Trojan.NSIS.StartPage_24bab88f0e

by malwarelabrobot on January 18th, 2014 in Malware Descriptions.

Trojan.Win32.Badur.ghhq (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.NSIS.StartPage.FD, Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 24bab88f0eddb46da122d84e7c278e93
SHA1: 772d8d82156e8490f30d0484680cecefdb9071fc
SHA256: 1b19f5b903a931a71a79865a90c14130244c1d38f46fd925f56cd52a2abb0544
SSDeep: 3072:WgXdZt9P6D3XJVxBWbnSrvOn5KLwhOZFW:We34vFjYULwhkFW
Size: 109653 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

weatherRealTimeService.exe:3444
365weatherIns_61.exe:3236
Reader_sl.exe:1064
pihhrpg_30310.exe:1648
wuauclt.exe:344
pcWeather365.exe:2104
mscorsvw.exe:1920
akradl_70254.exe:824
jusched.exe:1056

The Trojan injects its code into the following process(es):

%original file name%.exe:2032
qljo.exe:3548

File activity

The process 365weatherIns_61.exe:3236 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\loading1.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\loading2.bmp (456 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\newfeather3.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\bg.bmp (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\ToggleImages.html (1 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\btn_close.bmp (2 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\btn_complete.bmp (3616 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨.lnk (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\checkbox1.bmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\btn_next.bmp (3616 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\cnzzonline.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseA.tmp (79841 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\checkbox2.bmp (5 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\nsWindows.dll (10 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\newfeather2.jpg (784 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ð¶ÔØ.lnk (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\md5dll.dll (8 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I6B4VNBQ\aztongji_61[1].htm (2 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\newfeather1.jpg (784 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse9.tmp (0 bytes)

The process %original file name%.exe:2032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (89521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\open.ini (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe (218960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I6B4VNBQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\akradl_70254.exe (206643 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\xID.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (56530 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXEZ4PM7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\91JK1HFT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5BLQGXG0\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (0 bytes)

The process pihhrpg_30310.exe:1648 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMNet.dll.bdl (49976 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\be.exe.bdl (298992 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc7.tmp (160365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMReport.dll.bdl (41169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\tmpx3ljnl.dll (83154 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMDownload.dll (5520 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)

The process wuauclt.exe:344 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process pcWeather365.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (137 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (288 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)

The process qljo.exe:3548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\InstallHelper.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\res\InstallWnd.zip (68506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszD.tmp (1553322 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\PluginInstallHelper.dll (784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (0 bytes)

The process mscorsvw.exe:1920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (270 bytes)

The process akradl_70254.exe:824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\dl.dll (65945 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMReport.dll.bdl (38476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\tmpbhjmp5.dll (15536 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq4.tmp (125790 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMNet.dll.bdl (48560 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (2270 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\qljo.exe.bdl (382347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\hu.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (24 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)

The process jusched.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

Registry activity

The process weatherRealTimeService.exe:3444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 03 95 48 5A 7A B9 DF 6D 5B 30 41 E0 17 42 F9"

[HKCR\AppID\weatherService.EXE]
"AppID" = "{636DA746-D508-400B-86A0-AE7F3C4008F7}"

[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService" = "weatherRealTimeService"
"(Default)" = "weatherService"

The Trojan deletes the following value(s) in system registry:

[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService"

The process 365weatherIns_61.exe:3236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"UninstallString" = "%Program Files%\pcWeather365\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayIcon" = "%Program Files%\pcWeather365\pcWeather365.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"appdata" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"URLInfoAbout" = "http://114tq.com/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"quick" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"Publisher" = "365ÆøÏó¹¤×÷ÊÒ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"(Default)" = "%Program Files%\pcWeather365\pcWeather365.exe"
"desk" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"pcWeather365/weatherRealTimeService.exe" = "weatherRealTimeService"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayName" = "pcWeather365 1.0.0.1004"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Mac" = "00-0C-29-64-A0-20"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 1F 46 77 C2 46 E2 01 3E 32 5E 75 5E 3C 2E 2F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayVersion" = "1.0.0.1004"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"jieguo" = "mac=00-0C-29-64-A0-20&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=fb815cd10206670e32ad5cf9d247badc"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:2032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹]
"DisplayVersion" = "1.0.0.2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹]
"DisplayName" = "Â̶¹ 1.0.0.2"
"Publisher" = "aaa181"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D C8 F0 36 D8 8A DC F5 A2 74 59 4A 9C A6 6B 52"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process pihhrpg_30310.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E E2 56 D5 09 49 FF 77 15 6C 27 A2 EE CA 0D 8D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process pcWeather365.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 77 26 AE 93 A5 8C 14 B4 9D C2 A2 F9 95 59 E2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process qljo.exe:3548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 94 0B 3C 3C 90 72 D8 3E FE 36 25 42 00 3C 98"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process akradl_70254.exe:824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 1F 87 C4 73 53 EC A5 C8 FB 88 0E B1 E6 EC F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\metnsd\clsid]
"SequenceID" = "26 1D FA A7 6C 0F 6D 45 B1 BE C2 18 9A FA AE F9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq5.tmp]
"qljo.exe" = "qljo"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Network activity (URLs)

URL IP
hxxp://pxsw.n.shifen.com/
hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMReport.dll (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMNet.dll (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://baidubrs.dlmix.glb0.lxdns.com/client/w489/0103/BaiduAn_Setup_1.0.228.281_Sid_50001_Silent_Defense.exe
hxxp://117.21.189.52/dl1sw.baidu.com/client/w489/0103/BaiduAn_Setup_1.0.228.281_Sid_50001_Silent_Defense.exe?wsiphost=local (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://117.21.189.50/dl1sw.baidu.com/client/w489/0103/BaiduAn_Setup_1.0.228.281_Sid_50001_Silent_Defense.exe?wsiphost=local (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://117.21.189.51/dl1sw.baidu.com/client/w489/0103/BaiduAn_Setup_1.0.228.281_Sid_50001_Silent_Defense.exe?wsiphost=local (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://lm.beilequ.com/update/365/365weatherIns_61.rar (ET POLICY PE EXE or DLL Windows file download , Malicious) 122.225.100.200
hxxp://117.21.189.53/dl1sw.baidu.com/client/w489/0103/BaiduAn_Setup_1.0.228.281_Sid_50001_Silent_Defense.exe?wsiphost=local (ET POLICY PE EXE or DLL Windows file download , Malicious)
hxxp://117.21.189.55/dl1sw.baidu.com/client/w489/0103/BaiduAn_Setup_1.0.228.281_Sid_50001_Silent_Defense.exe?wsiphost=local (ET POLICY PE EXE or DLL Windows file download , Malicious)
jp.download.iyuntian.com 123.125.65.154
tk.download.iyuntian.com 123.125.69.209
rc.download.iyuntian.com 123.125.65.153
dlsw.baidu.com 61.155.165.27
dl1sw.baidu.com 117.21.189.102
res.download.iyuntian.com 123.125.65.129
dtrp.download.iyuntian.com 123.125.65.150
p.x.baidu.com 123.125.65.152
utk.download.iyuntian.com 123.125.65.147
down.pxlib.org 222.186.60.2
cfg.download.iyuntian.com 123.125.65.132
res2.download.iyuntian.com Unresolvable
qr.download.iyuntian.com Unresolvable
res3.download.iyuntian.com Unresolvable
sn.download.iyuntian.com Unresolvable


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    weatherRealTimeService.exe:3444
    365weatherIns_61.exe:3236
    pihhrpg_30310.exe:1648
    wuauclt.exe:344
    pcWeather365.exe:2104
    mscorsvw.exe:1920
    akradl_70254.exe:824

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\KillProcDLL.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\loading1.bmp (456 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\loading2.bmp (456 bytes)
    %Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
    %Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
    %Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
    %Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\newfeather3.jpg (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\bg.bmp (18424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\ToggleImages.html (1 bytes)
    %Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
    %Program Files%\pcWeather365\config.ini (325 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\nsDialogs.dll (9 bytes)
    %Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
    %Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
    %Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
    %Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
    %Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\btn_close.bmp (2 bytes)
    %Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\btn_complete.bmp (3616 bytes)
    %Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨.lnk (836 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\checkbox1.bmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\SkinBtn.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\btn_next.bmp (3616 bytes)
    %Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
    %Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
    %Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
    %Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
    %Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\cnzzonline.html (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseA.tmp (79841 bytes)
    %Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\checkbox2.bmp (5 bytes)
    %Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
    %Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\nsWindows.dll (10 bytes)
    %Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
    %Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
    %Program Files%\pcWeather365\msweather.dll (5520 bytes)
    %Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\newfeather2.jpg (784 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ð¶ÔØ.lnk (804 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\md5dll.dll (8 bytes)
    %Program Files%\pcWeather365\skins\common\close.png (873 bytes)
    %Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
    %Program Files%\pcWeather365\weather.db (6584 bytes)
    %Program Files%\pcWeather365\uninst.exe (2691 bytes)
    %Program Files%\pcWeather365\skins\common\err.png (784 bytes)
    %Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I6B4VNBQ\aztongji_61[1].htm (2 bytes)
    %Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
    %Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszB.tmp\newfeather1.jpg (784 bytes)
    %Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
    %Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
    %Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
    %Program Files%\pcWeather365\areacode.db (3 bytes)
    %Program Files%\pcWeather365\skins\common\min.png (440 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (89521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\Inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\Md5dll.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\open.ini (660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe (218960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\I6B4VNBQ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\akradl_70254.exe (206643 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\xID.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (56530 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GXEZ4PM7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\91JK1HFT\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5BLQGXG0\desktop.ini (67 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMNetGetInfo.dll (9608 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (762 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDLogicUtils.dll (30968 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMNet.dll.bdl (49976 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\be.exe.bdl (298992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\res\onlineWnd.zip (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc7.tmp (160365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\hu.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\dl.dll (65930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMReport.dll.bdl (41169 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMSkin.dll (38495 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\tmpx3ljnl.dll (83154 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp\BDMDownload.dll (5520 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (137 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\InstallHelper.dll (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\res\InstallWnd.zip (68506 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nszD.tmp (1553322 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\BDMSkin.dll (36698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsjE.tmp\PluginInstallHelper.dll (784 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\dl.dll (65945 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMReport.dll.bdl (38476 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\tmpbhjmp5.dll (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq4.tmp (125790 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\res\onlineWnd.zip (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMNet.dll.bdl (48560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDLogicUtils.dll (31856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMDownload.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\qljo.exe.bdl (382347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMSkin.dll (36698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMNetGetInfo.dll (9608 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\hu.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now