Trojan.NSIS.StartPage_682695d020
Trojan.Win32.Badur.gckd (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Artemis!682695D020C8 (McAfee), WS.Reputation.1 (Symantec), SHeur4.ALHH (AVG), Win32:Malware-gen (Avast), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 682695d020c84b3678c693c2c2f27ac6
SHA1: 53b24482866dc7d76b0a942bf95ba3d75fefdf69
SHA256: 2ac5d534c9198c656762be72ada7992a54e177d05d5d71ea17c801780ae0a4b5
SSDeep: 24576:7Dm3zJSehDs74Z6mR3FYze0YRQKYgaNzjG4u2fU55TBr/z:fwz0EzZT1YzH0QKYDNfG4u2fU55Tdr
Size: 1634717 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
weatherRealTimeService.exe:2020
hrbvuq_70254.exe:332
weatherPng2Ico.exe:2020
setup_qd334.exe:1696
pcWeather365.exe:828
tianqiUpdate.1004.exe:1664
365weatherIns_6:1724
mscorsvw.exe:172
The Trojan injects its code into the following process(es):
%original file name%.exe:1856
greendou.exe:384
File activity
The process hrbvuq_70254.exe:332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (125174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\tmps3v833.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\BDMNetGetInfo.dll (9608 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (0 bytes)
The process weatherPng2Ico.exe:2020 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF15A2.tmp (0 bytes)
The process %original file name%.exe:1856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\nsRandom.dll (935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\desktop.ini (67 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\open.ini (2 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (25580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (111510 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hrbvuq_70254.exe (195336 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (262629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (902 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\processwork.dll (6140 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (348 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_qd334.exe (17240 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nigqvra_30310.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
The process setup_qd334.exe:1696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nstC.tmp\setup_qd334.gif.partial (75957 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstC.tmp\metadl.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp (8533 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstC.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsdA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstC.tmp (0 bytes)
The process pcWeather365.exe:828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (145 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (288 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Program Files%\pcWeather365\weatherData.tmp (341 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (139 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (306 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
The process tianqiUpdate.1004.exe:1664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\pm25Info[1].xml (615 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pngicoInfo\pngicoInfo.db.!mv (571 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\pmAqiInfo[1].xml (331 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db.!mv (584 bytes)
%Program Files%\pcWeather365\skins\common\363.ico.!mv (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\pngicoInfo[1].xml (571 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\weatherInfo[1].xml (584 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pmAqiInfo\pmAqiInfo.db.!mv (331 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (1390 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\updateInfo[1].xml (608 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\363[1].ico (145 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pm25Info\pm25Info.db.!mv (615 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\updateInfo.db.!mv (608 bytes)
%Program Files%\pcWeather365\config.ini (200 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF4D65.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (0 bytes)
The process 365weatherIns_6:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\ToggleImages.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\checkbox2.bmp (5 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\bg.bmp (18424 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cnzzonline.html (2 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\btn_close.bmp (2 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (79841 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\inetc.dll (784 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报.lnk (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\newfeather2.jpg (784 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\loading1.bmp (456 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\btn_complete.bmp (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\checkbox1.bmp (5 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\loading2.bmp (456 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\btn_next.bmp (3616 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ã¶ÔØ.lnk (804 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\md5dll.dll (8 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\newfeather1.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\newfeather3.jpg (784 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi7.tmp (0 bytes)
The process greendou.exe:384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\21.1[1].png (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\FiiutyiMcM[1].js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\baidu-form[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\textlink-ads[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\wph-1224[1].jpg (2770 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\hao123[1].htm (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\hao123[1].htm (14268 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\www.hao123[1].xml (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\logonew-24[1].png (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\d7dcd9063c58bcf494d2d6ee6098e107[1].jpg (2498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\site-tip-fs8[1].png (50 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (4537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\wHFhxVDOgf[1].js (4546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\290fe6185f875d2edc8e0c604aeec4c5[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\9a609c2207b011fa737f549787c16246[1].jpg (1714 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\erjiicon_png8[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX3.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\tizi[1].png (181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\index_icon[1].png (11391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\blank[1].gif (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\sugdata[1].js (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\LocalStorage[1].swf (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\LWLSJgsieY[1].js (1937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\a0[2].png (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\jLZZdlZktC[1].js (930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\RUVnWBroCd[1].js (597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\290fe6185f875d2edc8e0c604aeec4c5[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\JompzATkEJ[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\IvHLvpjSZl[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\BkznmhpMso[1].js (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\coolhint[1].png (463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\logonew[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\hf_body_bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\xyx_api_proxy[1].html (758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\facb15c9aa22d2e011ae94f88cb6b5fb[1].jpg (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\navigate-1[1].png (635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\a0[1].png (1716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\shortcut[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\b61dd7b9d4d116dcc484857611fb2bcb[1].jpg (1001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\a0[1].png (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\YGKeUDnXqV[1].css (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\xyx_api_proxy[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\ZNYvbkuJPN[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\xyx_api[1].js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\8H5ZVPUJ\s1.hao123img.com\index\swf\LocalStorage.swf\$hao123$.sxx (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\ssugdata[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\EyrRWikSPx[1].js (627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\OqPzSlIEsk[1].js (1586 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (2532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\khByJQNVqR[1].js (2485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\track[1].js (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\tip_close-ie-fs8[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\3780[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\FknMSkBHaj[1].js (1963 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com\settings.sxx (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\a09b5bc3b80ee0d80d651e1139e1de4d[1].jpg (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\getinterest[1].htm (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\web_png8[1].png (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\cupRkmfFoo[1].js (23 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (2062 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\www.hao123[1].xml (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\lazy-loading[1].gif (1002 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\kBzAajSXDG[1].css (13 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (6748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\favicon[1].ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\qXQrXDtqtK[1].js (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\nmtnhxeLdD[1].css (3792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\defaultIcon0708[1].png (883 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[2].txt (1415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\8447613e85c841183c5c1c4175eba24d[1].jpg (2646 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\CALW8FHL.gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\blank[1].gif (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\NxSmTlnGDI[1].js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\newforecast[1] (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\xyx_api_proxy[1].html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\blank[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\a0[1].png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\8H5ZVPUJ\s1.hao123img.com\index\swf\LocalStorage.swf\$hao123$.sxx (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\blank[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021320130214 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216\index.dat (0 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\www.hao123[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\290fe6185f875d2edc8e0c604aeec4c5[1].png (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130212\index.dat (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021520130216 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\a0[2].png (0 bytes)
The process mscorsvw.exe:172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (458 bytes)
Registry activity
The process weatherRealTimeService.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 9D C4 C0 7D 24 16 D0 48 78 34 45 7F 2D B0 6A"
[HKCR\AppID\weatherService.EXE]
"AppID" = "{636DA746-D508-400B-86A0-AE7F3C4008F7}"
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService" = "weatherRealTimeService"
"(Default)" = "weatherService"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService"
The process hrbvuq_70254.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 49 76 33 80 60 E3 E5 A6 5D 7B 6D 41 89 A0 D3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process weatherPng2Ico.exe:2020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 A3 80 76 AB 89 7A B1 51 A1 BC E9 5F 8E 00 A2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process %original file name%.exe:1856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"Publisher" = "aaa319"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayName" = "绿豆浏览器 1.0.0.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF E6 3F 26 D3 B8 72 8E 3A 45 6B 6B 1F 2A 8E A2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayVersion" = "1.0.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process setup_qd334.exe:1696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 DA 2B 72 DF 67 5B 0A E1 F8 94 AC D7 65 FA 50"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process pcWeather365.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\pcWeather365]
"tianqiUpdate.1004.exe" = "气象升级更新"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 7B BC 4E 6B D5 7E 86 21 A4 3A 50 F0 76 EA F6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tianqiUpdate.1004.exe:1664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\pcWeather365]
"weatherPng2Ico.exe" = "气象图标自动校检模块"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 EA 3A 55 75 67 1A 69 FC 82 A3 4E 29 00 18 9F"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Cache" = "A8 03 00 00 02 00 00 00 E3 04 00 00 01 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 365weatherIns_6:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"UninstallString" = "%Program Files%\pcWeather365\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayIcon" = "%Program Files%\pcWeather365\pcWeather365.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"appdata" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"URLInfoAbout" = "http://114tq.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"quick" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"Publisher" = "365气象工作室"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"(Default)" = "%Program Files%\pcWeather365\pcWeather365.exe"
"desk" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"pcWeather365/weatherRealTimeService.exe" = "weatherRealTimeService"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayName" = "pcWeather365 1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Mac" = "00-0C-29-5D-CB-C0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 98 1E E1 BD 1A BD 22 E3 C6 27 11 F8 C3 72 1C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayVersion" = "1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"jieguo" = "mac=00-0C-29-5D-CB-C0&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=84fc481904ce41c6e06ca40bf9f452ca"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process greendou.exe:384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-12693" = "Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014011120140112]
"CachePrefix" = ":2014011120140112:"
"CacheLimit" = "8192"
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "greendou.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014011120140112]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "greendou.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1244086619"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014011120140112]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014011120140112\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 5A 77 42 AF EF 16 3A 9D 84 DC AB EA CE BE 38"
[HKCU\Software\Gie]
"update2" = "2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
The Trojan modifies IE security zone settings to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130212]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021520130216]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021320130214]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\System\CurrentControlSet\Services\Tcpip\Performance]
"Error Count"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Macromedia\FlashPlayer]
"FlashPlayerVersion"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://223.255.145.200/favicon.ico | |
| hxxp://223.255.145.200/ | |
| hxxp://hao123.g.shifen.com/?tn=90511352_hao_pg | |
| hxxp://hao123.g.shifen.com/v4/nm/tn/hx/eL/dD/nmtnhxeLdD.css | |
| hxxp://hao123.g.shifen.com/v4/YG/Ke/UD/nX/qV/YGKeUDnXqV.css | |
| hxxp://hao123.g.shifen.com/v4/00/27/7X/CU/Rs/hf_body_bg.png | |
| hxxp://hao123.g.shifen.com/res/images/search_logo/web_png8.png | |
| hxxp://hao123.g.shifen.com/res/img/logo/logonew.png | |
| hxxp://hao123.g.shifen.com/v4/0W/L5/6s/Z6/qK/6/index_icon.png | |
| hxxp://hao123.g.shifen.com/v4/0W/m8/xk/V4/_g/2/baidu-form.png | |
| hxxp://hao123.g.shifen.com/v4/RU/Vn/WB/ro/Cd/RUVnWBroCd.js | |
| hxxp://hao123.g.shifen.com/res/ecom/wph-1224.jpg | |
| hxxp://hao123.g.shifen.com/v4/kB/zA/aj/SX/DG/kBzAajSXDG.css | |
| hxxp://hao123.g.shifen.com/v4/Iv/HL/vp/jS/Zl/IvHLvpjSZl.css | |
| hxxp://hao123.g.shifen.com/v4/4w/ZG/ms/BT/sz/1/tizi.png | |
| hxxp://hao123.g.shifen.com/res/img/2013/lazy-loading.gif | |
| hxxp://hao123.g.shifen.com/res/r/image/2014-01-11/9a609c2207b011fa737f549787c16246.jpg | |
| hxxp://hao123.g.shifen.com/v4/Tt/-9/3I/2J/Fx/5/erjiicon_png8.png | |
| hxxp://hao123.g.shifen.com/res/img/index/navigate-1.png | |
| hxxp://hao123.g.shifen.com/res/r/image/2014-01-07/a09b5bc3b80ee0d80d651e1139e1de4d.jpg | |
| hxxp://bcs.jomodns.com/urlicon/21.1.png | |
| hxxp://bcs.jomodns.com/urlicon/3780.png | |
| hxxp://hao123.g.shifen.com/res/r/image/2014-01-11/facb15c9aa22d2e011ae94f88cb6b5fb.jpg | |
| hxxp://hao123.g.shifen.com/img/1L/Aw/2F/mk/ch/o/blank.gif | |
| hxxp://hao123.g.shifen.com/res/img/defaultIcon0708.png | |
| hxxp://hao123.g.shifen.com/favicon.ico | |
| hxxp://hao123.g.shifen.com/v4/wH/Fh/xV/DO/gf/wHFhxVDOgf.js | |
| hxxp://hao123.g.shifen.com/v4/jL/ZZ/dl/Zk/tC/jLZZdlZktC.js | |
| hxxp://hao123.g.shifen.com/v4/Fk/nM/Sk/BH/aj/FknMSkBHaj.js | |
| hxxp://hao123.g.shifen.com/v4/qX/Qr/XD/tq/tK/qXQrXDtqtK.js | |
| hxxp://shadu.n.shifen.com/index/minidownload/30310 | |
| hxxp://hao123.g.shifen.com/v4/Nx/Sm/Tl/nG/DI/NxSmTlnGDI.js | |
| hxxp://hao123.g.shifen.com/adimages/textlink-ads.gif | |
| hxxp://hao123.g.shifen.com/v4/Oq/Pz/Sl/IE/sk/OqPzSlIEsk.js | |
| hxxp://static.n.shifen.com/h.gif?level=1&page=index&v=rpidmapping&hao123_baiduid=F40161B74931642731FFAC5B526D64A1&hao123_flashid=undefined&pid=113&r=1389404631902 | |
| hxxp://hao123.g.shifen.com/v4/kh/By/JQ/NV/qR/khByJQNVqR.js | |
| hxxp://hao123.g.shifen.com/res/js/track.js?385945 | |
| hxxp://hao123.g.shifen.com/index/swf/LocalStorage.swf | |
| hxxp://hao123.g.shifen.com/v4/LW/LS/Jg/si/eY/LWLSJgsieY.js | |
| hxxp://hao123.g.shifen.com/images/track.gif?level=1&page=index&type=menu&cur=index&r=1389404638246 | |
| hxxp://hao123.g.shifen.com/ | |
| hxxp://hao123.g.shifen.com/images/track.gif?level=1&page=index&type=KFC&code=0&r=1389404638824 | |
| hxxp://hao123.g.shifen.com/api/ssugdata?c=F40161B74931642731FFAC5B526D64A1&r=4631348 | |
| hxxp://hao123.g.shifen.com/sugdata.js?r=-771892 | |
| hxxp://hao123.g.shifen.com/res/tip_close-ie-fs8.png | |
| hxxp://hao123.g.shifen.com/res/site-tip-fs8.png | |
| hxxp://hao123.g.shifen.com/v4/cu/pR/km/fF/oo/cupRkmfFoo.js | |
| hxxp://hao123.g.shifen.com/res/img/logo/logonew-24.png | |
| hxxp://hao123.g.shifen.com/v4/Bk/zn/mh/pM/so/BkznmhpMso.js | |
| hxxp://hao123.g.shifen.com/v4/ZN/Yv/bk/uJ/PN/ZNYvbkuJPN.js | |
| hxxp://hao123.g.shifen.com/images/timer.gif?_=1389404639887 | |
| hxxp://hao123.g.shifen.com/api/newforecast?callback=jQuery17204016030610081334_1389404637387&t=1&_=1389404639933 | |
| hxxp://hao123.g.shifen.com/v4/Ey/rR/Wi/kS/Px/EyrRWikSPx.js | |
| hxxp://hao123.g.shifen.com/v4/Jo/mp/zA/Tk/EJ/JompzATkEJ.js | |
| hxxp://a1293.d.akamai.net/get/flashplayer/update/current/install/version.xml11.6.602.168~installVector=6&lang=en&cpuWordLength=32&playerType=ax&os=win&osVer=7 | |
| hxxp://hao123.g.shifen.com/res/js/xyx_api.js?_=385945 | |
| hxxp://hao123.g.shifen.com/api/getinterest?c=F40161B74931642731FFAC5B526D64A1&_=1389404641855 | |
| hxxp://hao123.g.shifen.com/v4/Fi/iu/ty/iM/cM/FiiutyiMcM.js | |
| hxxp://hao123.g.shifen.com/v4/rr/DB/HB/8z/lZ/1/coolhint.png | |
| hxxp://hao123.g.shifen.com/xyx_api_proxy.html?v=192973 | |
| hxxp://hao123.g.shifen.com/index/images/weather/icon/a0.png | |
| hxxp://hao123.g.shifen.com/v4/00/pY/54/BX/JA/1/shortcut.png | |
| hxxp://hao123.g.shifen.com/images/track.gif?tm=1389404639&embed=0&ho=0&type=access&r=1389404639637&v=1.1.3&level=1&page=index&pageId=hao123-indexnu&pf_fms=0&pf_bd=0000&pf_gw=0&pf_nav=0&rp=1&navmore=0&skin=skin-color-green&isSiteUser=000&ostype=0&menu=index&mw=2&gxzq=0&gx_t0=0&gx_t1=0&gx_t2=0&gx_t3=0&gx_t4=0&gx_navmore=0&gx_relax=0&gx_sh=0&gx_wl=0&gx_gw=0&gx_c_sp=ysdq&gx_c_tt=xwdq&gx_yx=0&gx_c_sj=sjyy&gx_c_xxyl=jpy&gx_menu=index&gx_cywz=0&gx_jF=0 | |
| hxxp://hao123.g.shifen.com/images/track.gif?level=1&page=index&type=KTN&code=0&tn=&src=&r=1389404641574 | |
| hxxp://hao123.g.shifen.com/res/r/image/2014-01-10/290fe6185f875d2edc8e0c604aeec4c5.png | |
| hxxp://hao123.g.shifen.com/xyx_proxy.htm | |
| hxxp://hao123.g.shifen.com/images/track.gif?level=1&page=index&pageId=hao123-indexnu&pf_fms=0&pf_nav=0&pf_bd=0000&pf_gw=0&pf_mf=&pf_tf=&pf_relax=0&menu=index&navmore=0&skin=skin-color-green&isSiteUser=000&ostype=0&ie=1&home=0&rp=1&mw=2&gxzq=0&type=flash&r=1389404643183 | |
| hxxp://hao123.g.shifen.com/res/r/image/2014-01-11/d7dcd9063c58bcf494d2d6ee6098e107.jpg | |
| hxxp://hao123.g.shifen.com/res/r/image/2014-01-11/b61dd7b9d4d116dcc484857611fb2bcb.jpg | |
| hxxp://hao123.g.shifen.com/res/r/image/2014-01-10/8447613e85c841183c5c1c4175eba24d.jpg | |
| hxxp://lm.beilequ.com/update/365/365weatherIns_61.rar (ET POLICY PE EXE or DLL Windows file download, Malicious) | |
| hxxp://08911.xdwscache.glb0.lxdns.com/qdn/setup_qd334.txt | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/aztongji/aztongji_61.html | |
| hxxp://sj88.www.web.glb0.ldcache.net/hezi/jm/setup_a7158.rar | |
| hxxp://08911.xdwscache.glb0.lxdns.com/qdn/setup_qd334.gif | |
| hxxp://weather51la.cnzz.uujzy.com/post/ | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/weatherPng/cnzz.html | |
| hxxp://tongji.uujzy.com/tongji.html?1.0.1004_id61_md1_os1 | |
| hxxp://js.users.51.la/15909623.js | |
| hxxp://icon.ajiang.net/icon_9.gif | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/_61/cnzz.html | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/cnzz.html | |
| hxxp://weather51la.cnzz.uujzy.com/cnzz/weather/1.0.0.1004/weatherdata/weatherInfo.xml | |
| hxxp://int.dpool.sina.com.cn/iplookup | |
| hxxp://int.dpool.sina.com.cn/iplookup/ (SURICATA STREAM TIMEWAIT ACK with wrong seq) | |
| www.xzsky.com | |
| web2.51.la | |
| p.x.baidu.com | |
| weather.uujzy.com | |
| img2.hao123.com | |
| s1.hao123img.com | |
| weather51la.cnzz.beilequ.com | |
| s0.hao123img.com | |
| nsclick.baidu.com | |
| fpdownload2.macromedia.com | |
| www.sj88.com | |
| shadu.baidu.com | |
| img1.hao123.com | |
| down.guangsu.cn | |
| www.biso.cc | |
| weather51la.cnzz.alivcd.com | |
| www.hao123.com | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
weatherRealTimeService.exe:2020
hrbvuq_70254.exe:332
weatherPng2Ico.exe:2020
setup_qd334.exe:1696
pcWeather365.exe:828
tianqiUpdate.1004.exe:1664
365weatherIns_6:1724
mscorsvw.exe:172
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (125174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\tmps3v833.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp\BDMNetGetInfo.dll (9608 bytes)
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\nsRandom.dll (935 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\desktop.ini (67 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\open.ini (2 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (25580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (111510 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hrbvuq_70254.exe (195336 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (262629 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (902 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\processwork.dll (6140 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (348 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_qd334.exe (17240 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstC.tmp\setup_qd334.gif.partial (75957 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstC.tmp\metadl.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp (8533 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstC.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (145 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (288 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Program Files%\pcWeather365\weatherData.tmp (341 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (139 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (306 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\pm25Info[1].xml (615 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pngicoInfo\pngicoInfo.db.!mv (571 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\pmAqiInfo[1].xml (331 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db.!mv (584 bytes)
%Program Files%\pcWeather365\skins\common\363.ico.!mv (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\pngicoInfo[1].xml (571 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\weatherInfo[1].xml (584 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pmAqiInfo\pmAqiInfo.db.!mv (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\updateInfo[1].xml (608 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\363[1].ico (145 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pm25Info\pm25Info.db.!mv (615 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\updateInfo.db.!mv (608 bytes)
%Program Files%\pcWeather365\config.ini (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\ToggleImages.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\checkbox2.bmp (5 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\bg.bmp (18424 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cnzzonline.html (2 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\btn_close.bmp (2 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (79841 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\inetc.dll (784 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报.lnk (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\newfeather2.jpg (784 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\loading1.bmp (456 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\btn_complete.bmp (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\checkbox1.bmp (5 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\loading2.bmp (456 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\btn_next.bmp (3616 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\SkinBtn.dll (4 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报卸载.lnk (804 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\md5dll.dll (8 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\newfeather1.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\newfeather3.jpg (784 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\21.1[1].png (378 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\FiiutyiMcM[1].js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\baidu-form[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\textlink-ads[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\wph-1224[1].jpg (2770 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\hao123[1].htm (79 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\hao123[1].htm (14268 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\www.hao123[1].xml (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\logonew-24[1].png (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\d7dcd9063c58bcf494d2d6ee6098e107[1].jpg (2498 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\site-tip-fs8[1].png (50 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (4537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\wHFhxVDOgf[1].js (4546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\290fe6185f875d2edc8e0c604aeec4c5[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\9a609c2207b011fa737f549787c16246[1].jpg (1714 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\erjiicon_png8[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX3.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\tizi[1].png (181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\index_icon[1].png (11391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\blank[1].gif (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\sugdata[1].js (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\LocalStorage[1].swf (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\LWLSJgsieY[1].js (1937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\a0[2].png (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\jLZZdlZktC[1].js (930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\RUVnWBroCd[1].js (597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\290fe6185f875d2edc8e0c604aeec4c5[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\JompzATkEJ[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\IvHLvpjSZl[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\BkznmhpMso[1].js (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\coolhint[1].png (463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\logonew[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\hf_body_bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\xyx_api_proxy[1].html (758 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\facb15c9aa22d2e011ae94f88cb6b5fb[1].jpg (561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\navigate-1[1].png (635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\a0[1].png (1716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\shortcut[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\b61dd7b9d4d116dcc484857611fb2bcb[1].jpg (1001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\a0[1].png (98 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\YGKeUDnXqV[1].css (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\xyx_api_proxy[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\ZNYvbkuJPN[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\xyx_api[1].js (1 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\8H5ZVPUJ\s1.hao123img.com\index\swf\LocalStorage.swf\$hao123$.sxx (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\ssugdata[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\EyrRWikSPx[1].js (627 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\OqPzSlIEsk[1].js (1586 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\khByJQNVqR[1].js (2485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\track[1].js (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\tip_close-ie-fs8[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\3780[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\FknMSkBHaj[1].js (1963 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com\settings.sxx (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\a09b5bc3b80ee0d80d651e1139e1de4d[1].jpg (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\getinterest[1].htm (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\web_png8[1].png (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\cupRkmfFoo[1].js (23 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (2062 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\www.hao123[1].xml (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\lazy-loading[1].gif (1002 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\kBzAajSXDG[1].css (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\favicon[1].ico (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\qXQrXDtqtK[1].js (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\nmtnhxeLdD[1].css (3792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\defaultIcon0708[1].png (883 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[2].txt (1415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\8447613e85c841183c5c1c4175eba24d[1].jpg (2646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ECYDOVLX\CALW8FHL.gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\UNU14D2L\blank[1].gif (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OTS7YT69\NxSmTlnGDI[1].js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CNQVERCN\newforecast[1] (1 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (458 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.