Trojan.NSIS.StartPage_0a351d1ad1
Trojan.Win32.Badur.gcxa (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0a351d1ad1ce61aa7dbba809d2e2e0b5
SHA1: 54a1644b92fe5a7c555502c2005e1326fa2c4fc6
SHA256: 3602ae81fc6f227340c4af44e58f73ac99fdd4ae8ab274129d5fff998ecd770a
SSDeep: 24576:B3Q4Z6mR3FYze0YRQKYgaNzjG4u2fU55TBr/m:VZT1YzH0QKYDNfG4u2fU55TdO
Size: 1188893 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Frserira s
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
weatherRealTimeService.exe:3220
pmAqiFunction.exe:3252
ctfmon.exe:252
365weatherIns_61.exe:3088
bbxknhz_30448.exe:2448
greendou.exe:2408
weatherPng2Ico.exe:2628
pcWeather365.exe:876
tianqiUpdate.1004.exe:2184
setup_3128.exe:1076
xblzy_70304.exe:540
mscorsvw.exe:424
The Trojan injects its code into the following process(es):
ft.exe:3116
%original file name%.exe:2640
File activity
The process ft.exe:3116 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsvE.tmp\res\InstallWnd.zip (68506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvE.tmp\PluginInstallHelper.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (1536012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvE.tmp\System.dll (784 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsuC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvE.tmp (0 bytes)
The process 365weatherIns_61.exe:3088 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\btn_close.bmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\newfeather3.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\loading2.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\inetc.dll (784 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\checkbox2.bmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\SkinBtn.dll (4 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\cnzzonline.html (2 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\btn_complete.bmp (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\btn_next.bmp (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\bg.bmp (18424 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\newfeather2.jpg (784 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\newfeather1.jpg (784 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报.lnk (836 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ã¶ÔØ.lnk (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\loading1.bmp (456 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspA.tmp (79841 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\checkbox1.bmp (5 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\ToggleImages.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\nsWindows.dll (10 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9.tmp (0 bytes)
The process bbxknhz_30448.exe:2448 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMReport.dll.bdl (34731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1115 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa7.tmp (157347 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\yn.exe.bdl (582270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMNet.dll.bdl (41765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\tmpqqp7d4.dll (79085 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu6.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
The process greendou.exe:2408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\JompzATkEJ[1].js (2915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\track[1].js (7470 bytes)
%Documents and Settings%\%current user%\Cookies\M3WVHOHH.txt (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\0105200181d9a72429ddef8963f70a17[1].jpg (2326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\YGKeUDnXqV[1].css (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\blank[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\web[1].png (98 bytes)
%Documents and Settings%\%current user%\Cookies\QBIVM57P.txt (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\track[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\web_png8[1].png (955 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\wDhPRhkQFL[1].js (16110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\jLZZdlZktC[1].js (7052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\wHFhxVDOgf[1].js (53681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\sugdata[1].js (3015 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\getinterest[1].txt (39 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014010620140107\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\logonew[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\cc037b20788633c28f67740dc4267493[1].jpg (2802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\wph-1224[1].jpg (562 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\erjiicon_png8[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\dHXmFVzHyk[1].js (23128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\3780[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\1fdc246c6a7533ceb74404cbb7a378e5[1].jpg (2055 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ZNYvbkuJPN[1].js (3544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\NxSmTlnGDI[1].js (5939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\qXQrXDtqtK[1].js (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\baidu-form[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tizi[1].png (181 bytes)
%Documents and Settings%\%current user%\Cookies\OOCB1I07.txt (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\EyrRWikSPx[1].js (627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\a2[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\lazy-loading[1].gif (2298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tip_close-ie-fs8[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ssugdata[1].txt (483 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\shortcut[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\RUVnWBroCd[1].js (13965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\fpBQZAvHma[1].css (73155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\hf_body_bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\IvHLvpjSZl[1].css (50 bytes)
%Documents and Settings%\%current user%\Cookies\IPD1VB0O.txt (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\21.1[1].png (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\favicon[1].ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6D6MG1D\www.hao123[1].xml (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\aEoqAxwkVX[1].js (39045 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\textlink-ads[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\FiiutyiMcM[1].js (4646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\xyx_api[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (1288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\af5f93f7bbca100136bc76db19a45a56[1].jpg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\LWLSJgsieY[1].js (23878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\site-tip-fs8[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HKysnblQkf[1].css (5069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cupRkmfFoo[1].js (15503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\hao123_com[2].txt (28281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\index_icon[1].png (10111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\BkznmhpMso[1].js (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\defaultIcon0708[1].png (50 bytes)
%Documents and Settings%\%current user%\Cookies\4CSMUIMO.txt (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\xyx_api_proxy[1].htm (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\1e446ad31c844820454f758c6451f93a[1].jpg (2766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\coolhint[1].png (463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\3fb3165b4352eb66f6d8f4860120c7b9[1].jpg (2621 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\newforecast[1] (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\navigate[1].png (1718 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\hao123_com[1].txt (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\IPD1VB0O.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416 (0 bytes)
%Documents and Settings%\%current user%\Cookies\OOCB1I07.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\M3WVHOHH.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\4CSMUIMO.txt (0 bytes)
The process weatherPng2Ico.exe:2628 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF3D8E.tmp (0 bytes)
The process pcWeather365.exe:876 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Cookies\MZVT6KU1.txt (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\icon_9[1].gif (893 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (296 bytes)
%Program Files%\pcWeather365\weatherData.tmp (358 bytes)
%Documents and Settings%\%current user%\Cookies\ID1K4EPB.txt (83 bytes)
%Program Files%\pcWeather365\config.ini (8 bytes)
%Documents and Settings%\%current user%\Cookies\ACE7QXY5.txt (249 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\ID1K4EPB.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\15909623[1].js (0 bytes)
The process %original file name%.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (97328 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (25580 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\open.ini (635 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (348 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (63319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\NSISdl.dll (14 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (338162 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (902 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\processwork.dll (6140 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xblzy_70304.exe (172520 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bbxknhz_30448.exe (189643 bytes)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\nsRandom.dll (935 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (0 bytes)
The process tianqiUpdate.1004.exe:2184 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (67 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pm25Info\pm25Info.db.!mv (615 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db.!mv (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\weatherInfo[1].xml (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\pngicoInfo[1].xml (25 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\updateInfo.db.!mv (608 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pmAqiInfo\pmAqiInfo.db.!mv (329 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (1390 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pngicoInfo\pngicoInfo.db.!mv (25 bytes)
%Documents and Settings%\%current user%\Cookies\33QHGEUE.txt (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\updateInfo[1].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\pm25Info[1].xml (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\pmAqiInfo[1].xml (329 bytes)
%Program Files%\pcWeather365\config.ini (200 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (0 bytes)
The process setup_3128.exe:1076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\YYMusic\201416\Skin\forecolor_7.png (5 bytes)
%Program Files%\YYMusic\201416\lyrics\baidu_13881991.lrc (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_6.png (5 bytes)
%Program Files%\YYMusic\201416\Data\server.ini (1 bytes)
%Program Files%\YYMusic\201416\lyrics\baidu_13766042.lrc (1 bytes)
%Program Files%\YYMusic\201416\Skin\320x225.png (784 bytes)
%Program Files%\YYMusic\201416\Skin\like.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\FrmPopWnd.xml (354 bytes)
%Program Files%\YYMusic\201416\Skin\update.xml (2 bytes)
%Program Files%\YYMusic\201416\Skin\FrmDropDownMenuFrame.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\FrmSystemMenuFrame.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\history.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\bkcolor_6.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\pl_btn_on.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\frmdownmenu.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\loading01.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\PlayProgressForeImage.png (142 bytes)
%Program Files%\YYMusic\201416\Skin\color_bg.bmp (784 bytes)
%Program Files%\YYMusic\201416\Skin\remembertt.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\menu.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btnsteup.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\pl_split.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\bg_2.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_1.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\random01.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\list_scroll_bar2.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\list_play.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_list_bk.png (1552 bytes)
%Program Files%\YYMusic\201416\Skin\suspensiontopahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensioncloseahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\playersidebg.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\button.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\reflash.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionbig.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\WindowLrcbkIamge.png (732 bytes)
%Program Files%\YYMusic\201416\Skin\playingpreva.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn_close.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\pl_close.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\FrmMenuFrame.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\Òôÿµ÷½Úµã.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\play0520.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyricdeletea.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\musiclibrary.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\color_003highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\lrclist.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\pl_res.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_012.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyriclikea.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_006highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\color_011.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyricdeletea2.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\btn_kw.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\power.png (5 bytes)
%Program Files%\YYMusic\201416\picture\baidu_c8ea15ce36d3d539f9c9305e3b87e950342ab0b2.jpg (784 bytes)
%Program Files%\YYMusic\201416\Skin\list_title_bg.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pop_bkimage.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\mine.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\list_scroll_bar.png (1 bytes)
%Program Files%\YYMusic\201416\avcodec-54.dll (23936 bytes)
%Program Files%\YYMusic\201416\Skin\color_009.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\mini.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\frmplaylist.xml (5 bytes)
%Program Files%\YYMusic\201416\Skin\pl_big.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_4.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\color_005highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\btn-delete.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_set.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyriclikea2.png (3 bytes)
%Program Files%\YYMusic\201416\SysConfig.ini (217 bytes)
%Program Files%\YYMusic\201416\Skin\pl_feedback.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn_xm.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionfeedbacka.png (1 bytes)
%Program Files%\YYMusic\201416\Data\client.ini (38 bytes)
%Program Files%\YYMusic\201416\Skin\btn-next.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionmina.png (1 bytes)
%Program Files%\YYMusic\201416\picture\baidu_e1fe9925bc315c60bbe955728cb1cb134954772a.jpg (784 bytes)
%Program Files%\YYMusic\201416\Skin\random.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\astop.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionclose.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\input-password.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_small.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn-login2.png (6 bytes)
%Program Files%\YYMusic\201416\Skin\collection.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\FrmFeedBack.xml (411 bytes)
%Program Files%\YYMusic\201416\Skin\voiceall0528.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lista.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionminahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\bg2.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\mineahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_016.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionsetahover.png (1 bytes)
%Program Files%\YYMusic\201416\picture\baidu_c2cec3fdfc03924517c1df928694a4c27d1e2532.jpg (784 bytes)
%Program Files%\YYMusic\201416\Skin\pl_icon.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\loading03.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyricmute.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_004highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\progress_fore.png (2 bytes)
%Program Files%\YYMusic\201416\Data\setup.ini (35 bytes)
%Program Files%\YYMusic\201416\Skin\DefaultUserImage.jpg (6 bytes)
%Program Files%\YYMusic\201416\Skin\fbcaptionbk.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\random03a.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\125x125.jpg (784 bytes)
%Program Files%\YYMusic\201416\Skin\more.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\icon.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\back.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_005.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\btn_ok_red.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\color_001.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\bk.png (3616 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionset.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_007highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\playingrandoma.jpg (2 bytes)
%Program Files%\YYMusic\201416\favorfm.xml (66 bytes)
%Program Files%\YYMusic\201416\Skin\BtnHidePlayList.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\border.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn_ok_blue.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\FrmConfig.xml (4 bytes)
%Program Files%\YYMusic\201416\Unins.exe (9608 bytes)
%Program Files%\YYMusic\201416\Skin\color_013.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\dash.png (955 bytes)
%Program Files%\YYMusic\201416\Skin\sys_check_btn_whiter.png (318 bytes)
%Program Files%\YYMusic\201416\Skin\channel.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionseta.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\prevention.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\forgettt.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\playingnext.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\btn_sc.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\playerbg01.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\list_item_bg.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensiontopa.png (1 bytes)
%Program Files%\YYMusic\201416\channels.xml (784 bytes)
%Program Files%\YYMusic\201416\lyrics\baidu_262581.lrc (993 bytes)
%Program Files%\YYMusic\201416\Skin\color_010.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\random02hover.jpg (2 bytes)
%Program Files%\YYMusic\201416\Skin\btn_fh.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\color_014.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_3.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btnfeedback.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\color_006.bmp (560 bytes)
%Program Files%\YYMusic\201416\Skin\sys_check_btn_red.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\LyricFrameVoice.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\downda.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_play.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\frmlogin.xml (3 bytes)
%Program Files%\YYMusic\201416\Skin\FrmLrcChild.xml (263 bytes)
%Program Files%\YYMusic\201416\Skin\pl_vol.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\random03.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_007.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\sound.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\pushedVolume.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btnexit - 副本.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\close.png (1 bytes)
%Program Files%\YYMusic\201416\libav.dll (6360 bytes)
%Program Files%\YYMusic\201416\Skin\pl_btn_down.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\next0520.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionfeedbackahover.png (1 bytes)
%Program Files%\YYMusic\201416\Data\dh.ini (56 bytes)
%Program Files%\YYMusic\201416\Skin\frmplayer.xml (10 bytes)
%Program Files%\YYMusic\201416\Skin\minea.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_back.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\voice00528.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\slider_bg.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\downd.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\frmWindowLrc.xml (174 bytes)
%Program Files%\YYMusic\201416\Skin\pl_mutevol.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\lyriclike.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\random02.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_5.png (5 bytes)
%Program Files%\YYMusic\201416\PlayerUpdate.exe (5064 bytes)
%Program Files%\YYMusic\201416\Skin\random0520.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\playinginga.jpg (5 bytes)
%Program Files%\YYMusic\201416\Skin\color_unsel.bmp (5 bytes)
%Program Files%\YYMusic\201416\Skin\FrmLrc.xml (7 bytes)
%Program Files%\YYMusic\201416\Skin\mini窗.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\SelectColor_SliderBar_Thumb.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_2.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\prev0520.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\playingvoice.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionbigahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn-anonymity.png (8 bytes)
%Program Files%\YYMusic\201416\Skin\playingplaying.jpg (2 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionmin.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\progresstooltip.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\progresstooltipbk.png (1552 bytes)
%Program Files%\YYMusic\201416\Skin\min.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\voice0520.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyricdelete.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_003.bmp (560 bytes)
%Program Files%\YYMusic\201416\Skin\color_015.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btnexit.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\random02a.jpg (2 bytes)
%Program Files%\YYMusic\201416\Skin\voice0a0528.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyrictoplay.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\BtnRightTop.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn-login.png (3 bytes)
%Program Files%\YYMusic\201416\DuiLib.dll (16288 bytes)
%Program Files%\YYMusic\201416\avutil-52.dll (5520 bytes)
%Program Files%\YYMusic\201416\avformat-54.dll (12536 bytes)
%Program Files%\YYMusic\201416\Skin\sound100.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn_ok.png (3 bytes)
%Program Files%\YYMusic\201416\pthreadGC2.dll (3616 bytes)
%Program Files%\YYMusic\201416\audio.dll (3616 bytes)
%Program Files%\YYMusic\201416\Skin\max.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\SetTipFrame.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\LrcBk.png (7 bytes)
%Program Files%\YYMusic\201416\Skin\bkcolor_7.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\suspensiontop.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionfeedback.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_004.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\playingprev.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\home.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\steup.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\btn_db.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\random01a.jpg (2 bytes)
%Program Files%\YYMusic\201416\Skin\sys_check_btn.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_prev.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\downdahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\list_item.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\playingrandom.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn_9k.png (4 bytes)
%Program Files%\YYMusic\201416\source.dll (6584 bytes)
%Program Files%\YYMusic\201416\Skin\prev.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\tab_comm.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\hotkeytipbk.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionbiga.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn-play.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\frmWebBrowser.xml (308 bytes)
%Program Files%\YYMusic\201416\Skin\input-user.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\list.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\mainframeshadow.png (4992 bytes)
%Program Files%\YYMusic\201416\Skin\loading02.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_next.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\playinging.jpg (2 bytes)
%Program Files%\YYMusic\201416\Skin\font_forecolor.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_itself.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\playerlist.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\playerbg02.png (1 bytes)
%Program Files%\YYMusic\201416\avcore.dll (2392 bytes)
%Program Files%\YYMusic\201416\Skin\pl_forward.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\MessageBox.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_008highlight.bmp (552 bytes)
%Program Files%\YYMusic\201416\Skin\FrmHotKeyTip.xml (482 bytes)
%Program Files%\YYMusic\201416\Skin\AutoRunTipFrame.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn-pause.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\bkcolor_4.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\bkcolor_5.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\bkcolor_1.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\next.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\pl_desktop.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\sound (2).jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\random01hover.jpg (2 bytes)
%Program Files%\YYMusic\201416\Skin\btn_bd.png (4 bytes)
%Program Files%\YYMusic\201416\swresample-0.dll (3312 bytes)
%Program Files%\YYMusic\201416\Skin\btn-fav.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\pl_pause.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionlogin.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\btn_comm.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\FrmColor.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\feedback.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\bkcolor_2.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\LoginBk.png (3312 bytes)
%Program Files%\YYMusic\201416\Skin\exit.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\random03hover.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\frmProgressToolTip.xml (393 bytes)
%Program Files%\YYMusic\201416\Skin\color_001highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionclosea.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\DownLoadProgressForeImage.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\font_bkcolor.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\frmWindowLrcParent.xml (157 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btntop.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\bg3.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\pl_color.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\listahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\scrollbar.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\sys_check_btn_blue.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_002highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Data\version.ini (32 bytes)
%Program Files%\YYMusic\201416\Skin\play2.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\pl_bg.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\tooltipbk.png (319 bytes)
%Program Files%\YYMusic\201416\Skin\FrmSetWindowLrcFrame.xml (3 bytes)
%Program Files%\YYMusic\201416\Skin\ÒôÿÌõ.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\headimg.png (784 bytes)
%Program Files%\YYMusic\201416\Skin\color_002.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btnmini.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\normalVolume.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\voice1000528.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\list_pause.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_008.bmp (556 bytes)
%Program Files%\YYMusic\201416\Skin\loading04.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\search.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\bkcolor_3.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btnmin.png (3 bytes)
The process xblzy_70304.exe:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\BDMNet.dll.bdl (45960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\BDMReport.dll.bdl (37245 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (962 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\224b984faf5cf92bdb1ec47086915af6.bdt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\BDMDownload.dll (7192 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (2381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh4.tmp (124743 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\ft.exe.bdl (368142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\hu.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\tmpddxyd4.dll (15536 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (0 bytes)
The process mscorsvw.exe:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (848 bytes)
Registry activity
The process weatherRealTimeService.exe:3220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 0B F4 74 40 30 F7 74 57 C6 7C 93 DB 2B 42 1C"
(The RNG\Seed value is rewritten by the Windows CryptoAPI whenever any process draws random bytes, which is why it appears under most processes in this report; it is a side effect of execution, not an indicator.)
[HKCR\AppID\weatherService.EXE]
"AppID" = "{636DA746-D508-400B-86A0-AE7F3C4008F7}"
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService" = "weatherRealTimeService"
"(Default)" = "weatherService"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService"
The process ft.exe:3116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 05 72 A1 AD 12 C2 4E F0 27 A5 AF B9 9A 7B 2F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process pmAqiFunction.exe:3252 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 45 2F 07 17 C6 83 17 AE 7B 72 D7 9D DE 00 F9"
The process ctfmon.exe:252 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The following autorun value is removed, which disables automatic startup of the legacy internat.exe locale indicator:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
(ctfmon.exe is the Windows Text Services Framework loader, a system component; replacing the internat.exe Run entry is its own behaviour on Windows XP and should not be attributed to the sample.)
The process 365weatherIns_61.exe:3088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"UninstallString" = "%Program Files%\pcWeather365\uninst.exe"
"DisplayIcon" = "%Program Files%\pcWeather365\pcWeather365.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"appdata" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"URLInfoAbout" = "http://114tq.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"quick" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"Publisher" = "365ÆøÃó¹¤×÷ÊÒ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"(Default)" = "%Program Files%\pcWeather365\pcWeather365.exe"
"desk" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"pcWeather365/weatherRealTimeService.exe" = "weatherRealTimeService"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayName" = "pcWeather365 1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Mac" = "00-0C-29-3B-DF-2F"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 3C 0D 71 62 72 30 82 C9 9B A5 66 A9 02 4E 97"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayVersion" = "1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"jieguo" = "mac=00-0C-29-3B-DF-2F&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=f72e066ddb1d94ae63e1d32390e05757"
The Trojan sets IE Local intranet zone options. "UNCAsIntranet" places all UNC network paths in the Local intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" places all sites that bypass the proxy server in the Local intranet zone:
"ProxyBypass" = "1"
Proxy use is switched off:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
"IntranetName" places all local (dotless) site names not assigned to another zone in the Local intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
(These three flags, together with "AutoDetect" = "1", are also IE's usual default Local intranet configuration on a standalone machine, so on their own they are weak evidence of tampering; the proxy and autorun changes are the stronger indicators.)
To run at each logon, the Trojan adds the following value to the user autorun key, launching pcWeather365.exe with the /autorun switch:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process bbxknhz_30448.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 18 89 A5 ED EA 4E 26 A9 1A D8 3E C4 9D F4 16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp8.tmp]
"yn.exe" = "yn"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets IE Local intranet zone options. "ProxyBypass" places all sites that bypass the proxy server in the Local intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
"UNCAsIntranet" places all UNC network paths in the Local intranet zone:
"UNCAsIntranet" = "1"
"IntranetName" places all local (dotless) site names not assigned to another zone in the Local intranet zone:
"IntranetName" = "1"
(Together with "AutoDetect" = "1" above, these are also IE's usual default Local intranet settings on a standalone machine, so they are weak evidence of tampering on their own.)
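The registry blocks for 365weatherIns_61.exe and bbxknhz_30448.exe mix a few changes worth acting on (the Run value, the Local intranet flags, the cleared proxy settings, the MAC address and promotion record written under App Paths) with entries that any process leaves behind on Windows XP. The script below is an added example, not part of the Lavasoft report or its tooling: it parses the report's own plain-text layout and separates the two. The noise list encodes this editor's judgement about which keys are side effects, and the embedded sample is a constructed excerpt of the entries shown above so that the script runs offline.

```python
"""Triage the registry-activity section of a sandbox report (added example,
not the report producer's code). Parses "The process X makes changes ...",
"[key]", "name" = "value" and bare "name" lines under a delete heading."""
import re
from dataclasses import dataclass
from typing import Optional

PROCESS_RE = re.compile(r"^The process (\S+) makes changes in the system registry\.$")
KEY_RE = re.compile(r"^\[(.+)\]$")
SET_RE = re.compile(r'^"(.*?)"\s*=\s*"(.*)"$')  # the value may itself contain quotes
DELETED_RE = re.compile(r'^"([^"]*)"$')         # bare name under a delete heading

# Side effects of ordinary execution (editor's judgement, not from the report).
NOISE = [
    (r"\\Cryptography\\RNG$", r"^Seed$"),             # CryptoAPI reseeds on every RNG call
    (r"\\Explorer\\MountPoints2\\", r"^BaseClass$"),  # Explorer enumerating drives
    (r"\\Explorer\\Shell Folders$", r".*"),           # SHGetFolderPath refreshing paths
    (r"\\ShellNoRoam\\MUICache", r".*"),              # shell caching a window title
    (r"\\Internet Settings\\ZoneMap$", r"^AutoDetect$"),  # IE default, not a weakening
]
# (label, key pattern, name pattern, value pattern; None = only when deleted)
FINDINGS = [
    ("autorun persistence", r"\\CurrentVersion\\Run(Once)?$", r".*", r".*"),
    ("Local intranet zone widened", r"\\Internet Settings\\ZoneMap$",
     r"^(IntranetName|ProxyBypass|UNCAsIntranet)$", r"^1$"),
    ("proxy disabled", r"\\Internet Settings$", r"^ProxyEnable$", r"^0$"),
    ("proxy configuration removed", r"\\Internet Settings$",
     r"^(AutoConfigURL|ProxyServer|ProxyOverride)$", None),
    ("install tracking data (MAC, promotion id, verification hash)",
     r"\\App Paths\\", r"^(Mac|jieguo|Index)$", r".*"),
]

@dataclass
class Entry:
    process: str
    key: str
    name: str
    value: Optional[str]  # None: the report lists the value as deleted

def parse_registry_section(text: str) -> list:
    """Walk the report, tracking the current process, key and set/delete mode."""
    entries, process, key, deleting = [], "?", "", False
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROCESS_RE.match(line):
            process, key, deleting = m.group(1), "", False
        elif "deletes the following value" in line:
            deleting = True
        elif "creates and/or sets the following values" in line:
            deleting = False
        elif m := KEY_RE.match(line):
            key = m.group(1)
        elif m := SET_RE.match(line):
            entries.append(Entry(process, key, m.group(1), m.group(2)))
        elif deleting and (m := DELETED_RE.match(line)):
            entries.append(Entry(process, key, m.group(1), None))
        # the report's explanatory sentences between key lines are ignored
    return entries

def _hit(pattern: str, s: str) -> bool:
    return re.search(pattern, s, re.IGNORECASE) is not None

def classify(e: Entry) -> Optional[str]:
    """Finding label, "noise", or None for an entry neither list knows."""
    for label, key_pat, name_pat, value_pat in FINDINGS:
        if _hit(key_pat, e.key) and _hit(name_pat, e.name):
            if value_pat is None and e.value is None:
                return label
            if value_pat is not None and e.value is not None and _hit(value_pat, e.value):
                return label
    for key_pat, name_pat in NOISE:
        if _hit(key_pat, e.key) and _hit(name_pat, e.name):
            return "noise"
    return None

def triage(text: str) -> dict:
    """Split entries into findings, a noise count and unrecognised leftovers."""
    out = {"findings": [], "noise": 0, "unclassified": []}
    for e in parse_registry_section(text):
        label = classify(e)
        if label == "noise":
            out["noise"] += 1
        elif label is None:
            out["unclassified"].append(e)
        else:
            out["findings"].append({"process": e.process, "label": label,
                                    "key": e.key, "name": e.name, "value": e.value})
    return out

# Constructed sample: an excerpt of the entries listed in this report.
SAMPLE_REPORT = r"""
The process ft.exe:3116 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 05 72 A1 AD 12 C2 4E F0 27 A5 AF B9 9A 7B 2F"
The process 365weatherIns_61.exe:3088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Mac" = "00-0C-29-3B-DF-2F"
"jieguo" = "mac=00-0C-29-3B-DF-2F&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=f72e066ddb1d94ae63e1d32390e05757"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT)["findings"]:
        print(f'{f["process"]}: {f["label"]} -> [{f["key"]}] "{f["name"]}" = {f["value"]!r}')
```

Anything the two lists do not recognise lands in "unclassified" rather than being silently dropped, so a new kind of entry (for example the HKCR\AppID registration made by weatherRealTimeService.exe above) shows up for manual review until a rule is added for it.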
The process greendou.exe:2408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010620140107]
"CachePrefix" = ":2014010620140107:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-12693" = "Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010620140107]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014010620140107"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010620140107]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\Total]
"(Default)" = "81"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "greendou.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010620140107]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1244086619"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 45 8B 86 42 9C 13 B5 A5 9D 59 76 B6 AA DA 8B"
[HKCU\Software\Gie]
"update2" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\DOMStorage\hao123.com]
"(Default)" = "42"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010620140107]
"CacheRepair" = "0"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041520130416]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040820130415]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\System\CurrentControlSet\Services\Tcpip\Performance]
"Error Count"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process weatherPng2Ico.exe:2628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 5E 7E 41 25 16 B4 CB 95 69 76 F0 A7 01 3E 02"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process pcWeather365.exe:876 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\pcWeather365]
"tianqiUpdate.1004.exe" = "气象升级更新"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\pcWeather365]
"pmAqiFunction.exe" = "空气质量(AQI)数据监控"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 72 19 E7 18 F6 32 3F BF 24 63 A8 ED 67 AD 93"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayName" = "绿豆浏览器 1.0.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayVersion" = "1.0.0.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"Publisher" = "aaa14"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process tianqiUpdate.1004.exe:2184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\pcWeather365]
"weatherPng2Ico.exe" = "气象图标自动校检模块"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"
[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E D6 E9 4C 1E 4E 02 4F FE 7C CE EC AE 55 38 E8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process setup_3128.exe:1076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 56 82 C9 D0 62 80 87 39 0C AB 56 13 6E CF 2B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\YYMusic]
"Rd" = "_201416"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\YyfmPlay]
"Rd" = "_201416"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YyfmPlay"
"BoxNews"
"YYMusic_News"
"YYMusic"
The process xblzy_70304.exe:540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 EA 1A 88 55 B9 CF 86 6E B0 0D 59 83 64 E0 44"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw5.tmp]
"ft.exe" = "ft"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\metnsd\clsid]
"SequenceID" = "99 D0 12 A6 FA 36 3D 44 A6 2E A2 F3 B6 98 33 52"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Network activity (URLs)
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
weatherRealTimeService.exe:3220
pmAqiFunction.exe:3252
365weatherIns_61.exe:3088
bbxknhz_30448.exe:2448
greendou.exe:2408
weatherPng2Ico.exe:2628
pcWeather365.exe:876
tianqiUpdate.1004.exe:2184
setup_3128.exe:1076
xblzy_70304.exe:540
mscorsvw.exe:424
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsvE.tmp\res\InstallWnd.zip (68506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvE.tmp\PluginInstallHelper.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (1536012 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvE.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\btn_close.bmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\newfeather3.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\loading2.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\inetc.dll (784 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\checkbox2.bmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\SkinBtn.dll (4 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\cnzzonline.html (2 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\btn_complete.bmp (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\btn_next.bmp (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\bg.bmp (18424 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\newfeather2.jpg (784 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\newfeather1.jpg (784 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报.lnk (836 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ã¶ÔØ.lnk (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\loading1.bmp (456 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspA.tmp (79841 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\checkbox1.bmp (5 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\ToggleImages.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuB.tmp\nsWindows.dll (10 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMReport.dll.bdl (34731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1115 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa7.tmp (157347 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\yn.exe.bdl (582270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMNet.dll.bdl (41765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\tmpqqp7d4.dll (79085 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\JompzATkEJ[1].js (2915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\track[1].js (7470 bytes)
%Documents and Settings%\%current user%\Cookies\M3WVHOHH.txt (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\0105200181d9a72429ddef8963f70a17[1].jpg (2326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\YGKeUDnXqV[1].css (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\blank[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\web[1].png (98 bytes)
%Documents and Settings%\%current user%\Cookies\QBIVM57P.txt (712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\track[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\web_png8[1].png (955 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\wDhPRhkQFL[1].js (16110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\jLZZdlZktC[1].js (7052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\wHFhxVDOgf[1].js (53681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\sugdata[1].js (3015 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\getinterest[1].txt (39 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014010620140107\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\logonew[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\cc037b20788633c28f67740dc4267493[1].jpg (2802 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\wph-1224[1].jpg (562 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\erjiicon_png8[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\dHXmFVzHyk[1].js (23128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\3780[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\1fdc246c6a7533ceb74404cbb7a378e5[1].jpg (2055 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ZNYvbkuJPN[1].js (3544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\NxSmTlnGDI[1].js (5939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\qXQrXDtqtK[1].js (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\baidu-form[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tizi[1].png (181 bytes)
%Documents and Settings%\%current user%\Cookies\OOCB1I07.txt (240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\EyrRWikSPx[1].js (627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\a2[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\lazy-loading[1].gif (2298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tip_close-ie-fs8[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ssugdata[1].txt (483 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\shortcut[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\RUVnWBroCd[1].js (13965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\fpBQZAvHma[1].css (73155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\hf_body_bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\IvHLvpjSZl[1].css (50 bytes)
%Documents and Settings%\%current user%\Cookies\IPD1VB0O.txt (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\21.1[1].png (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\favicon[1].ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\C6D6MG1D\www.hao123[1].xml (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\aEoqAxwkVX[1].js (39045 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\textlink-ads[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\FiiutyiMcM[1].js (4646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\xyx_api[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (1288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\af5f93f7bbca100136bc76db19a45a56[1].jpg (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\LWLSJgsieY[1].js (23878 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\site-tip-fs8[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\HKysnblQkf[1].css (5069 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cupRkmfFoo[1].js (15503 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\hao123_com[2].txt (28281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\index_icon[1].png (10111 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\BkznmhpMso[1].js (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\defaultIcon0708[1].png (50 bytes)
%Documents and Settings%\%current user%\Cookies\4CSMUIMO.txt (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\xyx_api_proxy[1].htm (296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\1e446ad31c844820454f758c6451f93a[1].jpg (2766 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\coolhint[1].png (463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\3fb3165b4352eb66f6d8f4860120c7b9[1].jpg (2621 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\newforecast[1] (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\navigate[1].png (1718 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\hao123_com[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Cookies\MZVT6KU1.txt (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\icon_9[1].gif (893 bytes)
%Program Files%\pcWeather365\weatherData.tmp (358 bytes)
%Documents and Settings%\%current user%\Cookies\ID1K4EPB.txt (83 bytes)
%Documents and Settings%\%current user%\Cookies\ACE7QXY5.txt (249 bytes)
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (97328 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (25580 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\open.ini (635 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (63319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\NSISdl.dll (14 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (338162 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\processwork.dll (6140 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xblzy_70304.exe (172520 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bbxknhz_30448.exe (189643 bytes)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\nsRandom.dll (935 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pm25Info\pm25Info.db.!mv (615 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db.!mv (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\weatherInfo[1].xml (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\pngicoInfo[1].xml (25 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\updateInfo.db.!mv (608 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pmAqiInfo\pmAqiInfo.db.!mv (329 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pngicoInfo\pngicoInfo.db.!mv (25 bytes)
%Documents and Settings%\%current user%\Cookies\33QHGEUE.txt (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\updateInfo[1].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\pm25Info[1].xml (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\pmAqiInfo[1].xml (329 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_7.png (5 bytes)
%Program Files%\YYMusic\201416\lyrics\baidu_13881991.lrc (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_6.png (5 bytes)
%Program Files%\YYMusic\201416\Data\server.ini (1 bytes)
%Program Files%\YYMusic\201416\lyrics\baidu_13766042.lrc (1 bytes)
%Program Files%\YYMusic\201416\Skin\320x225.png (784 bytes)
%Program Files%\YYMusic\201416\Skin\like.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\FrmPopWnd.xml (354 bytes)
%Program Files%\YYMusic\201416\Skin\update.xml (2 bytes)
%Program Files%\YYMusic\201416\Skin\FrmDropDownMenuFrame.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\FrmSystemMenuFrame.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\history.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\bkcolor_6.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\pl_btn_on.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\frmdownmenu.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\loading01.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\PlayProgressForeImage.png (142 bytes)
%Program Files%\YYMusic\201416\Skin\color_bg.bmp (784 bytes)
%Program Files%\YYMusic\201416\Skin\remembertt.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\menu.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btnsteup.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\pl_split.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\bg_2.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_1.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\random01.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\list_scroll_bar2.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\list_play.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_list_bk.png (1552 bytes)
%Program Files%\YYMusic\201416\Skin\suspensiontopahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensioncloseahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\playersidebg.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\button.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\reflash.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionbig.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\WindowLrcbkIamge.png (732 bytes)
%Program Files%\YYMusic\201416\Skin\playingpreva.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn_close.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\pl_close.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\FrmMenuFrame.xml (1 bytes)
%Program Files%\YYMusic\201416\Skin\Òôÿµ÷½Úµã.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\play0520.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyricdeletea.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\musiclibrary.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\color_003highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\lrclist.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\pl_res.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_012.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyriclikea.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_006highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\color_011.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyricdeletea2.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\btn_kw.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\power.png (5 bytes)
%Program Files%\YYMusic\201416\picture\baidu_c8ea15ce36d3d539f9c9305e3b87e950342ab0b2.jpg (784 bytes)
%Program Files%\YYMusic\201416\Skin\list_title_bg.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pop_bkimage.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\mine.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\list_scroll_bar.png (1 bytes)
%Program Files%\YYMusic\201416\avcodec-54.dll (23936 bytes)
%Program Files%\YYMusic\201416\Skin\color_009.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\mini.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\frmplaylist.xml (5 bytes)
%Program Files%\YYMusic\201416\Skin\pl_big.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_4.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\color_005highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\btn-delete.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_set.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyriclikea2.png (3 bytes)
%Program Files%\YYMusic\201416\SysConfig.ini (217 bytes)
%Program Files%\YYMusic\201416\Skin\pl_feedback.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn_xm.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionfeedbacka.png (1 bytes)
%Program Files%\YYMusic\201416\Data\client.ini (38 bytes)
%Program Files%\YYMusic\201416\Skin\btn-next.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionmina.png (1 bytes)
%Program Files%\YYMusic\201416\picture\baidu_e1fe9925bc315c60bbe955728cb1cb134954772a.jpg (784 bytes)
%Program Files%\YYMusic\201416\Skin\random.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\astop.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionclose.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\input-password.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_small.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn-login2.png (6 bytes)
%Program Files%\YYMusic\201416\Skin\collection.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\FrmFeedBack.xml (411 bytes)
%Program Files%\YYMusic\201416\Skin\voiceall0528.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lista.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionminahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\bg2.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\mineahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_016.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionsetahover.png (1 bytes)
%Program Files%\YYMusic\201416\picture\baidu_c2cec3fdfc03924517c1df928694a4c27d1e2532.jpg (784 bytes)
%Program Files%\YYMusic\201416\Skin\pl_icon.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\loading03.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\lyricmute.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_004highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\progress_fore.png (2 bytes)
%Program Files%\YYMusic\201416\Data\setup.ini (35 bytes)
%Program Files%\YYMusic\201416\Skin\DefaultUserImage.jpg (6 bytes)
%Program Files%\YYMusic\201416\Skin\fbcaptionbk.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\random03a.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\125x125.jpg (784 bytes)
%Program Files%\YYMusic\201416\Skin\more.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\icon.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\back.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_005.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\btn_ok_red.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\color_001.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\bk.png (3616 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionset.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_007highlight.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\playingrandoma.jpg (2 bytes)
%Program Files%\YYMusic\201416\favorfm.xml (66 bytes)
%Program Files%\YYMusic\201416\Skin\BtnHidePlayList.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\border.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn_ok_blue.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\FrmConfig.xml (4 bytes)
%Program Files%\YYMusic\201416\Unins.exe (9608 bytes)
%Program Files%\YYMusic\201416\Skin\color_013.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\dash.png (955 bytes)
%Program Files%\YYMusic\201416\Skin\sys_check_btn_whiter.png (318 bytes)
%Program Files%\YYMusic\201416\Skin\channel.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionseta.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\prevention.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\forgettt.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\playingnext.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\btn_sc.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\playerbg01.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\list_item_bg.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensiontopa.png (1 bytes)
%Program Files%\YYMusic\201416\channels.xml (784 bytes)
%Program Files%\YYMusic\201416\lyrics\baidu_262581.lrc (993 bytes)
%Program Files%\YYMusic\201416\Skin\color_010.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\random02hover.jpg (2 bytes)
%Program Files%\YYMusic\201416\Skin\btn_fh.png (4 bytes)
%Program Files%\YYMusic\201416\Skin\color_014.bmp (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_3.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btnfeedback.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\color_006.bmp (560 bytes)
%Program Files%\YYMusic\201416\Skin\sys_check_btn_red.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\LyricFrameVoice.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\downda.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_play.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\frmlogin.xml (3 bytes)
%Program Files%\YYMusic\201416\Skin\FrmLrcChild.xml (263 bytes)
%Program Files%\YYMusic\201416\Skin\pl_vol.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\random03.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\color_007.bmp (564 bytes)
%Program Files%\YYMusic\201416\Skin\sound.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\pushedVolume.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\system_menu_btnexit - 副本.png (2 bytes)
%Program Files%\YYMusic\201416\Skin\close.png (1 bytes)
%Program Files%\YYMusic\201416\libav.dll (6360 bytes)
%Program Files%\YYMusic\201416\Skin\pl_btn_down.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\next0520.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionfeedbackahover.png (1 bytes)
%Program Files%\YYMusic\201416\Data\dh.ini (56 bytes)
%Program Files%\YYMusic\201416\Skin\frmplayer.xml (10 bytes)
%Program Files%\YYMusic\201416\Skin\minea.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\pl_back.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\voice00528.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\slider_bg.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\downd.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\frmWindowLrc.xml (174 bytes)
%Program Files%\YYMusic\201416\Skin\pl_mutevol.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\lyriclike.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\random02.jpg (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_5.png (5 bytes)
%Program Files%\YYMusic\201416\PlayerUpdate.exe (5064 bytes)
%Program Files%\YYMusic\201416\Skin\random0520.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\playinginga.jpg (5 bytes)
%Program Files%\YYMusic\201416\Skin\color_unsel.bmp (5 bytes)
%Program Files%\YYMusic\201416\Skin\FrmLrc.xml (7 bytes)
%Program Files%\YYMusic\201416\Skin\mini窗.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\SelectColor_SliderBar_Thumb.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\forecolor_2.png (5 bytes)
%Program Files%\YYMusic\201416\Skin\prev0520.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\playingvoice.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionbigahover.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\btn-anonymity.png (8 bytes)
%Program Files%\YYMusic\201416\Skin\playingplaying.jpg (2 bytes)
%Program Files%\YYMusic\201416\Skin\suspensionmin.png (1 bytes)
%Program Files%\YYMusic\201416\Skin\progresstooltip.png (3 bytes)
%Program Files%\YYMusic\201416\Skin\progresstooltipbk.png (1552 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (848 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.