.0), 1.1 db78:8 (Cdn Cache Server V2.0)

Connection: keep-alive
da..{"weatherinfo":{"city":"......","cityid":"101010100","temp":"18","
WD":".........","WS":"1...","SD":"17%","WSE":"1","time":"17:05","isRad
ar":"1","Radar":"JC_RADAR_AZ9010_JB","njd":"............","qy":"1011",
"rain":"0"}}..0......


GET /weather/101010100.shtml?_=1318926 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.weather.com.cn

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 12 Jan 2017 23:40:43 GMT

Server: nginx

Content-Type: text/html

Transfer-Encoding: chunked

Content-Encoding: gzip

X-Via: 1.1 fuzhou187:1 (Cdn Cache Server V2.0), 1.1 db78:8 (Cdn Cache Server V2.0)

Connection: keep-alive
a........xX....5fb...W[o.D.~G.?.......l.....x....P.f..z..j..I,K...UEiD
.B[T.4\.MZ.m.@.c..l......z.......>g..;..9.;......;..{.".}...f.'..{.
........... .....E...E..V.X!.....{.....s..@.`.".."b.3... .QF.#...N{.A.
...|$.]Hm..ERep.".'s..a.&6:..rep.z....{?.....l....k.........=2.....[{.
#}.ez..J....2..iLUo1...p..lU..^9.@...n..eK...B...y....#,.M.A.......b!S
Q..._.T.......0...R.rj.j.Vd.~.-...(.......-..?/..i1....8..5X...|...?..
Em..........;..6...=M.z,6.8.,.1B..qJ..2.. .,..OW.O.I....n....k.Wo.....
/.......V7.O..b........^.....qD.'C..d.t..?P&...Y. k..w..........g.....
..X.l7d.....p.Q...A..E.ng....)=.....lW]....5..........p.Y)......../...
&z. .f....~..r C.#W..8.V..[..~z9...........l9.C........^.mF. ...($...|
.....*.B..lU.0.j~gv<c.=..G.`.-........w.............,.....VX.....n.
E.!.....4.....u....&^DFy..B.xSu...@<... ....^....0..Uk....v.K.^K(./
&...>./..C..^.......Re.Z.. g.s&r.w..q.ND.E...@4..2...N(.6......6\R.
7.a.X@.5...Z..%...9.$.c..D..........@......2..-.I.jy.(.3-B3S.S... 'f..
)....b..i{.=..D.ac.UGW.x\....U.(.......X..l..d.!...)..gc..0..''..1.4`O
.M$xR..Z._.Fa...D.Qi...bz.m.....'.:.A.x.-.v...z..v.S.E.75...3..Y*.a.X"
.... rT......X..S.......1rVx.E.....5J.u...,.:=6-..H.[...Z..<.....}.
.cm......V8(....jIVj...j1..t.c..0@.w.E.di$1bF.O..=...,......0.P....!..
..n............@...)Z....-...K.j..9.*.% z....=}>QB./..1...b.DCL.&..
................Y$.b_.bB..t......m...p..1.WYE.B1....;{"]..1.s.0..@.i..
..........=..........]Z.Z.Ue.S=G......A1.A....Q/..1&K..$..h.4K.(...B..
...e.w<.yr.....8u......TO.u.V"lz..<S...:..8..&Q..t..0....'..
<<< skipped >>>

GET /api/xzs/aqi/citys/.json?t=1317038 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: api.ruanmei.com

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

Date: Thu, 12 Jan 2017 23:40:41 GMT

Content-Length: 1163
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=gb2312"/>..<title>404 - ..
................</title>..<style type="text/css">..<!--
..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, 
sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} .
.h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0
;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;
} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family
:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#55
5555;}..#content{margin:0 0 0 2%;position:relative;}...content-contain
er{background:#FFF;width:96%;margin-top:8px;padding:10px;position:rela
tive;}..-->..</style>..</head>..<body>..<div i
d="header"><h1>..........</h1></div>..<div id=
"content">.. <div class="content-container"><fieldset>.
.  <h2>404 - ..................</h2>..  <h3>........
..............................................</h3>.. </field
set></div>..</div>..</body>..</html>..HTTP/
1.1 404 Not Found..Content-Type: text/html..Server: Microsoft-IIS/8.5.
.X-Powered-By: ASP.NET..Date: Thu, 12 Jan 2017 23:40:41 GMT..Content-L
ength: 1163..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Stric
<<< skipped >>>

GET /ip.aspx?area=1 HTTP/1.1

Host: ip.6655.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Cache-Control: private

Content-Type: text/html; charset=utf-8

Server: Microsoft-IIS/8.5

X-AspNet-Version: 4.0.30319

X-Powered-By: ASP.NET

Date: Thu, 12 Jan 2017 23:40:40 GMT

Content-Length: 25
194.242.96.218|......... HTTP/1.1 200 OK..Cache-Control: private..Cont
ent-Type: text/html; charset=utf-8..Server: Microsoft-IIS/8.5..X-AspNe
t-Version: 4.0.30319..X-Powered-By: ASP.NET..Date: Thu, 12 Jan 2017 23
:40:40 GMT..Content-Length: 25..194.242.96.218|......... ..

GET /pcmaster/mytime.xml?r=1313575 HTTP/1.1

Host: dat.ruanmei.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/xml

Content-MD5: 1Gn/AF1oDhg8k145sDZ5gw==

ETag: "d469ff005d680e183c935e39b0367983"

Expires: Sun, 15 Jan 2017 20:40:49 GMT

Last-Modified: Tue, 06 Dec 2016 03:17:48 GMT

x-bce-debug-id: MTAuMTgxLjY0LjE4OkZyaSwgMTMgSmFuIDIwMTcgMDQ6NDA6NDkgQ1NUOjI0NDkzODkyOTI=

x-bce-request-id: 12983e5b-b92f-400b-a13a-b0be19ad136d

x-bce-storage-class: STANDARD

Content-Length: 3720

Accept-Ranges: bytes

Date: Thu, 12 Jan 2017 23:40:41 GMT

Age: 10792

Connection: keep-alive

Server: v/3.3.2/3.2.2/v13fra1-www

X-Version: 1.0
....A.nr3$..L:.......#.?...#.U.B...Ve...B.....Ru&q|...@ .IK.K.I.H.....
dY......Vo&.A.......5{.z&N..."....r6w"!!?.T%.5).._6x:..d<.....t"...
.|\Q..y.t%>wq..Q...\~...5.......[.|;.D*....fl..]:%..}U...........C.
.A!\..........5.Y.2.~S...X........P.r........8.....0wh......*..`......
.....F..G.|...UG..O..&...U>h..vf.. -A.......B..*.i.4l...P -.~.0....
...FG.].DS.Q......\d.i}.......).7..gA..|.l....!.../...d/i...BJ.....%.*
../....B.6....r.W...9..hf........T..m....e..........I.K.h.\...^.Uq..z.
s8.u4..v.............QZ...H.$..O$......`..6...n.?3....^O.l..S..{.1.k0.
.,r...|..i.......)....)..fD?{V.....H....}.V....I.....r.a..#.ak=JDQ1G..
R......VHM:JY7..e...g.....2e.d.:n..R.y8F...n.c...O\....{....H.6.......
...N.......}.......e.r|o....d.&....S.F. J.\9..V..Z\.YQqL.<..i.v66z.
kT.,.....n~a..5d-m"4.....UT.0..D."&..&.3=.3]m..o. ...HF..I-...!h.?...l
......9"Kp..Sd.W. ..x.l .p....#.g{........<.............Z^VI.W.;l..
.Dly.8-...B... ..2....9.<...Zm..z.no.H...!J.%...1..'..%..#e.n..I...
b....;wG_.).r...jv.....-....A.e3B.b..].Rv.......m:....~pn..{.Ju.Ku..D.
..x.^>.j".*....D5......;.........Rh........ ...bE..w...n..d.<.'.
;4x.(..............k..mvv..).V...."..WZwhj..........w...Q$..Y........k
@.6v.z.5.0..X..s...9..Fa4./p.....[lz........). .i.d.m.k............4.d
.......pO....Be.K(.#kvP...PZ..m:....'...o...C._U0.'..7~>.....j..bU.
.A2f...P.......'.......C.X...[<R..]..;...R....K;.Z..hJ9sP.?)..aH...
....j.-...K.P.LCFYi..b...@..Cu.i="w..W..B.!...........LCFYi..bH.Iq....
....X.H.Z.....[3....C.@.?@.......j.<.F..Y.n........C......M(#..
<<< skipped >>>

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

SSSSh

SSSh`

SSSh$

RSShx

SSSh0I8

SSSh\N8

xSSSh

FTPjKS

FtPj;S

C.PjRV

<4,$?7/'

(3-!0,1'8"5.*2$

&#xX;

</%s>

%s="%s"

%s='%s'

<!--%s-->

<![CDATA[%s]]>

version="%s"

encoding="%s"

standalone="%s"

\ruanmei\pcmaster\svc\named_pipe

 %u.u

-%u.u

-NHS}Y

MSXML2.XMLHTTP

USER32.dll

Visual C   CRT: Not enough memory to complete call to strerror.

portuguese-brazilian

Broken pipe

Inappropriate I/O control operation

Operation not permitted

operator

GetProcessWindowStation

`'\%D,3

dwmapi.dll

UxTheme.dll

inflate 1.2.5 Copyright 1995-2010 Mark Adler

deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler

1.2.5

zip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

D:\TFS_New2013\MagicTray2013\MagicTray\Bin\Release\mytime.pdb

SetWindowsHookExW

EnumChildWindows

GetKeyState

WaitNamedPipeW

KERNEL32.dll

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegFlushKey

RegCreateKeyExW

RegEnumKeyExW

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

gdiplus.dll

VERSION.dll

URLDownloadToFileW

urlmon.dll

InternetOpenUrlW

HttpEndRequestW

HttpSendRequestExW

HttpOpenRequestW

HttpQueryInfoW

WININET.dll

IPHLPAPI.DLL

WINMM.dll

dbghelp.dll

WS2_32.dll

GetProcessHeap

GetCPInfo

COMCTL32.dll

GdiplusShutdown

GdipSetImageAttributesColorKeys

IMM32.dll

.?AVCHttpFile@@

.?AVCUIWebBrowser@meiui@@

.?AVCActiveXEnum@meiui@@

zcÁ

\rm_pcmaster.config##p

%Program Files%\Ruanmei\PCMaster\mytime.exe

j%uP/

T.WH\

r%S[Y

G#.kt

m%XbA

%2xF4T-

ru.pC

-\%DOmk7|

.Gpu'!

,%ukZ<

"=.Dx

D}/d%X

.FF [

.UW<[

(Y.Uh

.DfkS

i.si.

c.oQ0

dwmapi.xTh"

.win;@

td.pdb

.if$$

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

KERNEL32.DLL

countdown.dll

hXXp://VVV.usertrust.com1

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

hXXp://ocsp.usertrust.com0

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

jOôA

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

<VeriSign Class 3 Public Primary Certification Authority - G50

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

_ry.WM

M.tgE#

H.ht.

(!%Uj

l.jE/=0

;1B%sP

4]F%d

={E%Sb

%2%Sr

a/.Xp

ru.pCK

-\=wGo

.Gpu'

@2.SX

t%SZ"

XQ-5r}

@.SNO

@.ZXK

'.Wjl

.ZNu<]

(tv%f

FTp85X-

Kso%u

USER32.dll

X10`.KI

i.UNrqIn

?dwmapi.xThf

flf 1.2.5

H.hKd

Key^;1

L9.Rjb

WebBr

.QUH"

em.hover"

!.fSH

[urRjc'&%Xh(T

.rc[R?t

P#=.Ck|QU

?%D*S

remind.dll

.pdata

@.rsrc

8%u&H

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

FRegDeleteKeyExW

RegDeleteKeyW

RegQueryInfoKeyW

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="amd64" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

hXXp://sf.symcb.com/sf.crl0f

hXXps://d.symcb.com/cps0%

hXXps://d.symcb.com/rpa0

hXXp://sf.symcd.com0&

hXXp://sf.symcb.com/sf.crt0

r%f;A

D:\TFS_New2013\MagicTray2013\MagicTray\Bin\Release\mytime_x64.pdb

.WVQ_i

!.yag

9B.PT.

i.o%u

'}-6tT6}=

32.dllcT;

!"#$%&'()* ,-./

1.2.5

995-2010 _#

.com/z

mg.TBm".

#v`.rA

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>

0.png

1.png

10.png

11.png

`.Acc#]oG/

.UpYz

12.png

13.png

14.png

15.png

16.png

17.png

18.png

19.png

2.png

20.png

21.png

.jkkM

22.png

23.png

24.png

25.png

26.png

27.png

28.png

29.png

3.png

30.png

@9%u{

31.png

4.png

5.png

53.png

6.png

7.png}VgPSY

8.png

9.png

7.png

images/calendar/calendarfootball.png

images/calendar/calendartip_bg.png

images/calendar/datebg1.png

images/calendar/datebg2.png

images/calendar/day.png

images/calendar/hover.png

images/calendar/NationalHolidays.png

images/calendar/NationalHolidays_DayOff.png

images/calendar/NationalHolidays_piao.png

-wfV}

images/calendar/NationalHolidays_qiu.png

images/calendar/next_mon.png

images/calendar/pre_mon.png

images/calendar/sel.png

images/calendar/split.png

images/calendar/today.png

images/calendar/weekbg_blue.png

images/calendar/weekbg_red.png

images/common/button.png

images/common/combo.png

images/common/combo2.png

images/common/combo3.png

images/common/comboitembg.png

images/common/common_edit.png

images/common/down_process_bg.png

images/common/down_process_for.png

images/common/dropbox_bg.png

images/common/item.hover.png

images/common/item.normal.png

images/common/item.pushed.png

images/common/menuitembg.png

images/common/menu_bg.pngm

.YrYBY

images/common/scrollbar.png

images/common/setlabelbg.png

images/common/vscrollbar.png

images/common/vscrollbar1.png

images/dynamicweather/cloudy.jpg

.ZB@i

_/.if

b.VYI'r

\.LE!

;rR-.BG

Z.XWS

wk.LO

.LwhdV

images/dynamicweather/dust.jpg

 .PU)

j0G%U

images/dynamicweather/fog.jpg

images/dynamicweather/rain_big.jpg

images/dynamicweather/rain_mid.jpg

t^Yõ

images/dynamicweather/rain_small.jpg

images/dynamicweather/snow.jpg

.FH-}

9m.iS

.mR-k

.Lv_I

images/dynamicweather/suncloud.jpg

3Y.KS

%C'dga

ZnH.HP

5 R6.Dk

-o}SS3

images/dynamicweather/sunshine.jpg

V.JJQUT76

!N.hm"jY

images/flowwindow/flowwindow_dateicon.png

images/flowwindow/flowwindow_itembg.png

images/flowwindow/flowwindow_itembtn.pngm

images/flowwindow/flowwindow_timeicon.png

images/flowwindow/flowwindow_timeicon_hour.png

images/flowwindow/flowwindow_timeicon_minute.png

images/flowwindow/flowwindow_weathericon.png

images/flowwindow/flowwindow_weathericon0.png

images/flowwindow/flowwindow_weathericon1.png

images/flowwindow/flowwindow_weathericon10.png

.IDATx^

images/flowwindow/flowwindow_weathericon2.png

images/flowwindow/flowwindow_weathericon3.png

images/flowwindow/flowwindow_weathericon4.png

images/flowwindow/flowwindow_weathericon5.png

images/flowwindow/flowwindow_weathericon6.png

images/flowwindow/flowwindow_weathericon7.png

images/flowwindow/flowwindow_weathericon8.png

images/flowwindow/flowwindow_weathericon9.png

images/flowwindow/lock.png

images/flowwindow/num_big_0.png

images/flowwindow/num_big_1.png

images/flowwindow/num_big_2.png

images/flowwindow/num_big_3.png

images/flowwindow/num_big_4.png

images/flowwindow/num_big_5.png

images/flowwindow/num_big_6.png

images/flowwindow/num_big_7.png

images/flowwindow/num_big_8.png

images/flowwindow/num_big_9.png

H#Y{.dR

images/flowwindow/num_big_below.png

images/flowwindow/num_big_celsius.png

images/flowwindow/num_big_point.png

images/flowwindow/num_big_point2.png

images/flowwindow/num_small_0.png

images/flowwindow/num_small_1.png

images/flowwindow/num_small_2.png

images/flowwindow/num_small_3.png

images/flowwindow/num_small_4.png

images/flowwindow/num_small_5.png

images/flowwindow/num_small_6.png

images/flowwindow/num_small_7.png

images/flowwindow/num_small_8.png

images/flowwindow/num_small_9.png

images/flowwindow/set.png

images/flowwindow/weatherremind_blue.png

images/flowwindow/weatherremind_orange.png

images/flowwindow/weatherremind_red.png

images/flowwindow/weatherremind_yellow.png

images/main/aero.png

images/main/aero_left.png

images/main/aero_right.png

images/main/chkbox.png

images/main/close.png

images/main/install_bottom.png

v9r%s

?%dU=

images/main/install_left.png

f7U.xPu

)G%Xu

images/main/install_right.png

.EpOZ

images/main/install_top.png

UdPiid

x%Ft44

.pqsc

.X6%S

images/main/max.png

images/main/menu.png

images/main/min.png

images/main/mytime.png

images/main/radio.png

images/main/remindbg.png

images/main/restore.png

images/main/skin.png

images/main/switch.png

*!X%Xi

images/main/upgradebg.png

.Ìh

images/plugins/alarmclock.png

images/plugins/leisure.png

6-e$_.ko

images/plugins/net.png

.mg u}

images/plugins/notepad.png

images/plugins/plugins_bg.png

images/plugins/tipbg.png

images/plugins/treasure.png

images/plugins/unused.png

images/timemanage/addicn.png

images/timemanage/countdownremind.png

>.xJr;i

images/timemanage/countdown_add.png

images/timemanage/countdown_bg0.png

images/timemanage/countdown_bg1.png

images/timemanage/countdown_cancle.png

images/timemanage/itemdel.png

images/timemanage/stopwatch_bg.png

SFTp

images/timemanage/stopwatch_btn.png

images/timemanage/time_label.png]

images/timemanage/worldtime_clockbg.png

images/timemanage/worldtime_hour.png

images/timemanage/worldtime_minute.png

images/weather/defaultcity.png}S]H

images/weather/warn_blue.png}S

images/weather/warn_orange.png}S

images/weather/warn_red.png}S

[>.BSU

images/weather/warn_yellow.png}S

images/weather/weather_6day.png

resources.xml

R.IrX[

xmls/about.xml}S

xmls/calendar.xml

xmls/calendartip.xml

xmls/checktimetip.xml}R

xmls/citylist_item.xml

xmls/countdownremind.xml

xmls/flowwindow.xml

xmls/installtip.xmlU

xmls/mainframe.xml

xmls/pluginsmanager.xml

xmls/pluginstip.xmlU

xmls/rightmenu_calendar.xml

xmls/set.xml

/.jKA

xmls/timemanage.xml

xmls/timemanage_countdown_item.xml

xmls/timemanage_stopwatch_item.xml

xmls/timemanage_worldtime_item.xml

xmls/upgradetip.xml

xmls/warninfoitem.xml

xmls/weather.xml

xmls/weatherremind.xml

xmls/worldcup.xml

images/common/menu_bg.png

images/flowwindow/flowwindow_itembtn.png

images/timemanage/time_label.png

images/weather/defaultcity.png

images/weather/warn_blue.png

images/weather/warn_orange.png

images/weather/warn_red.png

images/weather/warn_yellow.png

xmls/about.xml

xmls/checktimetip.xml

xmls/installtip.xml

xmls/pluginstip.xml

~{unf_XTRQSSSQLG@:569CPcv

vf^^clnj]I5'$.AZq

{wuuvurlhfis}

niurl}

~}||~~{{~~{|~~}}}~

||||~~}~

}}}~}{{}}|{}~|}}

||}}}{|~~}}

}|~~}|{|~~}~

~}|}|}~}}~

~}|}~}}~}~

}}~}}}}|~}~~

||~~|~~~~

}}~~}~~~}}~

~}}~}||}

keY<h

9œ9a9

1%2U2

1"1/1<1~1

55L5j5s5

1#2-2;2{2

='=-=3=~=

1'2,292>2

7%7U758

0 02080~0

1-2

> >%>/>4>>>

< <$<(<,<0<4<8<<<@<

4 4$4(4,404

6 8$8(8,8

3 3<3@3\3`3|3

5 5@5\5|5

ntdll.dll

xx

\StringFileInfo\%s\ProductName

\StringFileInfo\%s\FileDescription

\StringFileInfo\%s\FileVersion

\StringFileInfo\%s\ProductVersion

\StringFileInfo\%s\OriginalFilename

\StringFileInfo\%s\LegalCopyright

\StringFileInfo\%s\InternalName

\StringFileInfo\%s\CompanyName

%d.%d.%d.%d

explorer.exe /e,/select,"

explorer.exe /e,/select,

%%X%%X

%s.bak%I64dd

%%X

%%X%%X%%X

.%d.tmp

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

Software\Classes\http\shell\open\command

pcmaster.exe

saayaa.exe

cooldock.exe

explorer.exe

OpenUrlWithSaayaa

Internet Explorer\iexplore.exe

%s?r=%d

rmup.exe

hXXp://dat.ruanmei.com/pcmaster/upgrade6.xml

hXXp://down.ruanmei.com/%s?skq=%d

\\.\pipe\PCMasterSvc

pcmaster\config\pcmastersrv.cfg

\\.\PhysicalDrive%d

Internet open url failed! error code

\sfc_os.dll

takeown /f %s

icacls %s /grant

%username%:F

icacls %s /grant *S-1-1-0:(F)

.old.tweakcube

.temp.tweakcube

%u.%u.%u.%u

hXXp://VVV.6655.com/?f=sh

=============SendData:version:%d----%d==%s==%d==%s=

hXXp://VVV.hao123.com/?tn=12092018_15_hao_pg

hXXp://VVV.duba.com/?un_383619_1

hXXp://VVV.2345.com/?11319

^(hXXp://)?(www\.)?hao123\.com(/?(\?tn=. )?)?$

^(hXXp://)?(www\.)?duba\.com(/?(\?.)?)?$

winguard.dll

winguard.exe

^(hXXp://)?(www\.)?2345\.com(/?(\?\d )?)?$

hXXp://VVV.google.com.hk/search?ie=utf-8&oe=utf-8&hl=zh-cn&q={searchterms}

hXXp://VVV.google.com/favicon.ico

winguard_x64.dll

winguard_x64.exe

{DAFC3089-C966-4796-BF72-E6BB9C4BB8E5}

hXXp://VVV.bing.com/search?q={searchTerms}

hXXp://VVV.bing.com/favicon.ico

{0633EE93-D776-472f-A0FF-E1416B8B2E3A}

hXXp://VVV.baidu.com/s?tn=mswin_oem_dg&ie=utf-8&word={searchTerms}

hXXp://VVV.baidu.com/favicon.ico

hXXp://suggestion.baidu.com/su?wd={searchTerms}&action=opensearch&ie={inputEncoding}&from=ie8

{0E7B197B-A3DE-4FD4-A19A-1EECF791D16F}

mshtml.dll

%s\log\winguard-d-d-d-d-d-d.log

MoveFile Faild === [%s] [%s] [%d]

IE.AssocFile.HTM

.html

IE.AssocFile.URL

IE.AssocFile.MHT

.mhtml

.shtm

.shtml

Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32

https

Software\Classes\%s\shell

Software\Classes\%s\shell\%s\command

IE.HTTP

IE.HTTPS

HTTPS

IE.FTP

%s.HTTP

%s.AssocFile.HTM

Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\

IEXPLORE.EXE

SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE

%s.%s

Software\Microsoft\Windows\Shell\Associations\UrlAssociations\

Kernel32.dll

%c:%I64d~%I64d

%dx%d

SOFTWARE\Microsoft\Windows NT\CurrentVersion

6.3.9600

%d.%d.%d

360tray.exe

zhudongfangyu.exe

360sd.exe

360rp.exe

ksafetray.exe

ksafesvc.exe

kxescore.exe

kxetray.exe

qqpctray.exe

qqpcwebshield.exe

qqpcrtp.exe

avgnt.exe

avcenter.exe

egui.exe

ekrn.exe

rstray.exe

ravmond.exe

avp.exe

msmpeng.exe

ccsvchst.exe

bdagent.exe

kvmonxp.exe

kvsrvxp.exe

uiseagnt.exe

coreframeworkhost.exe

coreserviceshell.exe

uiwatchdog.exe

mcshield.exe

cfp.exe

baidusd.exe

baidusdsvc.exe

baidusdtray.exe

baiduantray.exe

baiduan.exe

baiduansvc.exe

avastsvc.exe

avastui.exe

avgui.exe

avgwdsvc.exe

avgidsagent.exe

mpmon.exe

mpsvc.exe

dwarkdaemon.exe

dwengine.exe

dwservice.exe

clamtray.exe

clamwin.exe

avkservice.exe

avktray.exe

fsm32.exe

fsma32.exe

fsorsp.exe

twssrv.exe

twister.exe

SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Uninstall

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

chrome

firefox

opera

iexplore.exe

SaaYaa.exe

bin\Maxthon.exe

maxthon.exe

InstallerSuccessLaunchCmdLine

LastInstallerSuccessLaunchCmdLine

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

chrome.exe

sogouexplorer.exe

sogoue~1.exe

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox

SOFTWARE\Mozilla\Mozilla Firefox

SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\

SOFTWARE\Mozilla\Mozilla Firefox\

PathToExe

firefox.exe

BrowserExe

safari.exe

Software\Opera Software

opera.exe

launcher.exe

SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{23F3F476-BE34-4f48-9C77-2806A8393EC4}

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{23F3F476-BE34-4f48-9C77-2806A8393EC4}

Software\Microsoft\Windows\CurrentVersion\Uninstall\360se6

360se.exe

Software\360chrome\chrome

360Chrome\Chrome\Application\360chrome.exe

360chrome.exe

LBBrowser\liebao.exe

liebao.exe

hao123juzi.exe

QQBrowser.exe

qqbrowser.exe

qqbrow~1.exe

theworld.exe

2345Explorer.exe

2345explorer.exe

Software\TaoBrowser.exe

taobrowser.exe

avant.exe

baidubrowser.exe

drivers\ANDROIDUSB.sys

Software\Microsoft\Windows\CurrentVersion\Run

version:%s;business:magictray;setup:%s;cpu:%s;memory:%s;disk:%s;partition:%s;resolution:%s;mac:%s;os:%s;ie:%s;process:%d;autorun:%d;browser:%d;defaultbrowser:%d;

&r=%d

hXXp://union.ruanmei.com/receive/postdata.aspx?uid=

hXXp://union.ruanmei.com/receive/install.aspx?uninstall=1&uid=

hXXp://union.ruanmei.com/receive/install.aspx?uid=

&t2=%d

0126|0208|0504|0928|1011

%s %s

%s-d-d-d-d-d-d-%d-%d.

Last Error: %d, HRESULT %d, File: %s

log.ruanmei.com

/apperror.aspx

.zip&v=

rkernel32.dll

mytime.exe

mytime.pdb

d-d-d d-d

24.56.178.140

129.6.15.28

132.163.4.101

132.163.4.102

132.163.4.103

version:%s;business:mytime;disk:%s;mac:%s;os:%s;x64:%d;ie:%s;process:%d;browser:%d;defaultbrowser:%d;button:%s;append:%s;

6hXXp://union.ruanmei.com/receive/buttonclick.aspx?r=%d&uid=

HKEY_LOCAL_MACHINE

Windows:

%d.%d.%d, SP %d.%d

EIP: X EFlags: X

ESI: X EDI: X ESP: X EBP: X

EAX: X EBX: X ECX: X EDX: X

X,

Operation:

[0xX] Cannot %s.

0xX

d/d/%d

[ExeFileInfo]

d-d-d d:d:d

(%X, %X, %X, %X, %X)

 X

%sX %s

.%sX

so.6655.com

hXXp://so.6655.com/favicon.ico

{C30DAF89-C966-4796-F7B2-EC4BB8E6BB95}

hXXp://so.6655.com/?s_type=1&k1={searchTerms}

souxia.com

hXXp://VVV.souxia.com/favicon.ico

{EE930633-72f4-76D7-A0FF-142E3A16EB8C}

hXXp://VVV.souxia.com/search.aspx?wd={searchTerms}&ie=utf-8

sogou.com

hXXp://VVV.sogou.com/favicon.ico

{EE930633-72f4-76D7-A0FF-142E3A16EB8B}

hXXp://VVV.sogou.com/sogou?query={searchTerms}&ie=utf8&pid=sogou-clse-c07d4fe1bad8cc10

baidu.com

hXXp://VVV.SoSo.com/favicon.ico

{EE930633-72f4-76D7-A0FF-142E3A16EB8D}

hXXp://VVV.soso.com/q?w={searchTerms}&unc=s400021_4&cid=union.s.wh&ie=utf-8

hXXp://VVV.google.com.hk/search?client=aff-6655&forid=1&ie=utf-8&oe=UTF-8&hl=zh-CN&q={searchTerms}

hXXp://dat.ruanmei.com/pcmaster/mytime.xml

mytime.cfg

default.icn

default.snd

._RuanmeiTime_%dd

.UIAniPanel

.UIChild12

hXXp://VVV.12306.cn/mormhweb/

%s\%d.xml

MSXML2.MXXMLWriter

MSXML2.SAXXMLReader

%s %s %s

%s ( %s )

%s %s%s

%s %s

%c%c%c

dd

ddd

.IDX_RightMenu_Calendar

res='%s' corner='4,4,4,4'

mainframe.birthdayIcon

mainframe.remindIcon

res='%s' corner='2,2,2,2'

mytimeweb.exe

leisure.dll

net.dll

notepad.dll

\mytime.txt

pmytimeweb

kernel32.dll

.flowwindow_AniWeatherRemind

&fade='%d'

plugins_mytimeweb_unused

%s %s PM2.5

d:d:d

%d:d

IDB_DynamicWeather_%d

IDB_Flowwindow_weathericon%d

dest='%d,%d,%d,%d'

%s\mytimeset.cfg

%s\weatherlist.xml

%s\weathericon\default.icn

%s\sound\remind.wav

%s\mytimeinj.exe

%s\mytime.dll

\mytime.dll

\mytimeinj.exe

%Y-%m-%d

ImportMagictray

\TrayClock.xml

_Pcmaster_LunarCalendar_MytimeWeb

\mytimeweb.exe

plugin_mytimeweb

\net.dll

\leisure.dll

\notepad.dll

\remind.dll

\sound\defaultman.snd

\defaultman.snd

\sound\default.snd

\default.snd

plugins_text_%s

plugins_progress_%s

1230.wav

d30.wav

12.wav

%s.wav

d.wav

%d-d-d d:d

d,

%d-d-d

%d-d-d d:d:d

.weatherremind_openremind

weathericon_%d_png

%d.png

WeatherRemind_date%d

WeatherRemind_title%d

.ikonw

taskmgr.exe

hXXp://go.ruanmei.com/url.aspx?linkid=155

hXXp://xzs.ithome.com

/select,%s

Rundll32.exe

Shell32.dll,Control_RunDLL timedate.cpl

.advanceset_basic_playwhenfull

\sound\*.*

defaultman.snd

\rmup.exe

sound\default.snd

hXXp://bbs.ithome.com/thread-438650-1-1.html

(*.snd)

*.snd

hXXp://bbs.ithome.com/thread-466493-1-1.html

-t=%d|%d|%d|%d|%d|%d|%d|0|

.about_close

%s-%d

hXXp://dat.ruanmei.com/pcmaster/upgrade6s.xml

hXXp://20140507.ip138.com/ic.asp

<h2>%d

btn_mytimeweb

-plugin_mytimeweb -notice -silent -from:_Pcmaster_LunarCalendar

plugins_progress_plugin_mytimeweb

plugins_text_plugin_mytimeweb

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

IDB_countdown_bg%d

\countdown.xml

\worldtime.xml

%d-%d-%d d:d:d

%s|%s|%s|%s|1

d:d

.countdownremind_close

%s,%s,%s,%s|

hXXp://search.weather.com.cn/static/xxfb/rss/alert.xml?a=%d%d

%H:%M:%S

101010100

hXXp://ip.qq.com

hXXp://ip.6655.com/ip.aspx?area=1

hXXp://api.ruanmei.com/api/xzs/aqi/citys/

.json

?t=%d

hXXp://VVV.weather.com.cn/data/sk/%s.html?_=%d

hXXp://VVV.weather.com.cn/data/ks/%s.html?_=%d

GetWeb

,?t=%d%d

Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Holiday%d

# d

%d-d-d d:d:d

%s|%s|%s|%d|%d

%d.d.d %s

hXXp://VVV.weather.com.cn/weather/

?_=%d

hXXp://php.weather.sina.com.cn/xml.php?city=

&password=DJOYnieT8234jlsK&day=

&_=%d

%d-d-d d-d-d

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\%s

windowshow

windowsized

msimg32.dll

.WndX

Software\Microsoft\Windows\DWM

dest='%d,%d,%d,%d' source='%d,%d,%d,%d'

pagebtn_group_%d

/source='%d,%d,%d,%d'

.selectedid

keyboard

User32.dll

<%s>%s</%s>

<Style id="%s">

0%s='%s'

source='%d,%d,%d,%d'

%s='%s'

.showbutton2

msftedit.dll

1 REOLEStorage%d

password

WebBrowser

7XML Error: %s

2UIWebBrowser

errorUrl

2M-d-d

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

nKERNEL32.DLL

ADVAPI32.DLL

WUSER32.DLL

1.0.0.1

Countdown.dll

Advapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

USER32.DLL

Replace%Select the entire document

Arrange Icons/Arrange windows so they overlap

Cascade Windows5Arrange windows as non-overlapping tiles

Tile Windows5Arrange windows as non-overlapping tiles

Tile Windows(Split the active window into panes

1.0.0.2

mytimeinj.exe

2011-12-12 18:18

%s%s%s %s

3.0.1.0

mytime.dll

3.0.6.0

mytime.exe_3584_rwx_6D271000_000D5000:

SSSh<

SSSh|

SSShd

SSSh0

SSSht

SSShl

SSShT

SSShD

RSShx

SSSSh

1mSSh

SSShLK0mV

.mr!.m

.md .mt

h0(.md

E.meD.m\D.m

E.m"E.m E.mj

RhVg.mQ

w.mkw.m

hPq1mh0(.md

USER32.dll

pcmasterdata.dll

}-mU}-m

y-m(z-mIz-m}z-m

.mT11m

operator

GetProcessWindowStation

dwmapi.dll

UxTheme.dll

INSERT INTO remind (createtime, type, mode, advance, remindtime, timevalue, text, solar, sound, haveremind, soundpath, exepath) VALUES(%Q, %d, %d, %d, %Q, %Q, %Q, %d, %d, %d, %Q, %Q)

update remind set type=%d, mode=%d, advance=%d, remindtime=%Q, timevalue=%Q, text=%Q, solar=%d, sound=%d, haveremind=%d, soundpath=%Q, exepath=%Q where id=%d

update remind set %Q=%Q where id=%d

delete from remind where id=%d

id INTEGER PRIMARY KEY AUTOINCREMENT,

inflate 1.2.5 Copyright 1995-2010 Mark Adler

unzip 1.01 Copyright 1998-2004 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll

<4,$?7/'

(3-!0,1'8"5.*2$

D:\TFS_New2013\MagicTray2013\MagicTray\Bin\Release\plugins\remind.pdb

hB.mlB.m

sqlite3_open

sqlite3_key

sqlite3_rekey

sqlite3_close

sqlite3_exec

sqlite3_free

sqlite3_prepare

sqlite3_step

sqlite3_finalize

sqlite3_column_int

sqlite3_column_text

sqlite3_mprintf

EnumChildWindows

GetKeyState

.?AVCUIWebBrowser@meiui@@

.?AVCActiveXEnum@meiui@@

zcÁ

.?AVCSqliteDB@@

%Program Files%\Ruanmei\PCMaster\mytime.exe

images/common/canclebtn.png

images/common/combo.png

images/common/comboitembg.png

images/common/datebg.png

images/common/dropbox_bg.png

images/common/edit.png

images/common/okbtn.png

images/common/scrollbar.png

!.fSH

images/common/vscrollbar.png

images/common/vscrollbar1.png

images/main/addicn.png

images/main/aero.png

images/main/chkbox.png

images/main/close.png

images/main/itemdel.png

images/main/itemmodify.png

images/main/item_bg0.png

images/main/item_bg1.png

images/main/min.png

images/main/noremind.png,

qa.Ge

$\.eT

@c.ky

images/main/radio.png

images/main/remindnotice.png

>.xJr;i

images/main/shadow.png

main.xml

,.EjA,ET,E

remindadd.xml

6{n.Ylbr

reminditem.xml

remindnotice.xml

resources.xml

images/main/noremind.png

GetProcessHeap

GetCPInfo

RegOpenKeyExW

RegFlushKey

RegCreateKeyExW

RegCloseKey

GdiplusShutdown

GdipSetImageAttributesColorKeys

ShellExecuteW

HGSHHHSSSHHRD`

$ $@$< 8

.text

`.rdata

@.data

.rsrc

@.reloc

Software\Microsoft\Windows\DWM

msimg32.dll

keyboard

windowsized

windowshow

User32.dll

dest='%d,%d,%d,%d'

<%s>%s</%s>

<Style id="%s">

fade='%d'

%s='%s'

source='%d,%d,%d,%d'

%s='%s'

pagebtn_group_%d

source='%d,%d,%d,%d'

dest='%d,%d,%d,%d' source='%d,%d,%d,%d'

msftedit.dll

password

M-d-d

WebBrowser

XML Error: %s

UIWebBrowser

errorUrl

nKERNEL32.DLL

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

mscoree.dll

WUSER32.DLL

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

close %s

open "%s" type MPEGVideo alias %s

play %s repeat

play %s

%d.%d.%d.%d

remind.dat

0126|0208|0504|0928|1011

MSXML2.SAXXMLReader

MSXML2.MXXMLWriter

\sound\remind.wav

IDB_RemindItem_bg%d

remind_add_chkbox_week%d

*.mp3/*.wav

(*.wav;*.mp3)

*.wav;*.mp3

%s\sound\remind.wav

(*.*)

\remind.dll

\remind.xml

\remind.dat

d-d-d d:d:d

d-d d:d:d

d:d

d:d:d

%d-d-d

shutdown.exe -l

tsdiscon.exe

shutdown.exe -r -t 0

shutdown.exe -s -t 0

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   mytime.exe:3148
   %original file name%.exe:1976

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   %Program Files%\Ruanmei\PCMaster\config\mytime\countdown.xml (158 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ip[1].htm (25 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\101010100[1].htm (14574 bytes)
   %Program Files%\Ruanmei\PCMaster\config\mytime\191B.tmp (196 bytes)
   %Program Files%\Ruanmei\PCMaster\plugins\weathericon\default.icn (125 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\mytime[1].xml (3 bytes)
   %Program Files%\Ruanmei\PCMaster\config\mytime\mytimeset.cfg (11405 bytes)
   %Program Files%\Ruanmei\PCMaster\config\mytime\2017.xml (53 bytes)
   %Program Files%\Ruanmei\PCMaster\config\mytime\remind.xml (152 bytes)
   %Program Files%\Ruanmei\PCMaster\plugins\sound\remind.wav (21 bytes)
   %Program Files%\Ruanmei\PCMaster\config\mytime\weatherlist.xml (152 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\MagicTray\Config\remind.xml (152 bytes)
   %Program Files%\Ruanmei\PCMaster\plugins\mytime.dll (108 bytes)
   %Program Files%\Ruanmei\PCMaster\plugins\remind.dll (12024 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\软媒时间.lnk (1950 bytes)
   %Program Files%\Ruanmei\PCMaster\rmup.exe (6584 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\remind.dll (12024 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp\nsDialogs.dll (21 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\软媒软件\软媒魔方\卸载软媒时间.lnk (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\软媒时间.lnk (975 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp\MPlugin_NSIS.dll (5199 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\notepad.dll (9608 bytes)
   C:\Users\Public\Desktop\软媒时间.lnk (1 bytes)
   %Program Files%\Ruanmei\PCMaster\plugins\notepad.dll (9608 bytes)
   %Program Files%\Ruanmei\PCMaster\plugins\net.dll (10136 bytes)
   %Program Files%\Ruanmei\PCMaster\uninstall_mytime.exe (6249 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D2.tmp\System.dll (23 bytes)
   %Program Files%\Ruanmei\PCMaster\plugins\mytimeweb.exe (12024 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\mytimeweb.exe (12024 bytes)
   %Program Files%\Ruanmei\PCMaster\pcmasterdata.dll (11048 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\net.dll (10136 bytes)
   %Program Files%\Ruanmei\PCMaster\mytime.exe (132503 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsiF3D1.tmp (166781 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\pcmaster\plugins\leisure.dll (12088 bytes)
   C:\ProgramData\Microsoft\Windows\Start Menu\Programs\软媒软件\软媒魔方\软媒时间.lnk (1 bytes)
   %Program Files%\Ruanmei\PCMaster\plugins\leisure.dll (12088 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "mytime" = "%Program Files%\Ruanmei\PCMaster\mytime.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.