Trojan-Downloader.Win32.Genome.gxoa_5a4e7104ee

by malwarelabrobot on May 30th, 2014 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.gxoa (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5a4e7104eec7aa193c948f874f8bfb45
SHA1: 54768cd7b1817c961c87730e1048acfea81d4a7c
SHA256: 6c2903a4bfab5cec466817324786134b5906c66304b77138286bd839498c81bb
SSDeep: 24576:anGfdRGmay4PjE9bUix084d2mVWca83VSQCbLL0BnqQv:6GfjGfjkoPwx8cHbLIBn7
Size: 1072387 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: A.P.P.
Created at: 2009-06-07 00:41:59
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Downloader: a Trojan program that downloads files from the Internet without the user's knowledge and executes them.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

shandian.exe:1236
shandian.exe:1800

The Trojan-Downloader injects its code into the following process(es):

sdad.exe:1612
%original file name%.exe:1352

File activity

The process sdad.exe:1612 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa9[1].jpg (2716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b19[1].jpg (2659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stylemini[1].css (5481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\0[1].swf (14391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nvxing_509_366[1].htm (2357 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\normal_bg[1].png (6644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpv1[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa7[1].jpg (3459 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[1].js (279 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[2].jpg (10051 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa1[1].jpg (7228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\miniindex[1].htm (1247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b19[1].jpg (1816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\min[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (21204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[2].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b16[1].jpg (7280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa9[1].jpg (2739 bytes)
%Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (495 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (798 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[1].jpg (4737 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b17[1].jpg (8088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b13[1].jpg (5737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa5[1].jpg (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa6[1].jpg (4716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa8[1].jpg (2800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa5[1].jpg (15139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\meinv[1].htm (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Untitled-3[1].jpg (2528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa10[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa2[1].jpg (5536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico_new2[1].png (10020 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xinwen[1].htm (810 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Close[1].gif (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\close[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cpc_img[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cpc_img[1].htm (442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b14[1].jpg (10434 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_swf[1].asp (2097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[2].jpg (11588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (2795 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@565882[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\meinv[1].htm (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\d[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[1].jpg (7936 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[2].jpg (1736 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (817 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shehui_509_366[1].htm (1907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b17[1].jpg (6124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\lieqi_509_366[1].htm (4014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[1].jpg (10771 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b14[1].jpg (9831 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shehui_509_366[1].htm (2816 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[2].htm (2276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa8[1].jpg (1736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (4478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa2[1].jpg (7096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[2].jpg (12362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lieqi_509_366[1].htm (1907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa7[1].jpg (2280 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.7.2.min[1].js (51789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_ztyw[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2012_swf[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[1].jpg (5752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Untitled-2[1].gif (1840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa1[1].jpg (10131 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xinwen[1].htm (1799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b16[1].jpg (5628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[1].htm (1907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa10[1].jpg (4059 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b13[1].jpg (5136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Untitled-1[1].gif (2360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.7.2.min[2].js (4781 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nvxing_509_366[1].htm (2273 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (1263 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa6[1].jpg (4736 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b14[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shehui_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xinwen[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa9[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa8[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_swf[1].asp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[1].css (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lieqi_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa7[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nvxing_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b17[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b13[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b16[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa5[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa6[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa1[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa10[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b19[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\meinv[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa2[1].jpg (0 bytes)

The process shandian.exe:1236 makes changes in the file system.
The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF82D5.tmp (0 bytes)

The process shandian.exe:1800 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fine_cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_arrow_h[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (1879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\rec[1].do (377 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[1].js (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[1].js (8409 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123.sogou[1] (7853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[2].js (3170 bytes)
%Program Files%\shandian\bin\twcache.ini (696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logo_1112293[1].gif (188 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon4[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].js (3509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setting_icon[1].gif (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin3[1].gif (1266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fbg_about[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\subnav_v41[1].png (634 bytes)
%Program Files%\shandian\bin\ImgCache\123.sogou.com_favicon.ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX3.tmp (10 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\selogo_111207[1].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\foot_slider[1].jpg (322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\img-video-2[1].gif (225 bytes)
%Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\favicon[1].ico (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[1].js (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\get_tj[1].php (1019 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (1398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20130531144119_126[1].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_tip[1].png (1555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123.sogou[1].htm (6365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\new-ico[1].png (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[2].js (254 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526151008_75[1].jpg (846 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin_[1].css (21 bytes)
%Program Files%\shandian\bin\theworld.ac (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140526163242_997[1].jpg (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cloudy[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[1].js (3123 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[1].js (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[1].js (2935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin2_0[1].gif (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526163043_207[1].jpg (1264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\guide_tip[1].png (3144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\texture[1].gif (1611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140520113551_825[1].jpg (401 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\img-news[1].gif (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\selogo_111207[1].png (1858 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[2].js (1368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v53_2icos[1].gif (2 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (193 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20130820165531_481[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[1].js (478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\selogo_111207[2].png (2331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\newioage[1].css (715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[2].js (11947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setskinbg[1].gif (397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[2].js (2303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i-ico-2b[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_top[1].jpg (441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140508103513_537[1].gif (3628 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[2].js (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\search_arrow[1].gif (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\20130830161205_609[1].gif (2642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\skin_tips_n1[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\edKzjJ6oPX1140[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\start_button[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zd7uDX2EkK0904[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[2].js (1187 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (8676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[2].js (2772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526163446_912[1].jpg (1815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\new-erweima2[1].png (3488 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_123_v53[1].php (14237 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\welcome_cn[1].htm (1469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\titlebg[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140526170756_638[1].jpg (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\v53_bicos[1].gif (826 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[1].js (0 bytes)
%Program Files%\shandian\bin\shandian.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_tip[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)

The process %original file name%.exe:1352 makes changes in the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

%Program Files%\shandian\ico\360.ico (32 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
%Program Files%\shandian\bin\shandian.ini (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\config0.ini (4 bytes)
%Program Files%\shandian\bin\shandian.exe (28283 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
%Program Files%\shandian\ico\ie.ico (700 bytes)
%Documents and Settings%\%current user%\Desktop\闪电浏览器.lnk (505 bytes)
%Program Files%\shandian\config.ini (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\xID.dll (10 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\闪电浏览器\卸载闪电浏览器.lnk (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\shandian\ico\anquan.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
%Program Files%\shandian\ico\taobao.ico (15 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\闪电浏览器\闪电浏览器.lnk (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\config.ini (3 bytes)
%Program Files%\shandian\bin\sdad.exe (12955 bytes)
%Program Files%\shandian\shandian.exe (3124 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\闪电浏览器.lnk (700 bytes)
%Documents and Settings%\%current user%\Desktop\360安全浏览器.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\bind.dll (1989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan-Downloader deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)
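Most of the file activity above is Internet Explorer cache, cookie and history bookkeeping, which any process that drives WinINet/urlmon (including an embedded browser control) writes as a side effect; the artifacts worth acquiring from an infected host are the files under %Program Files%\shandian\ and the shortcuts, whose GBK-encoded names read 闪电浏览器 ("Lightning Browser", i.e. shandian) and 360安全浏览器 ("360 Secure Browser"). The Python script below is an added example by the editor, not part of the Lavasoft report or the sample's own code: it parses lines in the report's `<path> (<n> bytes)` layout, buckets them with ordered regex rules, and checks a file's MD5/SHA1/SHA256 against the hashes in the report header. The bucket names are the editor's, the report lines in REPORT_LINES are copied from the listing above, and the reading of `Temp\nsf2.tmp\System.dll` as an installer's plugin directory is an assumption the report itself does not state.

```python
"""Triage helper for the "File activity" section of a sandbox report.

Added example by the editor; not part of the Lavasoft report or the sample.
REPORT_LINES is copied from the report; the bucket names and rules are the
editor's own assumptions.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Hashes of the analysed sample, as printed in the report header.
SAMPLE_IOC: Dict[str, str] = {
    "md5": "5a4e7104eec7aa193c948f874f8bfb45",
    "sha1": "54768cd7b1817c961c87730e1048acfea81d4a7c",
    "sha256": "6c2903a4bfab5cec466817324786134b5906c66304b77138286bd839498c81bb",
}

# A subset of the report's "creates and/or writes" lines (copied, not invented).
REPORT_LINES = r"""
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (495 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
%Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
%Program Files%\shandian\bin\shandian.exe (28283 bytes)
%Program Files%\shandian\bin\sdad.exe (12955 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX3.tmp (10 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
"""

LINE_RE = re.compile(r"^(?P<path>.+) \((?P<size>\d+) bytes\)$")

# Ordered rules; the first match wins. Everything above "shortcut"/"installed"
# is noise that WinINet/urlmon or the installer writes on behalf of the process.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("browser-cache",   re.compile(r"\\Temporary Internet Files\\", re.I)),
    ("browser-cookie",  re.compile(r"\\Cookies\\", re.I)),
    ("browser-history", re.compile(r"\\Local Settings\\History\\", re.I)),
    # ns?N.tmp holding System.dll etc. is the layout an NSIS-style installer
    # uses for its plugin DLLs (editor's assumption; the report does not say).
    ("installer-temp",  re.compile(r"\\Local Settings\\Temp\\ns[a-z]\d+\.tmp(\\|$)", re.I)),
    ("temp",            re.compile(r"\\Local Settings\\Temp\\", re.I)),
    ("shortcut",        re.compile(r"\.lnk$", re.I)),
    ("installed",       re.compile(r"^%Program Files%\\", re.I)),
]


def parse_line(line: str) -> Optional[Tuple[str, int]]:
    """Split '<path> (<n> bytes)' into (path, n); None for any other line."""
    m = LINE_RE.match(line.strip())
    return (m.group("path"), int(m.group("size"))) if m else None


def classify(path: str) -> str:
    for category, pattern in RULES:
        if pattern.search(path):
            return category
    return "other"


def triage(report: str) -> Dict[str, List[Tuple[str, int]]]:
    """Bucket every parsable report line by category, preserving order."""
    buckets: Dict[str, List[Tuple[str, int]]] = defaultdict(list)
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed:
            buckets[classify(parsed[0])].append(parsed)
    return dict(buckets)


def collectables(report: str) -> List[str]:
    """Paths worth acquiring from an infected host: installed files, then shortcuts."""
    buckets = triage(report)
    return [path for cat in ("installed", "shortcut") for path, _ in buckets.get(cat, [])]


def fingerprint(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of a file's bytes, keyed like SAMPLE_IOC."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_IOC}


def matches_sample(data: bytes) -> bool:
    """True only if all three digests equal the report's hashes."""
    return fingerprint(data) == SAMPLE_IOC


if __name__ == "__main__":
    for category, items in sorted(triage(REPORT_LINES).items()):
        print(f"{category:16s} {len(items)}")
    print("collect:", *collectables(REPORT_LINES), sep="\n  ")
```

Run against the full listing, the script reduces roughly 150 lines of cache noise to the handful of files under %Program Files%\shandian\ plus the shortcuts; pass the bytes of a suspect shandian installer to `matches_sample` to confirm it is this exact sample before comparing its behaviour with the report.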

Registry activity

The process sdad.exe:1612 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "sdad.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1384939658"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 5C 58 66 4B 24 BA A2 94 27 40 2C 5A 34 A3 40"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Downloader modifies IE security zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process shandian.exe:1236 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B A3 07 C7 C6 49 47 14 35 26 8F F2 AB EF 42 58"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan-Downloader modifies IE security zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process shandian.exe:1800 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052620140527]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014052620140527\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052620140527]
"CacheLimit" = "8192"

"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052620140527]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT]
"shandian.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014052620140527]
"CachePrefix" = ":2014052620140527:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "shandian.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
"shandian.exe" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1301653454"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 77 BC E3 97 80 BF 68 43 6B C5 06 B7 50 06 CF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan-Downloader modifies IE security zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan-Downloader modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1352 makes changes in the system registry.
The Trojan-Downloader creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"DisplayName" = "闪电浏览器"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"Publisher" = "闪电"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"URLInfoAbout" = "http://www.sd.com"
"DisplayIcon" = "%Program Files%\shandian\shandian.exe"

"UninstallString" = "%Program Files%\shandian\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\闪电浏览器]
"DisplayVersion" = "1.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A A0 54 7B 67 86 E7 2D A2 71 F6 7E 22 83 78 70"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan-Downloader modifies IE security zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan-Downloader modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To run itself automatically each time Windows is booted, the Trojan-Downloader adds a link to its file under the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"shandian" = "%Program Files%\shandian\shandian.exe"

The Trojan-Downloader modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan-Downloader deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
a7d710e78711d5ab90e4792763241754 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\Md5dll.dll
00a0194c20ee912257df53bfe258ee4a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\System.dll
e2b78c96162ad8c36a623e6a4ba1c216 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\bind.dll
3a5ed71aa9c6846d95d57235c4c443d7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\xID.dll
8f87437f10cd1ae1d2e8a16c74edb3bd c:\Program Files\shandian\bin\sdad.exe
14748083682ed1f9ef1dc28bb609050a c:\Program Files\shandian\bin\shandian.exe
e05c408b45877ca878fc12a27d016568 c:\Program Files\shandian\shandian.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 49152 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 241664 21744 22016 2.03341 10f67552647fb182549d1b8e84e53598

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.mdtxw.org/miniindex/images/aaa8.jpg 117.34.91.39
hxxp://p0.123.sogoucdn.com/imgu/2014/05/20140526170756_638.jpg 114.80.179.210
hxxp://123.sogou.com/?22014 106.120.151.61
hxxp://p7.123.sogoucdn.com/imgn/123ie/search_arrow.gif 114.80.179.206
hxxp://d.123.sogoucdn.com/v53/imgn/foot_slider.jpg 222.211.87.167
hxxp://123.sogou.com/jsn/hotdata.js?V=1401098128086 106.120.151.61
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1415945858 42.120.219.171
hxxp://pb.sogou.com/pv.gif?uigs_productid=daohang&rdk=1401098128055&img=pv.gif&pars=?rand=1401098128055&suid=null&sduv=1401098128008_9040_00001&ckid=3060_00001_00000_6308_00000_00000&m=null&apid=null&sgtp=null&refer=&page=&pageUrl=http%3A%2F%2F123.sogou.com%2F%3F22014&loc=null&hp=-1&pid=Af22014&ptype=index&pcode=index&yyid=null&skin=null&ver=v53_ie6_df__4&sys=100&ser=null&sev=null&time=5422 106.120.151.52
hxxp://pic2.xcarimg.com/img/news_photo/2014/05/26/zd7uDX2EkK0904.jpg 222.84.167.30
hxxp://123.sogou.com/v53/jsn/v53_123n.js?V=df 106.120.151.61
hxxp://p3.123.sogoucdn.com/imgn/sehome/tjv1/img-news.gif 222.211.87.167
hxxp://www.mdtxw.org/miniindex/shehui_509_366.htm?time=undefined 117.34.91.39
hxxp://www.mdtxw.org/miniindex/inc/jquery-1.7.2.min.js 117.34.91.39
hxxp://p3.123.sogoucdn.com/imgn/v51/new-erweima2.png 222.211.87.167
hxxp://p5.123.sogoucdn.com/imgu/2013/08/20130830161205_609.gif 114.80.179.224
hxxp://www.mdtxw.org/miniindex/images/b19.JPG 117.34.91.39
hxxp://www.mdtxw.org/miniindex/meinv.htm?time=undefined 117.34.91.39
hxxp://p0.123.sogoucdn.com/imgn/v32/titlebg.png 114.80.179.210
hxxp://p5.123.sogoucdn.com/imgu/2014/05/20140526163043_207.jpg 114.80.179.224
hxxp://p1.123.sogoucdn.com/imgn/v32/skin2_0.gif 114.80.179.226
hxxp://www.mdtxw.org/miniindex/images/aaa2.jpg 117.34.91.39
hxxp://www.fjmjm.com/web/images/start_button.jpg 112.124.102.171
hxxp://d.123.sogoucdn.com/ads_hz/_ads_2.js?t=778387 222.211.87.167
hxxp://www.fjmjm.com/web/images/texture.gif 112.124.102.171
hxxp://hzs10.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=1401115709&repeatip=3&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17555&sin=none&t=undefinedundefinedundefined&rnd=1145500216 42.156.140.25
hxxp://www.mdtxw.org/miniindex/images/aaa4.jpg 117.34.91.39
hxxp://d.123.sogou.com/jsn/v33_sugg_ajaj_v40_3.js 114.80.179.210
hxxp://p0.123.sogoucdn.com/imgu/2014/05/20140526163242_997.jpg 114.80.179.210
hxxp://123.sogou.com/images/weather/fine_cloudy.gif 106.120.151.61
hxxp://stat.fjmjm.com/web/PopWinParam.asp?d=2014419&mainver=1.0.0&popver=1.0.0&xmlver=20131020010000
hxxp://www.mdtxw.org/miniindex/ 117.34.91.39
hxxp://p0.123.sogoucdn.com/imgn/sehome/tjv1/subnav_v41.png 114.80.179.210
hxxp://www.mdtxw.org/miniindex/images/b13.jpg 117.34.91.39
hxxp://pb.sogou.com/pv.gif?uigs_productid=ufo&ufoid=wan&ptype=jztf2&pcode=index&rdk=1401098125415&img=pv.gif&sourcelist=0011000100006_0011000100007_0011000100008_0011000100009_0011000100010_0011000100011&titlelist=热血沙城_风云无双_暗黑屠龙_大闹天宫OL_万世_Sogou傲剑2 106.120.151.52
hxxp://d.123.sogou.com/jsn/citydata.js 114.80.179.210
hxxp://p8.123.sogoucdn.com/imgn/v32/selogo_111207.png 222.211.87.185
hxxp://d.123.sogoucdn.com/kan/static/css/DD_belatedPNG_0.0.8a-min.js?t= 222.211.87.167
hxxp://pcookie.cnzz.com/app.gif?&cna=PkIKDEZdlGUCAbhrJib8ISST 42.120.219.171
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=59071995 42.120.219.171
hxxp://hzs10.cnzz.com/stat.htm?id=5645354&r=http://www.mdtxw.org/miniindex/&lg=en-us&ntime=1401115709&repeatip=4&rtime=0&cnzz_eid=1230754101-1401115709-http://www.mdtxw.org/&showp=1024x768&st=-17553&sin=none&t=undefinedundefinedundefined&rnd=1207344477 42.156.140.25
hxxp://123.sogou.com/css/skin_.css?V=df 106.120.151.61
hxxp://www.fjmjm.com/web/images/guide_top.jpg 112.124.102.171
hxxp://www.mdtxw.org/miniindex/images/aaa5.jpg 117.34.91.39
hxxp://d.123.sogoucdn.com/v53/imgn/v53_2icos.gif 222.211.87.167
hxxp://www.mdtxw.org/miniindex/inc/stylemini.css 117.34.91.39
hxxp://www.mdtxw.org/miniindex/inc/style.css 117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa7.jpg 117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa6.jpg 117.34.91.39
hxxp://123.sogou.com/images/weather/cloudy.gif 106.120.151.61
hxxp://www.mdtxw.org/miniindex/images/aaa9.jpg 117.34.91.39
hxxp://stat.fjmjm.com/stat/?ac=stat&name=%original file name%.exe&mac=00-0C-29-D6-C5-9B&md5=ace8fd4527cbb1f50d0250340f929a7e
hxxp://p6.123.sogoucdn.com/imgu/2013/08/20130820165531_481.gif 222.211.87.171
hxxp://123.sogou.com/v53/get_tj.php?hz=4670327&ids=qiche 106.120.151.61
hxxp://p0.123.sogoucdn.com/u/js/ufo2.js 114.80.179.210
hxxp://www.mdtxw.org/miniindex/images/Untitled-1.gif 117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/b17.jpg 117.34.91.39
hxxp://pic3.xcarimg.com/img/news_photo/2014/05/26/edKzjJ6oPX1140.jpg 222.84.167.30
hxxp://p3.123.sogoucdn.com/imgn/v32/setskinbg.gif 222.211.87.167
hxxp://www.mdtxw.org/miniindex/images/b18.JPG 117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa10.jpg 117.34.91.39
hxxp://www.mdtxw.org/miniindex/images/aaa3.jpg 117.34.91.39
hxxp://p0.123.sogoucdn.com/imgu/2014/05/20140520113551_825.jpg 114.80.179.210
hxxp://www.fjmjm.com/favicon.ico 112.124.102.171
down.jsrjrc.org 222.186.60.12


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

Web Traffic was not found.

The Trojan-Downloader connects to the servers at the following location(s):

Strings from Dumps were not found.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    shandian.exe:1236
    shandian.exe:1800

  2. Delete the original Trojan-Downloader file.
  3. Delete or disinfect the following files created/modified by the Trojan-Downloader:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (798 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa9[1].jpg (2716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b19[1].jpg (2659 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stylemini[1].css (5481 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\0[1].swf (14391 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\nvxing_509_366[1].htm (2357 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[2].txt (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\normal_bg[1].png (6644 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpv1[1].htm (1117 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa7[1].jpg (3459 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[1].js (279 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[2].jpg (10051 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[2].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa1[1].jpg (7228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\miniindex[1].htm (1247 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b19[1].jpg (1816 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\min[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].php (1177 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (21204 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[2].css (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b16[1].jpg (7280 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa9[1].jpg (2739 bytes)
    %Program Files%\shandian\bin\update\PopWinParam.xml (196 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (495 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@70e[1].txt (515 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (798 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[1].jpg (4737 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@70e[2].txt (268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b17[1].jpg (8088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b13[1].jpg (5737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa5[1].jpg (14960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa6[1].jpg (4716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa8[1].jpg (2800 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa5[1].jpg (15139 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\meinv[1].htm (811 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Untitled-3[1].jpg (2528 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa10[1].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa2[1].jpg (5536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ico_new2[1].png (10020 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\xinwen[1].htm (810 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\Close[1].gif (348 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[2].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\close[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cpc_img[1].js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cpc_img[1].htm (442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b14[1].jpg (10434 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_swf[1].asp (2097 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\style[1].css (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[2].jpg (11588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (2795 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@565882[1].txt (139 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (410 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\meinv[1].htm (811 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\d[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa4[1].jpg (7936 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (615 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b18[2].jpg (1736 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (817 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\shehui_509_366[1].htm (1907 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\b17[1].jpg (6124 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\lieqi_509_366[1].htm (4014 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[1].jpg (10771 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b14[1].jpg (9831 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\shehui_509_366[1].htm (2816 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (330 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[2].htm (2276 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa8[1].jpg (1736 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\id=nHRLPjm3nWRY&gp=401&time=nHnLPjmzrHckPs[1].jpg (4478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aaa2[1].jpg (7096 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa3[2].jpg (12362 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lieqi_509_366[1].htm (1907 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\aaa7[1].jpg (2280 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.7.2.min[1].js (51789 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\cpc_ztyw[1].css (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2012_swf[1].js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b15[1].jpg (5752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Untitled-2[1].gif (1840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa1[1].jpg (10131 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\xinwen[1].htm (1799 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b16[1].jpg (5628 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jiankang_509_366[1].htm (1907 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aaa10[1].jpg (4059 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\b13[1].jpg (5136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\Untitled-1[1].gif (2360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery-1.7.2.min[2].js (4781 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\nvxing_509_366[1].htm (2273 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (1263 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\aaa6[1].jpg (4736 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fine_cloudy[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_arrow_h[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (1879 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\rec[1].do (377 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[1].js (678 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[1].js (8409 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123.sogou[1] (7853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[2].js (3170 bytes)
    %Program Files%\shandian\bin\twcache.ini (696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\logo_1112293[1].gif (188 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\icon4[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].js (3509 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setting_icon[1].gif (76 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin3[1].gif (1266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\fbg_about[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\subnav_v41[1].png (634 bytes)
    %Program Files%\shandian\bin\ImgCache\123.sogou.com_favicon.ico (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX3.tmp (10 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (317 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\selogo_111207[1].png (1858 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\foot_slider[1].jpg (322 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\img-video-2[1].gif (225 bytes)
    %Program Files%\shandian\bin\shandian.ini.tmp (244 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\favicon[1].ico (681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[1].js (678 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\get_tj[1].php (1019 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (1398 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20130531144119_126[1].png (1858 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_tip[1].png (1555 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\123.sogou[1].htm (6365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\new-ico[1].png (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\DD_belatedPNG_0.0.8a-min[2].js (254 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (181 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526151008_75[1].jpg (846 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin_[1].css (21 bytes)
    %Program Files%\shandian\bin\theworld.ac (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140526163242_997[1].jpg (186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cloudy[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[1].js (3123 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[1].js (1352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\citydata[1].js (2935 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\skin2_0[1].gif (592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526163043_207[1].jpg (1264 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\guide_tip[1].png (3144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\texture[1].gif (1611 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140520113551_825[1].jpg (401 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\img-news[1].gif (225 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\selogo_111207[1].png (1858 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[2].js (1368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v53_2icos[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (193 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20130820165531_481[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hotdata[1].js (478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\selogo_111207[2].png (2331 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\newioage[1].css (715 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ufo2[2].js (11947 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setskinbg[1].gif (397 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[2].js (2303 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\i-ico-2b[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\guide_top[1].jpg (441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140508103513_537[1].gif (3628 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\_ads_2[2].js (706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\search_arrow[1].gif (447 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\20130830161205_609[1].gif (2642 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\skin_tips_n1[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\edKzjJ6oPX1140[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\start_button[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zd7uDX2EkK0904[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v33_sugg_ajaj_v40_3[2].js (1187 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v53_123n[2].js (2772 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\20140526163446_912[1].jpg (1815 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\new-erweima2[1].png (3488 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\get_123_v53[1].php (14237 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\welcome_cn[1].htm (1469 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\titlebg[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\20140526170756_638[1].jpg (186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\v53_bicos[1].gif (826 bytes)
    %Program Files%\shandian\ico\360.ico (32 bytes)
    %Documents and Settings%\%current user%\Desktop\Internet Explorer.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\config0.ini (4 bytes)
    %Program Files%\shandian\bin\shandian.exe (28283 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
    %Program Files%\shandian\ico\ie.ico (700 bytes)
    %Documents and Settings%\%current user%\Desktop\闪电浏览器.lnk (505 bytes)
    %Program Files%\shandian\config.ini (194 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].htm (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\xID.dll (10 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\闪电浏览器\卸载闪电浏览器.lnk (507 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Program Files%\shandian\ico\anquan.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
    %Program Files%\shandian\ico\taobao.ico (15 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\闪电浏览器\闪电浏览器.lnk (694 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\config.ini (3 bytes)
    %Program Files%\shandian\bin\sdad.exe (12955 bytes)
    %Program Files%\shandian\shandian.exe (3124 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\闪电浏览器.lnk (700 bytes)
    %Documents and Settings%\%current user%\Desktop\360安全浏览器.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\bind.dll (1989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "shandian" = "%Program Files%\shandian\shandian.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
