Trojan.NSIS.StartPage_5f6f3b85d7
Trojan.Win32.Generic!BT (VIPRE), Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5f6f3b85d71d2668451cc9670e1e2dfe
SHA1: 688fd02f2e020e4a603d88f0ec098969ed212b18
SHA256: 5490ee7399af6c7b03d8abea0c71729943f44fe6454ff56029749284c74d8342
SSDeep: 24576: NEssUAz/myivTS2u5fYKjHeWBaNzjGaF5roJm/89Iwcuvpk: 25uyirSXVDepNfGaF5roW8Bcuve
Size: 998082 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Rapiddown
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
weatherRealTimeService.exe:468
setup_a7158.tmp:1260
YyfmPlay.exe:820
365weatherIns_61.exe:1328
pcWeather365.exe:1788
tianqiUpdate.1004.exe:1768
setup_3128.exe:1500
mscorsvw.exe:1912
setup_a7158.exe:1268
The Trojan injects its code into the following process(es):
%original file name%.exe:332
greendou.exe:1604
YYNews.exe:1324
File activity
The process %original file name%.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (101612 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (27153 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\open.ini (660 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (434477 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (367208 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (902 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xblzy_70304.exe (93861 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (348 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\NSISdl.dll (14 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Program Files%\greeou\ico\taobao.ico (2104 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1.tmp (0 bytes)
The process setup_a7158.tmp:1260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\CallbackCtrl.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\ItDownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\webctrl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\info.iam (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\WSysInfo.dll (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\botva2.dll (35 bytes)
The process YyfmPlay.exe:820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Yyfm\201413\Data\client.ini (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\a[1].htm (3 bytes)
%Program Files%\Yyfm\201413\Data\server.ini (1 bytes)
%Program Files%\Yyfm\201413\SysConfig.ini (34 bytes)
%Program Files%\Yyfm\201413\Data\user2.ini (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tj[1].ashx (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ver[1].txt (36 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\a[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tj[1].ashx (0 bytes)
The process 365weatherIns_61.exe:1328 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\cnzzonline.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_complete.bmp (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather2.jpg (784 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather1.jpg (784 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\checkbox1.bmp (5 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\checkbox2.bmp (5 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_close.bmp (2 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_next.bmp (3616 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报.lnk (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ToggleImages.html (1 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\SkinBtn.dll (4 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp (79841 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报Ã¶ÔØ.lnk (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\loading1.bmp (456 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\loading2.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\bg.bmp (18424 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather3.jpg (784 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsWindows.dll (10 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
The process greendou.exe:1604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388714661[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388652231[1].jpg (3384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388712393[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388712368[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\h[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\db100x60[1].gif (1272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tool4[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388712298[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dangdang10060[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\searchbg[1].gif (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388714609[1].jpg (1267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sethome[1].png (662 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\btnbg[1].gif (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tmall[1].png (181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\h[2].js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1387530625[1].jpg (3470 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388625868[1].jpg (1647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b1[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388474290[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1387868883[1].jpg (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\u_13741[1].htm (25849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1388712157[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jd[1].png (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index_icon[1].gif (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1388625844[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\www.h1231[1].xml (266 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388474361[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tool1[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388712273[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388474238[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b0[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388714573[1].jpg (2672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388474315[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388650216[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388625947[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hf_body_bg[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\index_icon[1].png (2402 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388474264[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tool9[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tianqi2345_2[1].htm (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tool8[1].png (1 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (2974 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\lvdou.300duo[1].htm (352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388625919[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388650495[1].jpg (3433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388650164[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baidu-form[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\123logo[1].gif (1272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388650112[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1388650139[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388625895[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\core[1].php (797 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@5w[2].txt (757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tool6[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tool2[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tool3[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (8772 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@5w[1].txt (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388650189[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tool7[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tool5[1].png (1 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\baidu[1].gif (50 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\u_13741[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@5w[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@5w[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tianqi2345_2[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\h[1].js (0 bytes)
The process pcWeather365.exe:1788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (145 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (288 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3084 bytes)
%Program Files%\pcWeather365\weatherData.tmp (358 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (137 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (302 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
The process tianqiUpdate.1004.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (67 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pm25Info\pm25Info.db.!mv (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pmAqiInfo[1].xml (329 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db.!mv (584 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\updateInfo.db.!mv (608 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pmAqiInfo\pmAqiInfo.db.!mv (329 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (1180 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pm25Info[1].xml (615 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\updateInfo[1].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\weatherInfo[1].xml (584 bytes)
%Program Files%\pcWeather365\config.ini (200 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF20B2.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (0 bytes)
The process setup_3128.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Yyfm\201413\Skin\frmplaylist.xml (5 bytes)
%Program Files%\Yyfm\201413\Data\version.ini (32 bytes)
%Program Files%\Yyfm\201413\Skin\more.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\MessageBox.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_list_bk.png (1552 bytes)
%Program Files%\Yyfm\201413\Skin\color_011.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionseta.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\voice0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\voiceall0528.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\AutoRunTipFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_013.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\sound.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_ok_red.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\btn_close.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\color_008.bmp (556 bytes)
%Program Files%\Yyfm\201413\Skin\suspensiontopahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\random02a.jpg (2 bytes)
%Program Files%\Yyfm\201413\avcore.dll (2392 bytes)
%Program Files%\Yyfm\201413\Skin\mainframeshadow.png (4992 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionmina.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_mutevol.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\steup.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\btn_kw.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\sys_check_btn_whiter.png (318 bytes)
%Program Files%\Yyfm\201413\Skin\frmplayer.xml (10 bytes)
%Program Files%\Yyfm\201413\Skin\voice0a0528.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\playingnext.png (4 bytes)
%Program Files%\Yyfm\201413\picture\baidu_c2cec3fdfc03924517c1df928694a4c27d1e2532.jpg (784 bytes)
%Program Files%\Yyfm\201413\Skin\dash.png (955 bytes)
%Program Files%\Yyfm\201413\Skin\remembertt.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_color.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\collection.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\downdahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\mini窗.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\LyricFrameVoice.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\playingvoice.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnsteup.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\pl_res.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_5.png (5 bytes)
%Program Files%\Yyfm\201413\lyrics\baidu_13766042.lrc (1 bytes)
%Program Files%\Yyfm\201413\Skin\LoginBk.png (3312 bytes)
%Program Files%\Yyfm\201413\Skin\SetTipFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\input-user.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\lyriclike.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_ok_blue.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\random01hover.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\random02hover.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\pl_btn_down.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\loading01.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pushedVolume.png (2 bytes)
%Program Files%\Yyfm\201413\picture\baidu_e1fe9925bc315c60bbe955728cb1cb134954772a.jpg (784 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionfeedbackahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\downda.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\progress_fore.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\SelectColor_SliderBar_Thumb.png (1 bytes)
%Program Files%\Yyfm\201413\picture\baidu_c8ea15ce36d3d539f9c9305e3b87e950342ab0b2.jpg (784 bytes)
%Program Files%\Yyfm\201413\Skin\random01.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\mini.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_001.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnexit - ¸±±¾.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\playingrandom.jpg (1 bytes)
%Program Files%\Yyfm\201413\YyfmPlay.exe (32784 bytes)
%Program Files%\Yyfm\201413\Skin\frmProgressToolTip.xml (393 bytes)
%Program Files%\Yyfm\201413\Skin\next0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_009.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\lyriclikea.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\random03hover.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_6.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\loading04.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmDropDownMenuFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\PlayerUpdate.exe (5064 bytes)
%Program Files%\Yyfm\201413\Skin\tab_comm.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\hotkeytipbk.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\sys_check_btn_red.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\minea.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\close.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn-fav.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionfeedbacka.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\reflash.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\border.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnmini.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnexit.png (4 bytes)
%Program Files%\Yyfm\201413\libav.dll (6360 bytes)
%Program Files%\Yyfm\201413\Skin\bg3.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\Òôÿµ÷½Úµã.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn-login2.png (6 bytes)
%Program Files%\Yyfm\201413\Skin\home.png (2 bytes)
%Program Files%\Yyfm\201413\icon\gouwu.ico (9 bytes)
%Program Files%\Yyfm\201413\Skin\list_scroll_bar.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\sound100.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmConfig.xml (4 bytes)
%Program Files%\Yyfm\201413\Skin\font_bkcolor.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionminahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn-anonymity.png (8 bytes)
%Program Files%\Yyfm\201413\Skin\color_012.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_4.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\pl_close.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\lyricdelete.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\list_play.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\PlayProgressForeImage.png (142 bytes)
%Program Files%\Yyfm\201413\Skin\btn_db.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\btn_comm.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_bg.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\playerbg01.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_split.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_3.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\btn_9k.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\FrmMenuFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_itself.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\sound (2).jpg (1 bytes)
%Program Files%\Yyfm\201413\lyrics\baidu_13881991.lrc (1 bytes)
%Program Files%\Yyfm\201413\Skin\button.png (3 bytes)
%Program Files%\Yyfm\201413\avutil-52.dll (5520 bytes)
%Program Files%\Yyfm\201413\Skin\pl_small.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_002.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\btn_fh.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\color_014.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\fbcaptionbk.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmLrc.xml (7 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_2.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\random01a.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\color_007highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\DownLoadProgressForeImage.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\frmlogin.xml (3 bytes)
%Program Files%\Yyfm\201413\Skin\pl_set.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionclosea.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\forgettt.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\play0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\LrcBk.png (7 bytes)
%Program Files%\Yyfm\201413\Skin\next.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\color_002highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\color_005.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\lrclist.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\menu.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionset.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensiontop.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_005highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\btn_bd.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\back.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_3.png (3 bytes)
%Program Files%\Yyfm\201413\icon\ccjs.ico (13 bytes)
%Program Files%\Yyfm\201413\Skin\headimg.png (784 bytes)
%Program Files%\Yyfm\201413\Skin\pl_big.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_sc.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\FrmFeedBack.xml (411 bytes)
%Program Files%\Yyfm\201413\Skin\color_006highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\frmWindowLrcParent.xml (157 bytes)
%Program Files%\Yyfm\201413\Skin\list_pause.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_unsel.bmp (5 bytes)
%Program Files%\Yyfm\201413\Skin\listahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_1.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\font_forecolor.png (1 bytes)
%Program Files%\Yyfm\201413\DuiLib.dll (16288 bytes)
%Program Files%\Yyfm\201413\Skin\frmWindowLrc.xml (174 bytes)
%Program Files%\Yyfm\201413\Skin\color_001highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\WindowLrcbkIamge.png (732 bytes)
%Program Files%\Yyfm\201413\Skin\loading02.png (1 bytes)
%Documents and Settings%\All Users\Desktop\ÒôÀÖFM.lnk (757 bytes)
%Program Files%\Yyfm\201413\Skin\pl_play.png (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÒôÀÖFM\ÅäÖù¤¾ß\Ã¶ÔØÒôÀÖFM.lnk (764 bytes)
%Program Files%\Yyfm\201413\Skin\playinging.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\progresstooltipbk.png (1552 bytes)
%Program Files%\Yyfm\201413\Skin\voice00528.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionclose.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_016.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\sys_check_btn_blue.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\lista.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\history.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\BtnRightTop.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\play2.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\slider_bg.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_2.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\125x125.jpg (784 bytes)
%Program Files%\Yyfm\201413\Skin\FrmSystemMenuFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_bg.bmp (784 bytes)
%Program Files%\Yyfm\201413\Skin\pl_vol.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_003.bmp (560 bytes)
%Program Files%\Yyfm\201413\Skin\random0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_xm.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\random03a.jpg (1 bytes)
%Program Files%\Yyfm\201413\YYNews.exe (20416 bytes)
%Program Files%\Yyfm\201413\Skin\lyriclikea2.png (3 bytes)
%Program Files%\Yyfm\201413\source.dll (6584 bytes)
%Program Files%\Yyfm\201413\Skin\color_006.bmp (560 bytes)
%Program Files%\Yyfm\201413\Skin\pop_bkimage.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\list_scroll_bar2.png (1 bytes)
%Program Files%\Yyfm\201413\Data\client.ini (38 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionlogin.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_7.png (5 bytes)
%Program Files%\Yyfm\201413\Data\server.ini (1 bytes)
%Program Files%\Yyfm\201413\Skin\lyricdeletea.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmSetWindowLrcFrame.xml (3 bytes)
%Program Files%\Yyfm\201413\Skin\btn-next.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\min.png (1 bytes)
%Program Files%\Yyfm\201413\channels.xml (784 bytes)
%Program Files%\Yyfm\201413\Skin\pl_feedback.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\voice1000528.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionmin.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_ok.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionsetahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_next.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\like.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\list_item.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\list_title_bg.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\list.png (1 bytes)
%Program Files%\Yyfm\201413\swresample-0.dll (3312 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_1.png (5 bytes)
%Program Files%\Yyfm\201413\SysConfig.ini (280 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionbigahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_desktop.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmPopWnd.xml (354 bytes)
%Program Files%\Yyfm\201413\Skin\playingpreva.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_icon.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\playingplaying.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\color_004highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\prev.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\progresstooltip.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\btn-delete.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn-play.png (5 bytes)
%Program Files%\Yyfm\201413\Unins.exe (9608 bytes)
%Program Files%\Yyfm\201413\Skin\playinginga.jpg (5 bytes)
%Program Files%\Yyfm\201413\Skin\power.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\color_015.bmp (1 bytes)
%Program Files%\Yyfm\201413\icon\ie.ico (784 bytes)
%Program Files%\Yyfm\201413\Skin\pl_back.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensiontopa.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\lyricmute.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmLrcChild.xml (263 bytes)
%Program Files%\Yyfm\201413\Skin\color_007.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\prevention.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\random02.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\playingprev.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\frmWebBrowser.xml (308 bytes)
%Program Files%\Yyfm\201413\avcodec-54.dll (23936 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_6.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_5.png (5 bytes)
%Program Files%\Yyfm\201413\avformat-54.dll (12536 bytes)
%Program Files%\Yyfm\201413\Skin\mineahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_pause.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionfeedback.png (1 bytes)
%Program Files%\Yyfm\201413\audio.dll (3616 bytes)
%Program Files%\Yyfm\201413\Skin\frmdownmenu.xml (1 bytes)
%Program Files%\Yyfm\201413\lyrics\baidu_262581.lrc (993 bytes)
%Program Files%\Yyfm\201413\Skin\lyricdeletea2.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\btn-login.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\pl_prev.png (1 bytes)
%Program Files%\Yyfm\201413\pthreadGC2.dll (3616 bytes)
%Program Files%\Yyfm\201413\Skin\btn-pause.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\icon.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\list_item_bg.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnfeedback.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\playerbg02.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\channel.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\mine.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\bg_2.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\BtnHidePlayList.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\playingrandoma.jpg (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÒôÀÖFM\ÒôÀÖFM.lnk (769 bytes)
%Program Files%\Yyfm\201413\Skin\lyrictoplay.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_003highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\input-password.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\prev0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\musiclibrary.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\random.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\scrollbar.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_010.bmp (1 bytes)
%Program Files%\Yyfm\201413\favorfm.xml (66 bytes)
%Program Files%\Yyfm\201413\Skin\color_004.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\bg2.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\sys_check_btn.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnmin.png (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÒôÀÖFM\¹Ù·½Ö÷Ò³.lnk (334 bytes)
%Program Files%\Yyfm\201413\Skin\downd.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensioncloseahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_forward.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\update.xml (2 bytes)
%Program Files%\Yyfm\201413\Data\setup.ini (111 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionbiga.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\search.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\playersidebg.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmColor.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\DefaultUserImage.jpg (6 bytes)
%Program Files%\Yyfm\201413\Skin\ÒôÿÌõ.png (1 bytes)
%Program Files%\Yyfm\201413\Data\dh.ini (56 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btntop.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\max.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\playerlist.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\loading03.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionbig.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\normalVolume.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_7.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\color_008highlight.bmp (552 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_4.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\320x225.png (784 bytes)
%Program Files%\Yyfm\201413\Skin\bk.png (3616 bytes)
%Program Files%\Yyfm\201413\Skin\feedback.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\tooltipbk.png (319 bytes)
%Program Files%\Yyfm\201413\Skin\exit.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\astop.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\pl_btn_on.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmHotKeyTip.xml (482 bytes)
%Program Files%\Yyfm\201413\Skin\random03.jpg (1 bytes)
The process mscorsvw.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (474 bytes)
The process setup_a7158.exe:1268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-QI0R1.tmp\setup_a7158.tmp (7386 bytes)
Registry activity
The process weatherRealTimeService.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 AB 4D 41 84 A5 6A F7 24 EE 9D 9A 10 5E 22 99"
[HKCR\AppID\weatherService.EXE]
"AppID" = "{636DA746-D508-400B-86A0-AE7F3C4008F7}"
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService" = "weatherRealTimeService"
"(Default)" = "weatherService"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService"
The process %original file name%.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹ä¯ÀÀÆ÷]
"Publisher" = "00o89"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹ä¯ÀÀÆ÷]
"DisplayName" = "Â̶¹ä¯ÀÀÆ÷ 1.0.0.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 E4 0B F8 B0 72 FC E3 B5 99 8C 17 C8 F7 16 24"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹ä¯ÀÀÆ÷]
"DisplayVersion" = "1.0.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process setup_a7158.tmp:1260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 34 C4 37 57 7E AC 3D AE 6A 6B 47 75 38 3B 63"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process YyfmPlay.exe:820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 88 DA 25 65 81 8E 19 7A 37 A0 35 78 5C 6A FC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their names, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
To run automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YyfmPlay_201413" = "%Program Files%\Yyfm\201413\YyfmPlay.exe -mini"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BoxNews_201413" = "%Program Files%\Yyfm\201413\YYNews.exe -mini"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 365weatherIns_61.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"UninstallString" = "%Program Files%\pcWeather365\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayIcon" = "%Program Files%\pcWeather365\pcWeather365.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"appdata" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"URLInfoAbout" = "http://114tq.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"quick" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"Publisher" = "365ÆøÃó¹¤×÷ÊÒ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"(Default)" = "%Program Files%\pcWeather365\pcWeather365.exe"
"desk" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"pcWeather365/weatherRealTimeService.exe" = "weatherRealTimeService"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayName" = "pcWeather365 1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Mac" = "00-0C-29-7C-CD-1F"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 11 1F 9B FB 6D AC 15 9D E6 DE D4 3F 6A AC 5C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayVersion" = "1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"jieguo" = "mac=00-0C-29-7C-CD-1F&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=84c8b24c6597ce51c54789a9b4632126"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process greendou.exe:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010320140104]
"CachePrefix" = ":2014010320140104:"
[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010320140104]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014010320140104\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-12693" = "Favorites"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "greendou.exe"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010320140104]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010320140104]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1244086619"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C EB A2 F5 94 2F AA D8 68 48 A4 D3 AF 4A 21 6B"
[HKCU\Software\Gie]
"update2" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010320140104]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\System\CurrentControlSet\Services\Tcpip\Performance]
"Error Count"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process pcWeather365.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\pcWeather365]
"tianqiUpdate.1004.exe" = "气象升级更新"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 82 28 EF 94 90 65 29 10 E1 36 0D 8A 78 5B BB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tianqiUpdate.1004.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 53 6A D9 DD 15 A2 02 DD CB 34 FF 8E 1A 9E 17"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Cache" = "E3 04 00 00 02 00 00 00 A8 03 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process setup_3128.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayName" = "音乐FM"
"Publisher" = "音乐FM"
[HKLM\SOFTWARE\YyfmPlay]
"Rd" = "_201413"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayVersion" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 A9 F7 AA 18 EE 34 A2 62 52 D5 13 65 7C A8 C4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"UninstallString" = "%Program Files%\Yyfm\201413\Unins.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayIcon" = "%Program Files%\Yyfm\201413\Unins.exe"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BoxNews"
"YyfmPlay"
The process YYNews.exe:1324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E AF 74 E7 65 E9 86 18 B3 E7 02 75 58 70 3B 63"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process setup_a7158.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 0D FD 89 BC 85 B9 9D FC 9C AC A9 32 F7 79 09"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://33c.xjhq.org/open/open.ini?name=%original file name%.exe&ini=open.ini (SURICATA HTTP invalid content length field in response ) | |
| hxxp://lm.beilequ.com/update/365/365weatherIns_61.rar (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://lvdou.300duo.com/favicon.ico | |
| hxxp://lvdou.300duo.com/ | |
| hxxp://down.yinyue.fm/open/setup_3128.txt (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://lm.beilequ.com/u_13741.html | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/aztongji/aztongji_61.html | |
| hxxp://lm.beilequ.com/theme/hao123v3_1/css/global.css | |
| hxxp://lm.beilequ.com/theme/hao123v3_1/images/hf_body_bg.png | |
| hxxp://lm.beilequ.com/theme/hao123v3_1/images/index_icon.png | |
| hxxp://lm.beilequ.com/theme/hao123v3/images/tool1.png | |
| hxxp://lm.beilequ.com/theme/hao123v3_1/images/sethome.png | |
| hxxp://lm.beilequ.com/data/html/tianqi2345_2.htm | |
| hxxp://lm.beilequ.com/theme/hao123v3_1/images/baidu-form.png | |
| hxxp://lm.beilequ.com/images/123logo.gif | |
| hxxp://lm.beilequ.com/theme/hao123v3/images/tool3.png | |
| hxxp://lm.beilequ.com/theme/hao123v3/images/tool2.png | |
| hxxp://lm.beilequ.com/theme/hao123v3_1/images/btnbg.gif | |
| hxxp://lm.beilequ.com/theme/hao123v3/images/tool4.png | |
| hxxp://lm.beilequ.com/theme/hao123v3/images/tool5.png | |
| hxxp://lm.beilequ.com/theme/hao123v3_1/images/searchbg.gif | |
| hxxp://lm.beilequ.com/static/images/index_icon.gif | |
| hxxp://lm.beilequ.com/theme/hao123v3/images/tool6.png | |
| hxxp://lm.beilequ.com/theme/hao123v3/images/tool7.png | |
| hxxp://lm.beilequ.com/images/db100x60.gif | |
| hxxp://lm.beilequ.com/images/dangdang10060.gif | |
| hxxp://lm.beilequ.com/static/js/ajax.js | |
| hxxp://lm.beilequ.com/static/js/123tu5.js?haov3 | |
| hxxp://lm.beilequ.com/theme/hao123v3/images/tool8.png | |
| hxxp://lm.beilequ.com/theme/hao123v3/images/tool9.png | |
| hxxp://lm.beilequ.com/static/images/s/baidu.gif | |
| hxxp://lm.beilequ.com/weath5wtq.php?a=getWeather | |
| hxxp://lm.beilequ.com/images/tmall.png | |
| hxxp://lm.beilequ.com/images/jd.png | |
| hxxp://lm.beilequ.com/images/upload/1388650495.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388652231.jpg | |
| hxxp://lm.beilequ.com/static/images/tianqi/b0.gif | |
| hxxp://lm.beilequ.com/static/images/tianqi/b1.gif | |
| hxxp://lm.beilequ.com/images/upload/1387530625.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388714573.jpg | |
| hxxp://c.split.cnzz.com/stat.php?id=5779743 | |
| hxxp://lm.beilequ.com/images/upload/1388714609.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388714661.jpg | |
| hxxp://c.split.cnzz.com/core.php?web_id=5779743&t=z | |
| hxxp://lm.beilequ.com/images/upload/1387868883.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388712157.jpg | |
| hxxp://lm.beilequ.com/c.js | |
| hxxp://lm.beilequ.com/images/upload/1388712273.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388712298.jpg | |
| hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=426746402 | |
| hxxp://lm.beilequ.com/images/upload/1388712368.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388712393.jpg | |
| hxxp://weather51la.cnzz.uujzy.com/post/ | |
| hxxp://lm.beilequ.com/images/upload/1388650112.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388650139.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388650164.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388650189.jpg | |
| hxxp://pcookie.split.cnzz.com/app.gif?&cna=NNlNC/IhiXUCAbhrJiYhESa2 | |
| hxxp://hm.e.shifen.com/h.js?bf8aae25f2470e8119f2768f78a8d610 | |
| hxxp://lm.beilequ.com/images/upload/1388650216.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388625844.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388625868.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388625895.jpg | |
| hxxp://hm.e.shifen.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1024x768&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=1774880152&si=bf8aae25f2470e8119f2768f78a8d610&st=3&su=http://lvdou.300duo.com/&v=1.0.53&lv=1&tt=我的上网主页 | |
| hxxp://lm.beilequ.com/images/upload/1388625919.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388625947.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388474238.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388474264.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388474290.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388474315.jpg | |
| hxxp://lm.beilequ.com/images/upload/1388474361.jpg | |
| hxxp://z7.cnzz.com/stat.htm?id=5779743&r=http://lvdou.300duo.com/&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=674838082-1388768051-http://lvdou.300duo.com/&showp=1024x768&st=0&sin=http://lvdou.300duo.com/&t=undefinedundefinedundefinedundefinedundefinedundefined&rnd=1592102292 | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/weatherPng/cnzz.html | |
| hxxp://tongji.uujzy.com/tongji.html?1.0.1004_id61_md1_os1 | |
| hxxp://js.users.51.la/15909623.js | |
| hxxp://icon.ajiang.net/icon_9.gif | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/_61/cnzz.html | |
| hxxp://sj88.www.web.glb0.ldcache.net/hezi/jm/setup_a7158.rar | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/cnzz.html | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/weatherInfo.xml | |
| hxxp://int.dpool.sina.com.cn/iplookup | |
| hxxp://int.dpool.sina.com.cn/iplookup/ (SURICATA STREAM TIMEWAIT ACK with wrong seq) | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/pmAqiInfo.xml | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/pm25Info.xml | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/pngicoInfo.xml | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/updateInfo.xml | |
| hxxp://update.yinyue.fm/tj.ashx | |
| hxxp://update.yinyue.fm/a.ashx?v=51856086832E9ADB837E6CA960EEA2B40AD16CB00B306F346DC36E365402D30A421FC7ECB84CB04F731A028A8FCCBA7D8944ABE95C1C48B8E1600291B829482FD5F553AA04C5D1393DA663A99E655F206C25FD326A56091EB4B9BE6D78D8299092AF3B7F0446D6CFC614035E6A388FF8CA1DE4C6CD997514DAC9F3A3513AFD07 | |
| www.xzsky.com | |
| web2.51.la | |
| weather51la.cnzz.beilequ.com | |
| js.hao2266.com | |
| pcookie.cnzz.com | |
| weather.uujzy.com | |
| s13.cnzz.com | |
| c.cnzz.com | |
| www.5w123.com | |
| www.5w.com | |
| www.sj88.com | |
| hm.baidu.com | |
| www.biso.cc | |
| www.h1231.com | |
| weather51la.cnzz.alivcd.com | |
| cnzz.mmstat.com | |
| www.hao2266.com | |
| tongji.yinyue.fm | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
weatherRealTimeService.exe:468
setup_a7158.tmp:1260
YyfmPlay.exe:820
365weatherIns_61.exe:1328
pcWeather365.exe:1788
tianqiUpdate.1004.exe:1768
setup_3128.exe:1500
mscorsvw.exe:1912
setup_a7158.exe:1268
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (101612 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (27153 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\open.ini (660 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (434477 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (367208 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (902 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xblzy_70304.exe (93861 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Â̶¹ä¯ÀÀÆ÷\Â̶¹ä¯ÀÀÆ÷.lnk (678 bytes)
%Documents and Settings%\%current user%\Desktop\Â̶¹ä¯ÀÀÆ÷.lnk (666 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (348 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\NSISdl.dll (14 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Program Files%\greeou\ico\taobao.ico (2104 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\CallbackCtrl.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\ItDownload.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\webctrl.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\info.iam (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\WSysInfo.dll (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-KNBIA.tmp\botva2.dll (35 bytes)
%Program Files%\Yyfm\201413\Data\client.ini (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\a[1].htm (3 bytes)
%Program Files%\Yyfm\201413\Data\server.ini (1 bytes)
%Program Files%\Yyfm\201413\SysConfig.ini (34 bytes)
%Program Files%\Yyfm\201413\Data\user2.ini (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tj[1].ashx (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ver[1].txt (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\cnzzonline.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_complete.bmp (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather2.jpg (784 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather1.jpg (784 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\checkbox1.bmp (5 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\checkbox2.bmp (5 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_close.bmp (2 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_next.bmp (3616 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨.lnk (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ToggleImages.html (1 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\SkinBtn.dll (4 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp (79841 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ã¶ÔØ.lnk (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\loading1.bmp (456 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\loading2.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\bg.bmp (18424 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather3.jpg (784 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388714661[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388652231[1].jpg (3384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388712393[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388712368[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\h[1].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\db100x60[1].gif (1272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tool4[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388712298[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dangdang10060[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\searchbg[1].gif (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388714609[1].jpg (1267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sethome[1].png (662 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\btnbg[1].gif (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tmall[1].png (181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\h[2].js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1387530625[1].jpg (3470 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388625868[1].jpg (1647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\b1[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388474290[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1387868883[1].jpg (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\u_13741[1].htm (25849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1388712157[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jd[1].png (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index_icon[1].gif (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1388625844[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\www.h1231[1].xml (266 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388474361[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tool1[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388712273[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388474238[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\b0[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388714573[1].jpg (2672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388474315[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388650216[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388625947[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hf_body_bg[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\index_icon[1].png (2402 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388474264[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tool9[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tianqi2345_2[1].htm (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tool8[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\lvdou.300duo[1].htm (352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388625919[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388650495[1].jpg (3433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388650164[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baidu-form[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\123logo[1].gif (1272 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388650112[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1388650139[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1388625895[1].jpg (1058 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\core[1].php (797 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@5w[2].txt (757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tool6[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tool2[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tool3[1].png (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (8772 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@5w[1].txt (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388650189[1].jpg (290 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tool7[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tool5[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\baidu[1].gif (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (145 bytes)
%Program Files%\pcWeather365\weatherData.tmp (358 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (137 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (302 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pm25Info\pm25Info.db.!mv (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pmAqiInfo[1].xml (329 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db.!mv (584 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\updateInfo.db.!mv (608 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pmAqiInfo\pmAqiInfo.db.!mv (329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pm25Info[1].xml (615 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\updateInfo[1].xml (608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\weatherInfo[1].xml (584 bytes)
%Program Files%\Yyfm\201413\Skin\frmplaylist.xml (5 bytes)
%Program Files%\Yyfm\201413\Data\version.ini (32 bytes)
%Program Files%\Yyfm\201413\Skin\more.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\MessageBox.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_list_bk.png (1552 bytes)
%Program Files%\Yyfm\201413\Skin\color_011.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionseta.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\voice0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\voiceall0528.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\AutoRunTipFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_013.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\sound.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_ok_red.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\btn_close.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\color_008.bmp (556 bytes)
%Program Files%\Yyfm\201413\Skin\suspensiontopahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\random02a.jpg (2 bytes)
%Program Files%\Yyfm\201413\avcore.dll (2392 bytes)
%Program Files%\Yyfm\201413\Skin\mainframeshadow.png (4992 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionmina.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_mutevol.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\steup.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\btn_kw.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\sys_check_btn_whiter.png (318 bytes)
%Program Files%\Yyfm\201413\Skin\frmplayer.xml (10 bytes)
%Program Files%\Yyfm\201413\Skin\voice0a0528.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\playingnext.png (4 bytes)
%Program Files%\Yyfm\201413\picture\baidu_c2cec3fdfc03924517c1df928694a4c27d1e2532.jpg (784 bytes)
%Program Files%\Yyfm\201413\Skin\dash.png (955 bytes)
%Program Files%\Yyfm\201413\Skin\remembertt.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_color.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\collection.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\downdahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\mini´°.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\LyricFrameVoice.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\playingvoice.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnsteup.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\pl_res.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_5.png (5 bytes)
%Program Files%\Yyfm\201413\lyrics\baidu_13766042.lrc (1 bytes)
%Program Files%\Yyfm\201413\Skin\LoginBk.png (3312 bytes)
%Program Files%\Yyfm\201413\Skin\SetTipFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\input-user.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\lyriclike.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_ok_blue.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\random01hover.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\random02hover.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\pl_btn_down.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\loading01.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pushedVolume.png (2 bytes)
%Program Files%\Yyfm\201413\picture\baidu_e1fe9925bc315c60bbe955728cb1cb134954772a.jpg (784 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionfeedbackahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\downda.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\progress_fore.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\SelectColor_SliderBar_Thumb.png (1 bytes)
%Program Files%\Yyfm\201413\picture\baidu_c8ea15ce36d3d539f9c9305e3b87e950342ab0b2.jpg (784 bytes)
%Program Files%\Yyfm\201413\Skin\random01.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\mini.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_001.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnexit - ¸±±¾.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\playingrandom.jpg (1 bytes)
%Program Files%\Yyfm\201413\YyfmPlay.exe (32784 bytes)
%Program Files%\Yyfm\201413\Skin\frmProgressToolTip.xml (393 bytes)
%Program Files%\Yyfm\201413\Skin\next0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_009.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\lyriclikea.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\random03hover.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_6.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\loading04.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmDropDownMenuFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\PlayerUpdate.exe (5064 bytes)
%Program Files%\Yyfm\201413\Skin\tab_comm.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\hotkeytipbk.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\sys_check_btn_red.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\minea.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\close.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn-fav.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionfeedbacka.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\reflash.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\border.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnmini.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnexit.png (4 bytes)
%Program Files%\Yyfm\201413\libav.dll (6360 bytes)
%Program Files%\Yyfm\201413\Skin\bg3.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\Òôÿµ÷½Úµã.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn-login2.png (6 bytes)
%Program Files%\Yyfm\201413\Skin\home.png (2 bytes)
%Program Files%\Yyfm\201413\icon\gouwu.ico (9 bytes)
%Program Files%\Yyfm\201413\Skin\list_scroll_bar.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\sound100.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmConfig.xml (4 bytes)
%Program Files%\Yyfm\201413\Skin\font_bkcolor.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionminahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn-anonymity.png (8 bytes)
%Program Files%\Yyfm\201413\Skin\color_012.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_4.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\pl_close.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\lyricdelete.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\list_play.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\PlayProgressForeImage.png (142 bytes)
%Program Files%\Yyfm\201413\Skin\btn_db.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\btn_comm.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_bg.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\playerbg01.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_split.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_3.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\btn_9k.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\FrmMenuFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_itself.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\sound (2).jpg (1 bytes)
%Program Files%\Yyfm\201413\lyrics\baidu_13881991.lrc (1 bytes)
%Program Files%\Yyfm\201413\Skin\button.png (3 bytes)
%Program Files%\Yyfm\201413\avutil-52.dll (5520 bytes)
%Program Files%\Yyfm\201413\Skin\pl_small.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_002.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\btn_fh.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\color_014.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\fbcaptionbk.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmLrc.xml (7 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_2.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\random01a.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\color_007highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\DownLoadProgressForeImage.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\frmlogin.xml (3 bytes)
%Program Files%\Yyfm\201413\Skin\pl_set.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionclosea.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\forgettt.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\play0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\LrcBk.png (7 bytes)
%Program Files%\Yyfm\201413\Skin\next.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\color_002highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\color_005.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\lrclist.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\menu.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionset.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensiontop.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_005highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\btn_bd.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\back.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_3.png (3 bytes)
%Program Files%\Yyfm\201413\icon\ccjs.ico (13 bytes)
%Program Files%\Yyfm\201413\Skin\headimg.png (784 bytes)
%Program Files%\Yyfm\201413\Skin\pl_big.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_sc.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\FrmFeedBack.xml (411 bytes)
%Program Files%\Yyfm\201413\Skin\color_006highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\frmWindowLrcParent.xml (157 bytes)
%Program Files%\Yyfm\201413\Skin\list_pause.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_unsel.bmp (5 bytes)
%Program Files%\Yyfm\201413\Skin\listahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_1.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\font_forecolor.png (1 bytes)
%Program Files%\Yyfm\201413\DuiLib.dll (16288 bytes)
%Program Files%\Yyfm\201413\Skin\frmWindowLrc.xml (174 bytes)
%Program Files%\Yyfm\201413\Skin\color_001highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\WindowLrcbkIamge.png (732 bytes)
%Program Files%\Yyfm\201413\Skin\loading02.png (1 bytes)
%Documents and Settings%\All Users\Desktop\音乐FM.lnk (757 bytes)
%Program Files%\Yyfm\201413\Skin\pl_play.png (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÒôÀÖFM\ÅäÖù¤¾ß\Ã¶ÔØÒôÀÖFM.lnk (764 bytes)
%Program Files%\Yyfm\201413\Skin\playinging.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\progresstooltipbk.png (1552 bytes)
%Program Files%\Yyfm\201413\Skin\voice00528.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionclose.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_016.bmp (1 bytes)
%Program Files%\Yyfm\201413\Skin\sys_check_btn_blue.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\lista.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\history.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\BtnRightTop.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\play2.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\slider_bg.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_2.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\125x125.jpg (784 bytes)
%Program Files%\Yyfm\201413\Skin\FrmSystemMenuFrame.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_bg.bmp (784 bytes)
%Program Files%\Yyfm\201413\Skin\pl_vol.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_003.bmp (560 bytes)
%Program Files%\Yyfm\201413\Skin\random0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_xm.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\random03a.jpg (1 bytes)
%Program Files%\Yyfm\201413\YYNews.exe (20416 bytes)
%Program Files%\Yyfm\201413\Skin\lyriclikea2.png (3 bytes)
%Program Files%\Yyfm\201413\source.dll (6584 bytes)
%Program Files%\Yyfm\201413\Skin\color_006.bmp (560 bytes)
%Program Files%\Yyfm\201413\Skin\pop_bkimage.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\list_scroll_bar2.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionlogin.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_7.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\lyricdeletea.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmSetWindowLrcFrame.xml (3 bytes)
%Program Files%\Yyfm\201413\Skin\btn-next.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\min.png (1 bytes)
%Program Files%\Yyfm\201413\channels.xml (784 bytes)
%Program Files%\Yyfm\201413\Skin\pl_feedback.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\voice1000528.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionmin.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn_ok.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionsetahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_next.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\like.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\list_item.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\list_title_bg.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\list.png (1 bytes)
%Program Files%\Yyfm\201413\swresample-0.dll (3312 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_1.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionbigahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_desktop.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmPopWnd.xml (354 bytes)
%Program Files%\Yyfm\201413\Skin\playingpreva.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_icon.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\playingplaying.jpg (2 bytes)
%Program Files%\Yyfm\201413\Skin\color_004highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\prev.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\progresstooltip.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\btn-delete.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\btn-play.png (5 bytes)
%Program Files%\Yyfm\201413\Unins.exe (9608 bytes)
%Program Files%\Yyfm\201413\Skin\playinginga.jpg (5 bytes)
%Program Files%\Yyfm\201413\Skin\power.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\color_015.bmp (1 bytes)
%Program Files%\Yyfm\201413\icon\ie.ico (784 bytes)
%Program Files%\Yyfm\201413\Skin\pl_back.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensiontopa.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\lyricmute.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmLrcChild.xml (263 bytes)
%Program Files%\Yyfm\201413\Skin\color_007.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\prevention.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\random02.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\playingprev.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\frmWebBrowser.xml (308 bytes)
%Program Files%\Yyfm\201413\avcodec-54.dll (23936 bytes)
%Program Files%\Yyfm\201413\Skin\bkcolor_6.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_5.png (5 bytes)
%Program Files%\Yyfm\201413\avformat-54.dll (12536 bytes)
%Program Files%\Yyfm\201413\Skin\mineahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_pause.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionfeedback.png (1 bytes)
%Program Files%\Yyfm\201413\audio.dll (3616 bytes)
%Program Files%\Yyfm\201413\Skin\frmdownmenu.xml (1 bytes)
%Program Files%\Yyfm\201413\lyrics\baidu_262581.lrc (993 bytes)
%Program Files%\Yyfm\201413\Skin\lyricdeletea2.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\btn-login.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\pl_prev.png (1 bytes)
%Program Files%\Yyfm\201413\pthreadGC2.dll (3616 bytes)
%Program Files%\Yyfm\201413\Skin\btn-pause.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\icon.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\list_item_bg.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnfeedback.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\playerbg02.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\channel.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\mine.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\bg_2.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\BtnHidePlayList.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\playingrandoma.jpg (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\音乐FM\音乐FM.lnk (769 bytes)
%Program Files%\Yyfm\201413\Skin\lyrictoplay.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_003highlight.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\input-password.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\prev0520.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\musiclibrary.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\random.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\scrollbar.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\color_010.bmp (1 bytes)
%Program Files%\Yyfm\201413\favorfm.xml (66 bytes)
%Program Files%\Yyfm\201413\Skin\color_004.bmp (564 bytes)
%Program Files%\Yyfm\201413\Skin\bg2.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\sys_check_btn.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btnmin.png (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\音乐FM\官方主页.lnk (334 bytes)
%Program Files%\Yyfm\201413\Skin\downd.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensioncloseahover.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\pl_forward.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\update.xml (2 bytes)
%Program Files%\Yyfm\201413\Data\setup.ini (111 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionbiga.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\search.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\playersidebg.jpg (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmColor.xml (1 bytes)
%Program Files%\Yyfm\201413\Skin\DefaultUserImage.jpg (6 bytes)
%Program Files%\Yyfm\201413\Skin\ÒôÿÌõ.png (1 bytes)
%Program Files%\Yyfm\201413\Data\dh.ini (56 bytes)
%Program Files%\Yyfm\201413\Skin\system_menu_btntop.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\max.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\playerlist.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\loading03.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\suspensionbig.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\normalVolume.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_7.png (5 bytes)
%Program Files%\Yyfm\201413\Skin\color_008highlight.bmp (552 bytes)
%Program Files%\Yyfm\201413\Skin\forecolor_4.png (4 bytes)
%Program Files%\Yyfm\201413\Skin\320x225.png (784 bytes)
%Program Files%\Yyfm\201413\Skin\bk.png (3616 bytes)
%Program Files%\Yyfm\201413\Skin\feedback.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\tooltipbk.png (319 bytes)
%Program Files%\Yyfm\201413\Skin\exit.png (2 bytes)
%Program Files%\Yyfm\201413\Skin\astop.png (3 bytes)
%Program Files%\Yyfm\201413\Skin\pl_btn_on.png (1 bytes)
%Program Files%\Yyfm\201413\Skin\FrmHotKeyTip.xml (482 bytes)
%Program Files%\Yyfm\201413\Skin\random03.jpg (1 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (474 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-QI0R1.tmp\setup_a7158.tmp (7386 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YyfmPlay_201413" = "%Program Files%\Yyfm\201413\YyfmPlay.exe -mini"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BoxNews_201413" = "%Program Files%\Yyfm\201413\YYNews.exe -mini"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.