Gen.Variant.Graftor.150978_9a6906c9aa

by malwarelabrobot on September 26th, 2014 in Malware Descriptions.

Trojan-Dropper.Win32.Injector.jksa (Kaspersky), Gen:Variant.Graftor.388 (B) (Emsisoft), Gen:Variant.Graftor.150978 (AdAware), Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 9a6906c9aa2a87cced21082f05ff175e
SHA1: d15b9fb4edd52ee74f94e37358a1e8f0045994b4
SHA256: 3026e2155a959c7ba61c1a12026a65bf600060908fb99b35a22f0a85cfeac9f7
SSDeep: 49152:Gc//////ZTsG/IQHLL1 lLcSRhUX9kiJBG428fBRhlsT7DZ3:Gc//////tLL1SLcoeNki/G428nsT7x
Size: 2117120 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: Be Or
Created at: 1992-06-20 01:22:17
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealth installation of other malware on the user's system.

What this run shows (see the process, file, registry and network activity below): the Delphi-built sample installs itself like an application, creating %Program Files%\启动 ("Launch") with Uninstall.exe, Start Menu shortcuts (启动.lnk and 卸载.lnk, "Uninstall") and an Uninstall registry entry, while a second instance writes C:\我还活着三项修改器 v1.0.1.zip ("I Am Alive three-option trainer v1.0.1") to the root of the drive, so the lure is a game trainer. Alongside this it drops gamedmon.exe into %Temp%; that process fetches tj1.jpg / cj1.jpg over HTTP and writes cj1.exe, which copies itself to %System%\svohost.exe (a lookalike of svchost.exe; the two files share an MD5) together with s_svost.ini and svohost.txt. The sc.exe, net.exe and net1.exe child processes, together with the "sc.exe create %s binpath= "%s internal_start" ... start= auto" and "net start %s" strings in the svohost.exe dump, are consistent with svohost.exe being registered as an auto-start service.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

sc.exe:244
net1.exe:1748
net.exe:1948
cj1.exe:540
%original file name%.exe:1848
%original file name%.exe:1820
gamedmon.exe:1712

The Trojan injects its code into the following process(es):

svohost.exe:1360
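The process list above shows sc.exe, net.exe and net1.exe being spawned, and the svohost.exe strings later in the report carry the templates `sc.exe create %s binpath= "%s internal_start" DisplayName= %s start= auto` and `net start %s` next to a set of system-process lookalike names (svohost.exe, svch0st.exe, taskh0st.exe, win1ogon.exe, rund1132.exe, service.exe). The script below is an added example, not code from the report or from the sample: it applies both signals to process-creation records. The records are constructed for the example; the sc.exe command line fills the template's %s fields with assumed values (service name svohost, binary %System%\svohost.exe), and the list of legitimate names it compares against is the editor's, not the report's.

```python
"""Triage process-creation records for the two persistence signals seen in this
run: a service registered with "sc.exe create ... start= auto" and binary names
that imitate Windows system processes. Added example; records are constructed."""

import re

# Legitimate stems (file name without .exe) that the dump's lookalikes imitate.
LEGIT_STEMS = ("svchost", "taskhost", "winlogon", "rundll32", "services",
               "lsass", "csrss", "explorer", "spoolsv")

# Digit-for-letter substitutions used by the names in the dump (0 for o, 1 for l).
HOMOGLYPHS = str.maketrans("01", "ol")

# sc.exe syntax is "sc create <name> key= value ..." (note the space after '=').
SC_CREATE = re.compile(r'^"?(?:[^"\s]*\\)?sc(?:\.exe)?"?\s+create\s+(\S+)(.*)$', re.I)
SC_OPTION = re.compile(r'(\w+)=\s*("[^"]*"|\S+)')
FIRST_EXE = re.compile(r'^(.*?\.exe)', re.I)


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(path):
    """Lower-case file name without directory or .exe extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def lookalike_of(path):
    """Legitimate stem this name imitates, or None if it is exact or unrelated."""
    s = stem(path)
    if s in LEGIT_STEMS:
        return None
    folded = s.translate(HOMOGLYPHS)          # svch0st -> svchost, rund1132 -> rundll32
    for legit in LEGIT_STEMS:
        if levenshtein(folded, legit) <= 1:   # svohost vs svchost, service vs services
            return legit
    return None


def parse_sc_create(cmdline):
    """Parse 'sc create' into {name, binpath, start, displayname}; None if not a create."""
    m = SC_CREATE.match(cmdline.strip())
    if not m:
        return None
    opts = {k.lower(): v.strip('"') for k, v in SC_OPTION.findall(m.group(2))}
    return {"name": m.group(1), "binpath": opts.get("binpath", ""),
            "start": opts.get("start", "demand").lower(),
            "displayname": opts.get("displayname", "")}


def triage(records):
    """records: iterable of (image_path, command_line). Returns a list of findings."""
    findings = []
    for image, cmdline in records:
        hit = lookalike_of(image)
        if hit:
            findings.append(("lookalike-process", image, hit))
        svc = parse_sc_create(cmdline)
        if not svc:
            continue
        exe = FIRST_EXE.match(svc["binpath"])   # binpath may carry arguments after the path
        target = exe.group(1) if exe else svc["binpath"]
        imitated = lookalike_of(svc["name"]) or lookalike_of(target)
        if imitated:
            findings.append(("lookalike-service", svc["name"], imitated))
        if svc["start"] == "auto" and "\\system32\\" in target.lower():
            findings.append(("autostart-service-in-system32", svc["name"], target))
    return findings


# Constructed records: the sc.exe line is the dump's format string with assumed values.
SAMPLE_RECORDS = [
    (r"C:\WINDOWS\system32\sc.exe",
     r'sc.exe create svohost binpath= "C:\WINDOWS\system32\svohost.exe internal_start" DisplayName= svohost start= auto'),
    (r"C:\WINDOWS\system32\net.exe", "net start svohost"),
    (r"C:\WINDOWS\system32\svohost.exe", r'"C:\WINDOWS\system32\svohost.exe" internal_start'),
    (r"C:\WINDOWS\system32\sc.exe",
     r'sc create BackupAgent binpath= "C:\Program Files\Backup\agent.exe" start= demand'),
    (r"C:\WINDOWS\system32\svchost.exe", "svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RECORDS):
        print(finding)
```

The homoglyph fold plus an edit distance of one is deliberately narrow: it catches every name in this dump without flagging svchost.exe itself, and the start= auto check is paired with the system32 path so that a legitimately installed demand-start agent in Program Files stays quiet.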

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process svohost.exe:1360 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cj1.exe (0 bytes)
%System%\svohost.txt (0 bytes)

The process cj1.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\svohost.exe (2105 bytes)
%System%\s_svost.ini (11 bytes)
%System%\svohost.txt (38 bytes)

The process %original file name%.exe:1848 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Start Menu\启动\卸载.lnk (663 bytes)
%Program Files%\启动\Uninstall.exe (202 bytes)
%Program Files%\启动\启动.exe (3 bytes)
%Documents and Settings%\%current user%\Start Menu\启动\启动.lnk (636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gamedmon.exe (176 bytes)

The process %original file name%.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\我还活着三项修改器 v1.0.1.zip (9606 bytes)

The process gamedmon.exe:1712 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tj1[1].jpg (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cj1.jpg (174475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cj1.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj1[1].jpg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\updatetimezone.ini (1776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cj1[1].exe (174329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KB1024FB11 (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KB1024FB13 (80 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tj1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cj1.jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\updatetimezone.ini (0 bytes)
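gamedmon.exe writes tj1[1].jpg and cj1.jpg to the IE cache and %Temp%, and cj1.exe then appears in both places, 146 bytes shorter than cj1.jpg; the report does not show how the conversion is done. The following is an added example, not the sample's code: a header-based check that decides whether a downloaded "image" contains a Windows executable and where it starts, so that a proxy log or sandbox hook can classify such downloads regardless of extension or Content-Type. The response bodies are constructed (a JPEG-looking prefix in front of a minimal MZ/PE header built by fake_pe); the decoy URL copies the one in the gamedmon.exe strings, the others are placeholders.

```python
"""Decide whether a downloaded 'image' is really a PE file by validating the DOS
and PE headers, and report where the PE starts so it can be carved.
Added example; sample bodies are constructed, not captured."""

import struct

IMAGE_MAGICS = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")
MACHINE_I386, MACHINE_AMD64 = 0x14C, 0x8664


def pe_header_at(data, off):
    """True if a plausible DOS header at `off` points to a plausible PE header."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    # 0x40 is the DOS header size; 24 bytes = PE signature + COFF file header.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(data):
        return False
    if data[pe:pe + 4] != b"PE\x00\x00":
        return False
    machine, nsections = struct.unpack_from("<HH", data, pe + 4)
    return machine in (MACHINE_I386, MACHINE_AMD64) and 0 < nsections <= 96


def find_pe(data):
    """Offset of the first embedded PE image, or -1. Every 'MZ' is tried because
    a decoy image header may precede the executable."""
    off = data.find(b"MZ")
    while off != -1:
        if pe_header_at(data, off):
            return off
        off = data.find(b"MZ", off + 1)
    return -1


def classify(url, content_type, body):
    """Return (verdict, pe_offset); verdict is 'pe-disguised-as-image', 'pe',
    'image' or 'other'. The URL and Content-Type only say what the server
    claims; the verdict comes from the bytes."""
    pe_off = find_pe(body)
    claims_image = (body.startswith(IMAGE_MAGICS)
                    or content_type.lower().startswith("image/")
                    or url.lower().rsplit("?", 1)[0].endswith((".jpg", ".jpeg", ".png", ".gif")))
    if pe_off >= 0:
        return ("pe-disguised-as-image" if claims_image else "pe"), pe_off
    return ("image" if claims_image else "other"), -1


def carve_pe(body):
    """Bytes from the PE header to the end of the body (what would land on disk
    as the .exe), or b'' if there is no PE."""
    off = find_pe(body)
    return body[off:] if off >= 0 else b""


def fake_pe(nsections=3):
    """Minimal MZ/PE header pair, enough for the checks above (constructed)."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew -> 0x40
    coff = b"PE\x00\x00" + struct.pack("<HH", MACHINE_I386, nsections) + b"\x00" * 16
    return dos + coff + b"\x90" * 64


# Constructed responses; the decoy URL is the one in the gamedmon.exe strings.
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 60                         # 64-byte decoy prefix
SAMPLES = {
    "decoy": ("hxxp://122.226.56.132:808/img/tj1.jpg", "image/jpeg", JPEG_STUB + fake_pe()),
    "real_image": ("hxxp://example.invalid/logo.jpg", "image/jpeg", JPEG_STUB + b"\x00" * 100),
    "text_with_mz": ("hxxp://example.invalid/notes.txt", "text/plain", b"MZ is not a header here" * 8),
}

if __name__ == "__main__":
    for name, (url, ctype, body) in SAMPLES.items():
        print(name, classify(url, ctype, body))
```

The e_lfanew bounds and the machine/section sanity checks are what keep stray "MZ" byte pairs in ordinary data from registering as hits; without them a plain text body that happens to contain "MZ" would be carved as an executable.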

Registry activity

The process sc.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 82 30 B8 31 78 5D 18 11 30 34 D8 39 E1 E0 16"

(The Seed value under Cryptography\RNG is rewritten by CryptoAPI whenever a process draws random bytes; the Seed writes attributed to sc.exe, net.exe, net1.exe and the other processes in this section are side effects of ordinary API use, not indicators for this sample.)

The process net1.exe:1748 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA DE 0B A4 CF DC 25 28 74 05 5C AF E2 C8 16 90"

The process net.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 6E 9F 7E AB 2D D6 C0 FC 86 B3 26 3B 30 76 40"

The process svohost.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "74 61 43 6C 15 EC 9A 83 1E B0 96 19 47 3B DC 43"

The process %original file name%.exe:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\启动]
"InstallLocation" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\启动]
"UninstallString" = "%Program Files%\启动\Uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\启动]
"DisplayName" = "启动.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 6B D4 A6 9F 87 54 4E 61 98 47 B0 EC 8B 7F 8D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\启动]
"DisplayIcon" = "%Program Files%\启动\启动.exe"

The Trojan modifies the IE security-zone map (Local Intranet zone membership):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"IntranetName" = "1"
"ProxyBypass" = "1"

UNCAsIntranet = 1 places all UNC (network) paths in the Local Intranet zone, IntranetName = 1 places local sites not assigned to another zone (dotless host names) there, and ProxyBypass = 1 does the same for sites that bypass the proxy. These are the values Internet Explorer creates for a profile whose ZoneMap key does not exist yet, which happens the first time a process uses WinINet; on their own they do not show the sample loosening zone policy.

The process %original file name%.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 5A C2 A9 44 3B 27 B7 28 B6 57 1E 9C F9 63 6A"

The process gamedmon.exe:1712 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D AF F3 CD EA C1 36 C5 0C C8 35 7D FE 70 74 A4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone map (Local Intranet zone membership), with the same values as %original file name%.exe:1848 above:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Together with "MigrateProxy" = "1" and "SavedLegacySettings" above, this has the shape of WinINet's one-time migration of proxy settings into a fresh profile, so it is expected from any first-run WinINet client. It cannot be told apart in this log from a deliberate reset of an interception proxy; note that the gamedmon.exe strings below include FIDDLER.EXE, HTTPANALYZERSTDV3.EXE and WIRESHARK.EXE, so the sample does at least look for such tools.

Dropped PE files

MD5                               File path
ceef802c5f0704313fa75ab44dfd2fdb  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\gamedmon.exe
161c564e115202dd0779a6c104173b59  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cj1[1].exe
255397a0bde4c291da77d608653d111c  c:\Program Files\启动\Uninstall.exe
161c564e115202dd0779a6c104173b59  c:\WINDOWS\system32\svohost.exe

cj1[1].exe and %System%\svohost.exe share an MD5, so the service binary is a byte-for-byte copy of the downloaded file. The byte counts in the file-activity lists (svohost.exe "2105 bytes" against cj1[1].exe "174329 bytes") are therefore per-write counts, not final file sizes; match on the hash, not the size, when checking a disk.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
CODE    4096             40132         40448     4.51817   b5cbfd0d0dcc543841c6045b1279a73a
DATA    45056            15632         15872     5.26127   1fb0fcf0a8c302fd1e7df6150f434d7e
BSS     61440            1825          0         0         d41d8cd98f00b204e9800998ecf8427e
.idata  65536            1730          2048      2.91217   9e9581a6aeb1c6de49e8280941f8bb34
.tls    69632            8             0         0         d41d8cd98f00b204e9800998ecf8427e
.rdata  73728            24            512       0.142404  996c4942e3a4d2795a22f3ace698d094
.reloc  77824            1792          2048      4.24404   d645c969d7346a611453d5e9e94c66f4
.rsrc   81920            2055152       2055168   5.54509   31a968748061fb9468d7b7c3cb7ec690

.rsrc holds 2,055,168 of the file's 2,117,120 bytes while CODE is only 40 KB: the layout of a Delphi dropper that carries its payload (here the archive and the dropped executables) as resources. The MD5 shown for BSS and .tls, d41d8cd98f00b204e9800998ecf8427e, is the hash of zero bytes, matching their raw size of 0.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://js.users.51.la/17119807.js 113.107.42.34
web.51.la 117.21.224.131


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile

The only request printed below goes to js.users.51.la, a public Chinese web-analytics service; the page that embeds it, hXXp://162.218.30.90:801/51tj/tj1.html, appears as the Referer and is the traffic on a non-standard port that most plausibly raised the alert. The attacker-side indicators in this run are 162.218.30.90:801 and, from the gamedmon.exe and svohost.exe strings, 122.226.56.132:808, tj.yuemar.com, dd.yuemar.net and 192.168.1.15 (a private address); 51.la itself serves only as a hit counter here.

Traffic

GET /17119807.js HTTP/1.1
Accept: */*
Referer: hXXp://162.218.30.90:801/51tj/tj1.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1931
Content-Type: application/x-javascript
Last-Modified: Wed, 16 Jul 2014 03:30:40 GMT
Accept-Ranges: bytes
ETag: "b6206c51a6a0cf1:1818"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 25 Sep 2014 13:01:47 GMT
Connection: close
document.write ('<a href="hXXp://VVV.51.la/?17119807" target="_blank" title="51.la 专业、免费、强健的访问统计">网站统计</a>\n');
var a9807tf="51la";var a9807pu="";var a9807pf="51la";var a9807su=window.location;var a9807sf=document.referrer;var a9807of="";var a9807op="";var a9807ops=1;var a9807ot=1;var a9807d=new Date();var a9807color="";if (navigator.appName=="Netscape"){a9807color=screen.pixelDepth;} else {a9807color=screen.colorDepth;}
try{a9807tf=top.document.referrer;}catch(e){}
try{a9807pu =window.parent.location;}catch(e){}
try{a9807pf=window.parent.document.referrer;}catch(e){}
try{a9807ops=document.cookie.match(new RegExp("(^| )a9807_pages=([^;]*)(;|$)"));a9807ops=(a9807ops==null)?1: (parseInt(unescape((a9807ops)[2]))+1);var a9807oe =new Date();a9807oe.setTime(a9807oe.getTime()+60*60*1000);document.cookie="a9807_pages="+a9807ops+";path=/;expires="+a9807oe.toGMTString();a9807ot=document.cookie.match(new RegExp("(^| )a9807_times=([^;]*)(;|$)"));if(a9807ot==null){a9807ot=1;}else{a9807ot=parseInt(unescape((a9807ot)[2]));a9807ot=(a9807ops==1)?(a9807ot+1):(a9807ot);}a9807oe.setTime(a9807oe.getTime()+365*24*60*60*1000);document.cookie="a9807_times="+a9807ot+";path=/;expires="+a9807oe.toGMTString();}catch(e){}
try{if(document.cookie==""){a9807ops=-1;a9807ot=-1;}}catch(e){}
a9807of=a9807sf;if(a9807pf!=="51la"){a9807of=a9807pf;}if(a9807tf!=="51la"){a9807of=a9807t

<<< skipped >>>

The Trojan connects to the servers at the following location(s): see the URLs and Traffic sections above.

Strings from Dumps

gamedmon.exe_1712:

.text
`.rdata
@.data
.rsrc
@.reloc
SSSSh
.hL!B
Uxs.Ux!
RVxt.Vx
Applications\iexplore.exe\shell\open\command
kernel32.dll
HTTP ANALYZER
MALWAREDEFENDER.EXE
OD.EXE
WSEXPLORER.EXE
WIRESHARK.EXE
SNIFFER.EXE
FIDDLER.EXE
HTTPANALYZERSTDV3.EXE
Windows update
Software\Microsoft\Windows\CurrentVersion\Run
HTTP/1.0
password
Failed to set an internet option (%u)
Failed to connect to server (%s:%u)
Failed to read from network (%u bytes)
Failed to write to network (%u bytes)
updatetimezone.ini
%d.%d
nopasswd
name%d
url%d
urlbind%d
XXXXXX
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
Unknown operating system
Windows 2000
Windows XP
Windows Server 2003
Windows XP Professional x64 Edition
Windows Storage Server 2003
Windows Server 2003 R2
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
1620127iso_646.irv:19911351932windows-519320920001x-cp20001
1000932csshiftjis
1350221windows-502210712000cp12000
1028597iso_8859-70628605latin90501200utf160700154ptcp1541410010x-mac-romanian
1410001x-mac-japanese1200932cswindows31j
0601251cp12511201258windows-12580601125cp1125
1201257windows-12570601250cp12500601133cp1133
1201256windows-12561100932windows-31j
1000936csgb2312801201255windows-1255
1201254windows-1254
1052936hz-gb-23121201253windows-12531400949ks_c_5601_19871528599iso_8859-9:19890601201cp1201
0601200cp12001201252windows-1252
0810029x-mac-ce1201251windows-12511528598iso_8859-8:19880900949ks_c_56011110000csmacintosh
1201250windows-12501300932shifft_jis-ms
1528597csisolatingreek1100874windows-874
1100936windows-9360520127ascii
1100932windows-9321100437codepage437
0928596iso8859-60900154csptcp154
<>=\/?!"';
http-equiv
SELECT * FROM Win32_OperatingSystem
\\.\%s#{ad498944-762f-11d0-8dcb-00c04fc3358c}
deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
UrlUnescapeA
SHLWAPI.dll
MSVCR90.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetProcessHeap
KERNEL32.dll
EnumWindows
USER32.dll
RegCloseKey
RegOpenKeyExA
RegOpenKeyA
ADVAPI32.dll
ShellExecuteA
ShellExecuteExA
SHELL32.dll
ole32.dll
OLEAUT32.dll
InternetOpenUrlA
HttpAddRequestHeadersA
HttpQueryInfoA
HttpEndRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpOpenRequestA
HttpSendRequestExA
WININET.dll
IPHLPAPI.DLL
NETAPI32.dll
.?AVCHttpFile@@
.?AVCHttpConnection@@
1.1.4
\www\jpg\hXXp://122.226.56.132:808/img/tj1.jpg\hXXp://tj.yuemar.com/count.asp\0\0
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.VC90.CRT" version="9.0.21022.8" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
00u0
6 6$6(60646
eHTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: %s/%s (Windows %s)
dd.yuemar.net
/verify/verify.php
OperatingSystem
WindowsDirectory
2, 0, 0, 0
Microsoft(R) Windows(R) Operating System
usb3mon.exe

svohost.exe_1360:

.text
`.rdata
@.data
.rsrc
@.aspack
.adata
.aspack
SSSSh
L$TQSSh
aSSSh
FTPjK
FtPj;
C.PjRV
FTPQ
kernel32.dll
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
KERNEL32.DLL
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
1.2.8
inflate 1.2.8 Copyright 1995-2013 Mark Adler
svohost.log
svohost.exe
s_svost.ini
net stop %s
sc.exe delete %s
svohost1.exe
svohost.txt
sc.exe create %s binpath= "%s internal_start" DisplayName= %s start= auto
net start %s
192.168.1.15
\svohost.txt
taskh0st.exe
svch0st.exe
service.exe
win1ogon.exe
rund1132.exe
"%s" "%s"
client.log
WS2_32.dll
1234567890
Windows NT
[%d,%d.%d]
Windows 95
Windows 98
Windows Me
XXXXXX
e:\work\WebTools\bin\client_ex.pdb
KERNEL32.dll
USER32.dll
ReportEventA
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
WTSAPI32.dll
iphlpapi.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
zcÁ
.?AVCClientTcpSocket@@
%System%\svohost.exe
.rdata
.data
EØ)
!M6%s
V\%sK
uc.hZ
.WfGI
.zk.NU
[Q.eN
.Vs8?)
(,'-&.%/$
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
ole32.dll
oleaut32.dll
ws2_32.dll
wtsapi32.dll

svohost.exe_1360_rwx_00487000_00006000:

kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
advapi32.dll
ws2_32.dll
wtsapi32.dll
iphlpapi.dll

iexplore.exe_644:

%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager); the PIDs below are from the analysis run and will differ on an infected system, so match on image name and path:

    sc.exe:244
    net1.exe:1748
    net.exe:1948
    cj1.exe:540
    %original file name%.exe:1848
    %original file name%.exe:1820
    gamedmon.exe:1712

  2. Delete the original Trojan file. If a service has been registered for %System%\svohost.exe (the svohost.exe strings show sc.exe create ... start= auto), stop and delete it first (net stop / sc.exe delete), otherwise it is restarted at the next boot and the file cannot be removed while it runs.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %System%\svohost.exe (2105 bytes)
    %System%\s_svost.ini (11 bytes)
    %System%\svohost.txt (38 bytes)
    %Documents and Settings%\%current user%\Start Menu\启动\卸载.lnk (663 bytes)
    %Program Files%\启动\Uninstall.exe (202 bytes)
    %Program Files%\启动\启动.exe (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\启动\启动.lnk (636 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gamedmon.exe (176 bytes)
    C:\我还活着三项修改器 v1.0.1.zip (9606 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tj1[1].jpg (296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cj1.jpg (174475 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cj1.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj1[1].jpg (592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\updatetimezone.ini (1776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cj1[1].exe (174329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KB1024FB11 (68 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KB1024FB13 (80 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
