Trojan.NSIS.StartPage_a31d77c494

by malwarelabrobot on January 4th, 2015 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a31d77c4941277b89798cb0197973ae4
SHA1: 6ca7be3bd02363228ceee06b9884df2f7438b949
SHA256: 00affff4ba47d45a04b15bf1c57996efd18f200c0b499dfd8c8c69725688fdb0
SSDeep: 12288:LyXZZthSgM0WupPJdBxrXWT60EQHnxGuT/MI6CV44o:LyXnSgMF4dBxYjkuT/wA44o
Size: 628600 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-19 00:33:27
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

install.exe:352
OneDay.exe:340
ksimekusu_zhim_007.exe:680
KS21860.exe:136
%original file name%.exe:1540
CreateShortcut.exe:1500

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process OneDay.exe:340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process ksimekusu_zhim_007.exe:680 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\nsis.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\中文之星双拼.ini (526 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\wordlib\sys.wlb (39329 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\bg_main.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\bg_status.png (4 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\提示.ini (960 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzjf.dat (784 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\设置.lnk (826 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\蓝天双拼.ini (912 bytes)
%Program Files%\KS2015010306\V21860\imeunit.exe (4992 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\phrase\ÎҵĶÌÓï.ini (24 bytes)
%Program Files%\KS2015010306\V21860\msvcr100.dll (25824 bytes)
%Program Files%\KS2015010306\V21860\uninst.exe (838 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\theme.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\line.png (143 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeSkin.dll (1552 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\默认主题\buttons.png (5 bytes)
%Program Files%\KS2015010306\V21860\install.exe (1856 bytes)
%Program Files%\KS2015010306\V21860\imetool.exe (6360 bytes)
%Program Files%\KS2015010306\V21860\imeword.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\固顶字.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeTool.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\j2f.dat (11048 bytes)
%Program Files%\KS2015010306\V21860\msvcp100.dll (14184 bytes)
%Program Files%\KS2015010306\V21860\nsis.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeMini.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\智能ABC双拼.ini (686 bytes)
%Program Files%\KS2015010306\V21860\sqlite3.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\plugin.db (2 bytes)
%Program Files%\KS2015010306\V21860\DirectUI.dll (22192 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\DOS双拼.ini (674 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\修复.lnk (834 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\theme\menu_buttons.bmp (920 bytes)
%Program Files%\KS2015010306\V21860\KS21860.exe (7192 bytes)
%Documents and Settings%\%current user%\Application Data\kusuInput\wordlib\user.wlb (3 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\中文符号.ini (560 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\双拼.ini (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\卸载.lnk (621 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\拼音加加双拼.ini (538 bytes)
%System%\ksime.ime (126018 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\微软双拼.ini (682 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\phrase\系统短语库.ini (784 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\ini\自然码双拼.ini (580 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\zi\hzpy.dat (18424 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeWord.dll (1552 bytes)
%Program Files%\KS2015010306\V21860\atl100.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\KS2015010306\V21860\config.exe (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB9.tmp (285959 bytes)
%Program Files%\KS2015010306\V21860\Library.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeUnit.dll (2392 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\nsis.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB8.tmp (0 bytes)

The process %original file name%.exe:1540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\appbd.txt (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\ksimekusu_zhim_007.exe (229152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\Browser_V3.0.1354.0_r_4182_(Build14092214).exe (314625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\CreateShortcut.exe (13850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\Furt.exe (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\OneDay.exe (122112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB3.tmp (19754 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nshB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp (0 bytes)

The process CreateShortcut.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Desktop\影视大全.lnk (1 bytes)
%Program Files%\Favorite\ico\123.ico (3 bytes)
%Program Files%\Favorite\ico\360.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp (13218 bytes)
%Program Files%\Favorite\ico\tb1.ico (15 bytes)
%Program Files%\Favorite\ico\ay.ico (784 bytes)
%Documents and Settings%\%current user%\Desktop\hao123网址导航.lnk (1 bytes)
%Program Files%\Favorite\ico\sg1.ico (9 bytes)
%Documents and Settings%\%current user%\Desktop\Internet Explroer.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\Ëѹ·ÍøÖ·µ¼º½.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\360ÍøÖ·µ¼º½.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\°®ÌÔ±¦.lnk (1 bytes)
%Program Files%\Favorite\ico\movie.ico (12536 bytes)
%Program Files%\Favorite\ico\ie.ico (784 bytes)
%Program Files%\Favorite\ico\23451.ico (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsyB7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB5.tmp (0 bytes)

Registry activity

The process install.exe:352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Ime File" = "KSIME.IME"
"Layout File" = "kbdus.dll"

[HKU\.DEFAULT\Keyboard Layout\Preload]
"2" = "E0200804"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Layout" = "E0200804"

[HKCU\Keyboard Layout\Preload]
"2" = "E0200804"

[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804]
"Layout Text" = "快速拼音输入法"

The process OneDay.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 3C 26 09 AE 4C D6 81 3D 76 EC 90 33 7C CD A4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

The process ksimekusu_zhim_007.exe:680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Qudao" = "ksimekusu_zhim_007"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsxBA.tmp\nsis.dll,"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Count" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Proc" = "KS21860.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"DisplayIcon" = "%Program Files%\KS2015010306\V21860\KS21860.exe"

[HKCR\JiSu.file\DefaultIcon]
"(Default)" = "%Program Files%\KS2015010306\V21860\config.exe,0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 12 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"UninstallString" = "%Program Files%\KS2015010306\V21860\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"date" = "20150103"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"DisplayName" = "快速拼音输入法 3.0.3.9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\JiSu.file\shell\open\command]
"(Default)" = "%Program Files%\KS2015010306\V21860\config.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\.wlb]
"(Default)" = "JiSu.file"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"Publisher" = "cxmx, Inc."

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCR\JiSu.file\shell\open]
"(Default)" = "安装字库"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"DisplayVersion" = "3.0.3.9"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"InstallDir" = "%Program Files%\KS2015010306\V21860"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\快速拼音输入法]
"URLInfoAbout" = "http://jiguangshurufa.com/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 02 B8 43 E3 78 D1 81 C9 07 81 0C 9E 6F 97 7E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCR\JiSu.file]
"(Default)" = "字库文件 (.wlb)"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ksinput.exe]
"(Default)" = "%Program Files%\KS2015010306\V21860\KS21860.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\JiSu.file\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Entry" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"KS21860.exe" = "%Program Files%\KS2015010306\V21860\KS21860.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KS21860.exe" = "%Program Files%\KS2015010306\V21860\KS21860.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process KS21860.exe:136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 F7 4D 38 C6 D9 56 01 BE E1 BF 88 AD 61 87 06"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"Config" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
"Count" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\JisuSoft\KusuInput\3.0]
"CRand" = "903"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:1540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 88 C8 C6 4E BF 5E 62 D1 E8 C0 D0 FB BF 07 30"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process CreateShortcut.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 50 A3 89 D3 22 50 E5 DA C4 CB 38 09 66 2D 34"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

Dropped PE files

MD5 File path
9ec7343e965f1f5da63daa34515be40e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\CreateShortcut.exe
678e0ebb76fd1af1fce5ac082d682f94 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\Furt.exe
254f13dfd61c5b7d2119eb2550491e1d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\NSISdl.dll
cba2bb678b7095db0d11c997c953903c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\OneDay.exe
144bd6f3a3e1e040ffb03648e49c366d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nscB4.tmp\ksimekusu_zhim_007.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: traensparyent
Product Version:
Legal Copyright: ???? (C) 2014
Legal Trademarks:
Original Filename: traensparyent setup
Internal Name: traensparyent setup
File Version:
File Description:
Comments:
Language: Finnish (Finland)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23488 23552 4.48909 7ebfade271f75cb4c180603ab653af42
.rdata 28672 4496 4608 3.59139 9d6e96915262c9d1129a16fa0b02a19a
.data 36864 110456 1024 3.27356 dbf10679c897d0edeee280fffdad552f
.ndata 147456 40960 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 188416 70104 70144 4.18344 2d96061016ef26c79c77b41870e3a397

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://www.baidu.traensparyent.com.moyan.cc/db/appbd.txt 124.232.146.41


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile
GPL SHELLCODE x86 NOOP

Traffic

GET /db/appbd.txt HTTP/1.0
Host: VVV.baidu.traensparyent.com.moyan.cc
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Length: 1660
Content-Type: text/plain
Last-Modified: Tue, 30 Dec 2014 06:12:52 GMT
Accept-Ranges: bytes
ETag: "eee11fa5f723d01:fe4"
Server: IIS
X-Powered-By: WAF/2.0
Date: Sat, 03 Jan 2015 09:53:19 GMT
Connection: close
/*Setting*/..[ff1]..aa=OneDay..bb=OneDay.exe..cc=hXXp://124.232.152.11
9:18168/db/OneDay.zip..dd=..[ff2]..aa=lnk..bb=CreateShortcut.exe..cc=h
ttp://124.232.152.119:18168/db/CreateShortcut.zip..dd=..[ff3]..aa=....
..bb=ksimekusu_zhim_007.exe..cc=hXXp://124.232.152.119:18168/db/ksimek
usu_zhim_007.zip..dd=..[ff4]..aa=uc..bb=Browser_V3.0.1354.0_r_4182_(Bu
ild14092214).exe..cc=hXXp://124.232.152.119:18168/db/Browser_V3.0.1354
.0_r_4182_(Build14092214).zip..dd=..[ff500]..aa=sd..bb=bgrhf_30279.exe
..cc=hXXp://124.232.152.119:18168/db/bgrhf_30279.zip..dd=..[ff6]..aa=.
.......bb=-2406_1_mp.exe..cc=hXXp://124.232.152.119:18168/db/-2406_1_m
p.zip..dd=..[ff7]..aa=..............bb=jfzhzszm-1.exe..cc=hXXp://124.2
32.152.119:18168/db/jfzhzszm-1.zip..dd=..[ff700]..aa=....FM..bb=setup_
2948-180095.exe..cc=hXXp://124.232.152.119:18168/db/setup_2948-180095.
zip..dd=..[ff8]..aa=tqrl..bb=tqrl_93_2508.exe..cc=hXXp://124.232.152.1
19:18168/db/tqrl_93_2508.zip..dd=..[ff9]..aa=......bb=weather_b_90045.
exe..cc=hXXp://124.232.152.119:18168/db/weather_b_90045.zip..dd=..[ff1
0]..aa=..........bb=apples_19_2508.exe..cc=hXXp://124.232.152.119:1816
8/db/apples_19_2508.zip..dd=..[ff11]..aa=......bb=xueba_v2.1.0.0_1013.
exe..cc=hXXp://124.232.152.119:18168/db/xueba_v2.1.0.0_1013.zip..dd=..
[ff12]..aa=......bb=xksd_50091169079.exe..cc=hXXp://124.232.152.119:18
168/db/xksd_50091169079.zip..dd=..[ff13]..aa=......bb=zhezi_setup_Z853
.exe..cc=hXXp://124.232.152.119:18168/db/zhezi_setup_Z853.zip..dd=..[f
f14]..aa=......bb=CoolRAR1001.exe..cc=hXXp://124.232.152.119:18168

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Strings from Dumps

%original file name%.exe_1540:

.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\LOCALS~1\Temp\nscB4.tmp\NSISdl.dll
zhim_007.exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscB4.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscB4.tmp
V3.0.1354.0_r_4182_(Build14092214).zip
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
KERNEL32.DLL
comdlg32.dll
OLEAUT32.dll
oledlg.dll
SHLWAPI.dll
WININET.dll
WINSPOOL.DRV
RegEnumKeyW
.reloc
appbd.txt
_r_4182_(Build14092214).zip
14).exe
2014.09.15.113236
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscB4.tmp
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nscB4.tmp\traensparyent
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nshB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Browser_V3.0.1354.0_r_4182_(Build14092214).exe
hXXp://124.232.152.119:18168/db/Browser_V3.0.1354.0_r_4182_(Build14092214).zip
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
FFR.D9DD.CN
2.0.0.1
FreeFastRecovery.exe

KS21860.exe_136:

.text
`.rdata
@.data
.rsrc
@.reloc
E:\Calendar2.0.2.0\kssrf\code\build\x86\ksinput.pdb
SHLWAPI.dll
ShellExecuteW
SHELL32.dll
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCloseKey
RegOpenKeyW
RegCreateKeyW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
DeleteUrlCacheEntryW
WININET.dll
URLDownloadToFileW
urlmon.dll
MSVCP100.dll
sqlite3_open
sqlite3_close
sqlite3_get_table
sqlite3_free
sqlite3_free_table
sqlite3_exec
sqlite3.dll
Library.dll
?OnKeyDown@WindowImplBase@DUILIB@@UAEJIIJAAH@Z
?GetMessageMap@WindowImplBase@DUILIB@@MBEPBUDUI_MSGMAP@2@XZ
DirectUI.dll
MSVCR100.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
GetProcessHeap
.?AVTable@SQLite@@
.?AVUTF8MBSTR@SQLite@@
.?AVDatabase@SQLite@@
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
%USER%
ksinput.exe
config %d
config.exe
3.0.3.9*%s*%s*%s*0*1*0*0*0
3.0.3.9*%s*%s*%s*0*0*1*0*0
php.ijgnot/moc.8szmx.jtfrs//:ptth
%s?k=%s
select * from plugin where item=%d
n\plugin\plugin.db
CREATE TABLE "plugin" ("item" INTEGER PRIMARY KEY, "vers" INTEGER, "name" VARCHAR, "path" VARCHAR, "file" VARCHAR, "down" VARCHAR)
%s%s%d.zip
update plugin set ver=%d, name='%s', path='%s', file='%s' down='%s' where item=%d
insert into plugin(item,vers,name,path,file,down) values(%d,%d,'%s','%s','%s','%s')
update plugin set vers=%d, name='%s', path='%s', file='%s', down='%s' where item=%d
php.gifnoc/moc.8szmx.afuruhs//:ptth
%s?v=3.0.3.9&t=1&x=%s&c=%d
20150103
3.0.3.9


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    install.exe:352
    OneDay.exe:340
    ksimekusu_zhim_007.exe:680
    KS21860.exe:136
    %original file name%.exe:1540
    CreateShortcut.exe:1500

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\nsis.dll (3616 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\中文之星双拼.ini (526 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\wordlib\sys.wlb (39329 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\bg_main.png (4 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\bg_status.png (4 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\Ìáʾ.ini (960 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\zi\hzjf.dat (784 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\设置.lnk (826 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\蓝天双拼.ini (912 bytes)
    %Program Files%\KS2015010306\V21860\imeunit.exe (4992 bytes)
    %Documents and Settings%\%current user%\Application Data\kusuInput\phrase\ÎҵĶÌÓï.ini (24 bytes)
    %Program Files%\KS2015010306\V21860\msvcr100.dll (25824 bytes)
    %Program Files%\KS2015010306\V21860\uninst.exe (838 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\theme.ini (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\System.dll (11 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\line.png (143 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeSkin.dll (1552 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\ĬÈÏÖ÷Ìâ\buttons.png (5 bytes)
    %Program Files%\KS2015010306\V21860\install.exe (1856 bytes)
    %Program Files%\KS2015010306\V21860\imetool.exe (6360 bytes)
    %Program Files%\KS2015010306\V21860\imeword.exe (4992 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\固顶字.ini (6 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeTool.dll (2392 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\zi\j2f.dat (11048 bytes)
    %Program Files%\KS2015010306\V21860\msvcp100.dll (14184 bytes)
    %Program Files%\KS2015010306\V21860\nsis.dll (3616 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeMini.dll (5064 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\智能ABC双拼.ini (686 bytes)
    %Program Files%\KS2015010306\V21860\sqlite3.dll (22192 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\plugin.db (2 bytes)
    %Program Files%\KS2015010306\V21860\DirectUI.dll (22192 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\DOS双拼.ini (674 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\修复.lnk (834 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\theme\menu_buttons.bmp (920 bytes)
    %Program Files%\KS2015010306\V21860\KS21860.exe (7192 bytes)
    %Documents and Settings%\%current user%\Application Data\kusuInput\wordlib\user.wlb (3 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\中文符号.ini (560 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\双拼.ini (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\快速拼音输入法\卸载.lnk (621 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\拼音加加双拼.ini (538 bytes)
    %System%\ksime.ime (126018 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\微软双拼.ini (682 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\phrase\系统短语库.ini (784 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\ini\自然码双拼.ini (580 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\zi\hzpy.dat (18424 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeWord.dll (1552 bytes)
    %Program Files%\KS2015010306\V21860\atl100.dll (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxBA.tmp\KillProcDLL.dll (4 bytes)
    %Program Files%\KS2015010306\V21860\config.exe (11344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshB9.tmp (285959 bytes)
    %Program Files%\KS2015010306\V21860\Library.dll (5064 bytes)
    %Documents and Settings%\All Users\Application Data\kusuInput\plugin\ImeUnit.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\appbd.txt (1660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\ksimekusu_zhim_007.exe (229152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\Browser_V3.0.1354.0_r_4182_(Build14092214).exe (314625 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\CreateShortcut.exe (13850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\Furt.exe (16944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscB4.tmp\OneDay.exe (122112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nshB3.tmp (19754 bytes)
    %Documents and Settings%\%current user%\Desktop\影视大全.lnk (1 bytes)
    %Program Files%\Favorite\ico\123.ico (3 bytes)
    %Program Files%\Favorite\ico\360.ico (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsyB6.tmp (13218 bytes)
    %Program Files%\Favorite\ico\tb1.ico (15 bytes)
    %Program Files%\Favorite\ico\ay.ico (784 bytes)
    %Documents and Settings%\%current user%\Desktop\hao123网址导航.lnk (1 bytes)
    %Program Files%\Favorite\ico\sg1.ico (9 bytes)
    %Documents and Settings%\%current user%\Desktop\Internet Explroer.lnk (1 bytes)
    %Documents and Settings%\%current user%\Desktop\Ëѹ·ÍøÖ·µ¼º½.lnk (1 bytes)
    %Documents and Settings%\%current user%\Desktop\360ÍøÖ·µ¼º½.lnk (1 bytes)
    %Documents and Settings%\%current user%\Desktop\°®ÌÔ±¦.lnk (1 bytes)
    %Program Files%\Favorite\ico\movie.ico (12536 bytes)
    %Program Files%\Favorite\ico\ie.ico (784 bytes)
    %Program Files%\Favorite\ico\23451.ico (9 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "KS21860.exe" = "%Program Files%\KS2015010306\V21860\KS21860.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "KS21860.exe" = "%Program Files%\KS2015010306\V21860\KS21860.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
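Steps 1, 3 and 4 above are mechanical enough to script. The following Python is an added example, not part of the Lavasoft report: run without arguments on the affected Windows host it only reports which of the listed processes, files and Run values are present; with `--remove` it terminates the processes, deletes the files and drops the two Run values. It assumes Python 3 running as Administrator, it encodes only a representative subset of the file list (extend `FILE_IOCS` from the list above as needed), and the mapping of the report's `%Program Files%`, `%System%`, `%Documents and Settings%` and `%current user%` placeholders to real folders in `windows_env()` is an assumption about the XP layout the sandbox used. The registry check compares the value data with the expected path rather than trusting the value name alone, so an unrelated value that happens to be called `KS21860.exe` is left untouched.

```python
"""Audit a Windows host for the indicators in the removal steps above and,
with --remove, carry out steps 1, 3 and 4.  Added example; run as Administrator."""
import os
import subprocess
import sys
from typing import Callable, Dict, List

# Indicators copied from the removal steps; %...% placeholders are the report's own notation.
PROCESS_NAMES = ["install.exe", "OneDay.exe", "ksimekusu_zhim_007.exe",
                 "KS21860.exe", "CreateShortcut.exe"]
RUN_VALUE_NAME = "KS21860.exe"
RUN_VALUE_DATA = r"%Program Files%\KS2015010306\V21860\KS21860.exe"
RUN_KEYS = [("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
            ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")]
FILE_IOCS = [  # representative subset of the file list above
    r"%Program Files%\KS2015010306\V21860\KS21860.exe",
    r"%Program Files%\KS2015010306\V21860\config.exe",
    r"%System%\ksime.ime",
    r"%Documents and Settings%\All Users\Application Data\kusuInput\plugin\plugin.db",
    r"%Documents and Settings%\%current user%\Desktop\Internet Explroer.lnk",
    r"%Program Files%\Favorite\ico\360.ico",
]


def expand_placeholders(path: str, env: Dict[str, str]) -> str:
    """Replace the report's %...% placeholders with the concrete values in env."""
    for key, value in env.items():
        path = path.replace("%" + key + "%", value)
    return path


def windows_env() -> Dict[str, str]:
    """Placeholder values for this machine (ASSUMES the XP-style layout the report uses)."""
    profile = os.environ.get("USERPROFILE", r"C:\Documents and Settings\user")
    return {
        "Program Files": os.environ.get("ProgramFiles", r"C:\Program Files"),
        "System": os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), "system32"),
        "Documents and Settings": os.path.dirname(profile),
        "current user": os.path.basename(profile),
    }


def present_files(env: Dict[str, str],
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Expanded IOC paths that exist on disk; `exists` is injectable for offline testing."""
    return [p for p in (expand_placeholders(f, env) for f in FILE_IOCS) if exists(p)]


def run_value_hits(env: Dict[str, str]) -> List[str]:
    """Run keys whose KS21860.exe value points at the installed binary (Windows only)."""
    import winreg  # only available on Windows, hence imported here
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    expected = expand_placeholders(RUN_VALUE_DATA, env).lower()
    hits = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                data, _ = winreg.QueryValueEx(key, RUN_VALUE_NAME)
        except FileNotFoundError:  # key or value absent
            continue
        if str(data).strip('"').lower() == expected:
            hits.append(hive + "\\" + subkey)
    return hits


def remove(env: Dict[str, str]) -> None:
    """Steps 1, 3 and 4 of the manual removal, in that order."""
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    for name in PROCESS_NAMES:  # step 1: taskkill simply reports when nothing matches
        subprocess.call(["taskkill", "/F", "/IM", name])
    for path in present_files(env):  # step 3
        os.remove(path)
        print("deleted", path)
    for hit in run_value_hits(env):  # step 4
        hive, subkey = hit.split("\\", 1)
        with winreg.OpenKey(hives[hive], subkey, 0, winreg.KEY_SET_VALUE) as key:
            winreg.DeleteValue(key, RUN_VALUE_NAME)
        print("removed Run value from", hit)


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the affected Windows host")
    env = windows_env()
    print("files present:", present_files(env))
    print("Run values present:", run_value_hits(env))
    if "--remove" in sys.argv:
        remove(env)
```

Run it once without `--remove` and keep the output: the list of what was present is the evidence you will want if the host is later reviewed, and it confirms the placeholder mapping resolved to the directories you expected before anything is deleted.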
