Trojan.NSIS.StartPage_a5deadb6a4

by malwarelabrobot on August 3rd, 2013 in Malware Descriptions.

Trojan-Dropper.Win32.Delf.ahi (Kaspersky), BehavesLike.Win32.Malware.ahc (mx-v) (VIPRE), P2P-Worm.Win32.Delf!IK (Emsisoft), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, P2P-Worm


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: a5deadb6a435eb232107e0d8504cb5ef
SHA1: b25eab4073566a95d78c6a7723be05ddb1eea03b
SHA256: 9a3cb836e41e125dee77fdbdbb7500cd9a32ef5f9f3d1970932c7d9e689e1c86
SSDeep: 6144:Eso yfd y64rRBJ1eP0No Gd9amuIV/iG6EYCwT8GUv7fNu7JVNKn8OPOZk:qo4rRY0ab3z5V/zQ0sJSMZk
Size: 386785 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ikfpap.exe:2376
pbbbdk.exe:2244
kjbhsdfh.exe:1840
kjbhsdfh.exe:1100
winhlp.exe:868
ahhdhfklhsd.exe:3744
lbiuidfajhk.exe:3768
cmxrur.exe:3056
QvodSetup3.5.0.63.exe:3628
wwxugl.exe:2440
iofraq.exe:2132
net.exe:1824
net.exe:564
net.exe:424
net1.exe:2096
net1.exe:1672
net1.exe:1188
ipconfig.exe:4052
cjuern.exe:2620
ping.exe:2520
ping.exe:3200
taskkill.exe:3060
taskkill.exe:2356
yydtjx.exe:260
svhost.exe:3104
QvodSetupPlus_old.exe:3712
lhjvjkdfah.exe:3900
sc.exe:2124
Reader_sl.exe:1064
ogtht.exe:404
a5deadb6a435eb232107e0d8504cb5ef.exe:2004

The Trojan injects its code into the following process(es):

zohfdsb.exe:1336
winhlp.exe:1204
luiahdfsf.exe:3916
kldsfhb.exe:1204
QvodPlayer.exe:2016
ogtht.exe:1684
oqqbis.exe:840

File activity

The process zohfdsb.exe:1336 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\cjuern.exe (7296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\87W9GR2J\desktop.ini (67 bytes)
%System%\pbbbdk.exe (7296 bytes)
%System%\cmxrur.exe (2296 bytes)
%System%\Configs (225 bytes)
%System%\oqqbis.exe (2200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9F8ZLKU\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\17TRGW94\desktop.ini (67 bytes)
%System%\yydtjx.exe (6168 bytes)
%System%\iofraq.exe (7296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEJGDMN\desktop.ini (67 bytes)
%System%\ikfpap.exe (19592 bytes)
%System%\wwxugl.exe (7296 bytes)

The process pbbbdk.exe:2244 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe.bak (87 bytes)

The Trojan deletes the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe (0 bytes)

The process kjbhsdfh.exe:1100 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\ogtht.exe (44 bytes)
C:\MyTemp (23 bytes)

The Trojan deletes the following file(s):

%WinDir%\ms.ini (0 bytes)

The process winhlp.exe:1204 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Cookies\index.dat (4656 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][1].txt (202 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\66.5173sf[1].htm (11787 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\OCFXKJHVFJNGG1[1].jpg (6466 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\828kk[1].htm (4403 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\T17SEmXeFeXXXXXXXX_!!0-item_pic_jpg_220x10000[1].jpg (3310 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\stat[1].php (6068 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][2].txt (951 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\szxinmeng[1].htm (5465 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][1].txt (504 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\stat[1].php (337 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ad[1].js (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\stylebdt[1].css (337 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\click[2].htm (25 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\cnzz_core[1].php (468 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\szxinmeng[1].htm (2730 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\828kk[1].htm (1877 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\991dc[2].htm (736 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\gg[1].jpg (5519 bytes)
%Documents and Settings%\LocalService\Cookies\system@mmstat[1].txt (168 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\click[1].htm (25 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Footer[1].css (1391 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\yb3658[1].htm (892 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ac[1].js (373 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\T17SEmXeFeXXXXXXXX_!!0-item_pic_jpg_220x10000[1].jpg (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\click[1].htm (50 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\dffhgfh[1].jpg (6974 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][1].txt (161 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\pic[1].gif (719 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\style[1].css (675 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\991dc[1].htm (2478 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\stat[1].gif (43 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\ac[1].htm (747 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\style[1].css (1350 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][2].txt (302 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\991dc[1].htm (1727 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][1].txt (558 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\ac[1].js (373 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\EU00HOZ0V46EY560P3Y[1].jpg (40336 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\ad[1].js (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\991dc[1].htm (2540 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\ac[1].js (373 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\991dc[2].htm (954 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\T17SEmXeFeXXXXXXXX_!!0-item_pic_jpg_220x10000[1].jpg (3310 bytes)
%Documents and Settings%\LocalService\Cookies\system@cnzz[1].txt (163 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\991dc[1].htm (2554 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\count2[1].gif (2 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\ac[1].htm (1494 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\OCFXKJHVFJNGG[1].jpg (3672 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\stylebdt[1].css (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\OCFXKJHVFJNGG1[1].jpg (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\828kk[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\T17SEmXeFeXXXXXXXX_!!0-item_pic_jpg_220x10000[1].jpg (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\stat[1].php (0 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][2].txt (0 bytes)
%System%\winhlp.txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\szxinmeng[1].htm (0 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\MSHist012013080220130803 (0 bytes)
%System%\yydtjx.exe (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\CA2BO5EZ.htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\stat[1].php (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\click[2].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\cnzz_core[1].php (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\991dc[1].htm (0 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\szxinmeng[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\991dc[2].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\gg[1].jpg (0 bytes)
%Documents and Settings%\LocalService\Local Settings\History\History.IE5\MSHist012013080220130803\index.dat (0 bytes)
%Documents and Settings%\LocalService\Cookies\system@mmstat[1].txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Footer[1].css (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\yb3658[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ac[1].js (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\click[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\dffhgfh[1].jpg (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\EU00HOZ0V46EY560P3Y[1].jpg (0 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\pic[1].gif (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\style[1].css (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\991dc[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\stat[1].gif (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\ac[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\style[1].css (0 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\991dc[1].htm (0 bytes)
%Documents and Settings%\LocalService\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\ac[1].js (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ad[1].js (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\ad[1].js (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\991dc[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\ac[1].js (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\CAM7MRA9.htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\991dc[2].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\T17SEmXeFeXXXXXXXX_!!0-item_pic_jpg_220x10000[1].jpg (0 bytes)
%Documents and Settings%\LocalService\Cookies\system@cnzz[1].txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\count2[1].gif (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\ac[1].htm (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\OCFXKJHVFJNGG[1].jpg (0 bytes)

The process ahhdhfklhsd.exe:3744 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\Infortmp.txt (980 bytes)

The process cmxrur.exe:3056 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\svhost.exe (63 bytes)

The process QvodSetup3.5.0.63.exe:3628 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\QvodSetupPlus_old.exe (292652 bytes)
%WinDir%\lhjvjkdfah.exe (22050 bytes)
%WinDir%\lhgbdbsdfi.exe (6473 bytes)
%WinDir%\ahhdhfklhsd.exe (12298 bytes)
%WinDir%\luiahdfsf.exe (12626 bytes)
%WinDir%\lbiuidfajhk.exe (73557 bytes)

The process wwxugl.exe:2440 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe.bak (87 bytes)
%Program Files%\DNSProtectSupport\svchost.exe (18660 bytes)

The Trojan deletes the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe (0 bytes)
%Program Files%\DNSProtectSupport\svchost.exe.bak (0 bytes)

The process iofraq.exe:2132 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe.bak (87 bytes)
%Program Files%\DNSProtectSupport\svchost.exe (18660 bytes)

The Trojan deletes the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe.bak (0 bytes)

The process cjuern.exe:2620 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe.bak (87 bytes)
%Program Files%\DNSProtectSupport\svchost.exe (18660 bytes)

The Trojan deletes the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe (0 bytes)
%Program Files%\DNSProtectSupport\svchost.exe.bak (0 bytes)

The process yydtjx.exe:260 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%System%\winhlp.txt (31 bytes)
%System%\winhlp.exe (673 bytes)

The process luiahdfsf.exe:3916 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Cursors\taskhost.exe (113 bytes)

The process QvodSetupPlus_old.exe:3712 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\LangDLL.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\qvod1.ini (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\QvodInit.exe (3963 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\ioSpecial.ini (4631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\modern-wizard.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\InstallOptions.dll (14 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (0 bytes)

The process kldsfhb.exe:1204 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%System%\2C8602B4.tmp (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C864500.log (2500 bytes)
%Documents and Settings%\Infortmp.txt (980 bytes)

The process QvodPlayer.exe:2016 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\QvodSetup3.5.0.63.exe.!qd (814711 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C__WINDOWS_QvodSetup3.5.0.63.exe.mem (9548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\C__WINDOWS_QvodSetup3.5.0.63.exe.torrent (196 bytes)

The process lhjvjkdfah.exe:3900 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe.bak (87 bytes)
%Program Files%\DNSProtectSupport\svchost.exe (18660 bytes)

The Trojan deletes the following file(s):

%Program Files%\DNSProtectSupport\svchost.exe (0 bytes)
%Program Files%\DNSProtectSupport\svchost.exe.bak (0 bytes)

The process ogtht.exe:1684 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\9418.cpl (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8061.cpl (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\9418.cpl (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9F8ZLKU\Count[1].htm (0 bytes)
%WinDir%\ms.ini (0 bytes)
%WinDir%\kjbhsdfh.exe (0 bytes)
C:\MyTemp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\8061.cpl (0 bytes)

The process a5deadb6a435eb232107e0d8504cb5ef.exe:2004 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\kjbhsdfh.exe (6406 bytes)
%WinDir%\QvodPlayer.exe (17643 bytes)
%WinDir%\zohfdsb.exe (6473 bytes)
%WinDir%\kldsfhb.exe (12067 bytes)

The process oqqbis.exe:840 makes changes to the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\17TRGW94\15605566[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\87W9GR2J\17tj[1].htm (104 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\87W9GR2J\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (441 bytes)
%System%\drivers\etc\hosts (1260 bytes)
%Program Files%\QQNews\QQNews.exe (60 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\17TRGW94\15605569[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEJGDMN\h[1].txt (1130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEJGDMN\htj[1].htm (104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UG1.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UG1.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)

Registry activity

The process ikfpap.exe:2376 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 76 A9 C6 7B 5C 12 44 B8 0D DA 65 4B 4A BD 1C"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDPI]
"FontSize" = "20121221"

The process zohfdsb.exe:1336 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 41 E9 4A 31 E4 3D 09 DD 10 88 0C 5C F5 64 50"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone settings so that all local hosts with no dots in their names that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all hosts that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) from the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process pbbbdk.exe:2244 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 25 44 5A 10 CF 16 B7 2E E7 1D 85 4D 2E 7D 58"

The process kjbhsdfh.exe:1840 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 71 F9 49 14 68 3C 12 C1 9A AC 89 8C 55 64 D9"

The process kjbhsdfh.exe:1100 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 11 1F 0F BC 22 49 0F 14 8E 47 5D 29 1B 85 16"

The process winhlp.exe:868 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 A3 AE 02 62 50 BC C8 08 4A A1 56 71 86 4D E1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\winhlp]
"EventMessageFile" = "%System%\winhlp.exe internal_start"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\winhlp]
"TypesSupported" = "7"

The process winhlp.exe:1204 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013080220130803]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013080220130803]
"CacheRepair" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013080220130803]
"CachePrefix" = ":2013080220130803:"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013080220130803]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013080220130803\"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 44 2C BB 5A A8 3F AD D6 87 7D C7 55 4D 6C 97"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013080220130803]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone settings to map all URLs to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all local hosts with no dots in their names that are not assigned to any other zone are mapped to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are placed in the Local Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan deletes the following registry key(s):

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013080220130803]
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130212]

The Trojan deletes the following value(s) in the system registry, clearing any configured proxy server, bypass list and auto-config URL:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

The process ahhdhfklhsd.exe:3744 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry (the Cryptography\RNG "Seed" value is rewritten by CryptoAPI whenever a process draws random bytes, which is why it appears under almost every process in this report; it is sandbox noise, not a deliberate change):

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 FC 26 3D B0 89 CF F5 FD C6 60 82 D0 51 38 51"

The process lbiuidfajhk.exe:3768 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 36 52 69 AD A7 43 94 D5 83 4D AD 7A 0E 32 21"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDPI]
"FontSize" = "20121221"

The process cmxrur.exe:3056 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 94 48 B4 58 02 5C 5A CC BA A8 59 D6 BC 62 E3"

The process QvodSetup3.5.0.63.exe:3628 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC CB 3D 9F 58 D3 DA C8 2B 88 DE 74 9B AC 6D 72"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"lhgbdbsdfi.exe" = "lhgbdbsdfi"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"lhjvjkdfah.exe" = "lhjvjkdfah"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"lbiuidfajhk.exe" = "lbiuidfajhk"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"ahhdhfklhsd.exe" = "ahhdhfklhsd"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"luiahdfsf.exe" = "luiahdfsf"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"QvodSetupPlus_old.exe" = "QvodSetup"

The Trojan modifies IE security-zone settings so that host names without dots that are not assigned to another zone are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings so that all UNC network paths are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process wwxugl.exe:2440 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 DB B2 A7 36 B3 BC 22 74 B3 F5 C5 77 DA 84 17"

The process iofraq.exe:2132 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 08 4B F1 67 90 C5 C8 84 E2 F4 11 F3 C9 4D 20"

The process net.exe:1824 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E AE D5 65 3D E6 37 70 D8 0C 8B E9 B7 DE 1F FF"

The process net.exe:564 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 A6 73 62 81 29 07 21 B5 DD 58 A3 0E 2E 9D 05"

The process net.exe:424 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 0A DD 6C 84 01 06 50 2F D3 F8 9C 7D 21 39 38"

The process net1.exe:2096 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 D1 F0 F5 71 62 85 21 50 74 BD B3 A4 F6 5A 02"

The process net1.exe:1672 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 B1 2F 94 23 60 0C 32 44 07 06 C8 0B 17 C3 CB"

The process net1.exe:1188 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 97 5C 1E 94 D7 39 CA 06 6B 84 89 CE 05 9B 89"

The process ipconfig.exe:4052 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry (the Tracing\Microsoft\* and Eventlog\Application\ESENT entries look like standard Windows tracing and event-source registration performed by system libraries loaded into the process, not Trojan-specific changes):

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 36 EF 22 AA 31 8C A3 B1 8B ED B8 A1 D1 05 33"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process cjuern.exe:2620 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF AE 29 D7 80 47 32 AD E4 3B E2 CB FC 45 E8 86"

The process ping.exe:2520 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 FC 6C D9 7F 71 83 B0 99 76 E6 C7 55 5D 42 B6"

The process ping.exe:3200 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C EF EC 37 B0 88 75 4A 32 7B B7 D2 D6 88 22 DD"

The process taskkill.exe:3060 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 54 B8 74 C1 09 FC EC B0 67 C7 D6 23 53 B9 F1"

The process taskkill.exe:2356 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 95 6E 64 A1 1B B6 5A 7F 9A 3D 0D 0C 6E 7D 08"

The process yydtjx.exe:260 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 B7 F1 FB 56 43 A8 EF CD 06 00 5B 67 4F 24 A3"

The process svhost.exe:3104 makes changes to the system registry (note the file name: svhost.exe is a look-alike of the legitimate svchost.exe).
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 17 B6 51 A1 01 83 95 EF 52 23 1B 7E A0 71 B8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all UNC network paths are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy use is disabled, so connections go direct rather than through any configured proxy:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that host names without dots that are not assigned to another zone are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry, clearing any configured proxy server, bypass list and auto-config URL:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process luiahdfsf.exe:3916 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 95 AF 17 BA E4 8D 69 DF 13 6D 53 28 13 A4 81"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all UNC network paths are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy use is disabled, so connections go direct rather than through any configured proxy:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that host names without dots that are not assigned to another zone are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry, clearing any configured proxy server, bypass list and auto-config URL:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process QvodSetupPlus_old.exe:3712 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 BE 62 46 93 4A 60 A7 A4 64 6D F0 EE 1B 9B 49"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process kldsfhb.exe:1204 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 C9 BE 9D EB 98 11 03 5B 86 38 F7 53 18 AA 8C"

The process QvodPlayer.exe:2016 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 01 29 70 8E 9B 73 E4 A8 81 27 0B 65 F7 1F FE"

Adds a Windows Firewall application exception that lets the program accept unsolicited inbound connections on any port from any address (the value layout is path:scope:state:name, and a scope of "*" means all addresses):

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%WinDir%]
"QvodPlayer.exe" = "%WinDir%\QvodPlayer.exe:*:Enabled:QVOD"

The process lhjvjkdfah.exe:3900 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 81 E5 2C F9 EB 51 F8 76 49 37 D1 3D C7 B2 5B"

The process sc.exe:2124 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 07 61 38 8D 89 D1 B2 31 47 0D 4F CD 66 E6 1E"

The process Reader_sl.exe:1064 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process ogtht.exe:404 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 86 DC 13 BE 14 34 9D C0 A1 6A 1F 68 DA 0A 7A"

The process ogtht.exe:1684 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

To run at every interactive logon, the Trojan appends its file to the Winlogon Userinit list (winlogon.exe launches each comma-separated program listed here after logon; only %System%\userinit.exe belongs there):

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\userinit.exe,%WinDir%\ogtht.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF EE 52 E9 26 85 0D 67 75 A8 6D 0A 15 54 42 F7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security-zone settings so that all UNC network paths are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy use is disabled, so connections go direct rather than through any configured proxy:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that host names without dots that are not assigned to another zone are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in the system registry, clearing any configured proxy server, bypass list and auto-config URL:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

The process a5deadb6a435eb232107e0d8504cb5ef.exe:2004 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 8F 75 C8 71 0A E3 57 EB 6C E8 25 EB DA B0 6A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"QvodPlayer.exe" = "QvodInstall Module"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"kldsfhb.exe" = "kldsfhb"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"zohfdsb.exe" = "zohfdsb"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"kjbhsdfh.exe" = "adsgvacvadrdrfv"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security-zone settings so that host names without dots that are not assigned to another zone are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security-zone settings so that all UNC network paths are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The process oqqbis.exe:840 makes changes to the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 0D FB A8 0E CD CA 3A 26 80 87 03 81 16 19 85"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all UNC network paths are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all sites that bypass the proxy server are placed in the Local Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run automatically each time Windows boots, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"QQNews" = "%Program Files%\QQNews\QQNews.exe /r"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://69.42.219.3/
hxxp://69.42.219.3/style.css
hxxp://69.42.219.3/ad.js
hxxp://122.224.9.20/ac.htm
hxxp://112.91.173.118/?111731620
hxxp://122.224.9.20/ac.js
hxxp://115.239.226.88/
hxxp://222.191.251.102/click.aspx?id=94681822&logo=2
hxxp://69.42.219.3/images/EU00HOZ0V46EY560P3Y.jpg
hxxp://112.91.173.118/
hxxp://www.828kk.com/ 115.239.224.157
hxxp://124.232.158.224/gg.jpg
hxxp://222.191.251.102/count2.gif
hxxp://69.42.219.3/images/T17SEmXeFeXXXXXXXX_!!0-item_pic_jpg_220x10000.jpg
hxxp://c.cnzz.com/stat.php?id=4262662&web_id=4262662&show=pic
hxxp://222.191.251.102/sa.htm?id=94681822&refe=&location=http://www.szxinmeng.com/&color=32x&resolution=1024x768&returning=0&language=en-us&ua=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
hxxp://66.5173sf.com/ 183.60.141.89
hxxp://69.42.219.3/images/OCFXKJHVFJNGG.jpg
hxxp://z5.cnzz.com/stat.htm?id=4262662&r=http://www.szxinmeng.com/&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=1802383217-1375477871-http://aaa.hfayx.com&showp=1024x768&st=0&sin=http://www.szxinmeng.com/&rnd=1532060612
hxxp://69.42.219.3/images/OCFXKJHVFJNGG1.jpg
hxxp://c.cnzz.com/cnzz_core.php?web_id=4262662&show=pic&l=none
hxxp://count38.51yes.com/click.aspx?id=386892767&logo=12 61.147.67.174
hxxp://count38.51yes.com/sa.htm?id=386892767&refe=http://aaa.hfayx.com/ac.htm&location=http://www.828kk.com/&color=32x&resolution=1024x768&returning=0&language=en-us&ua=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
hxxp://66.5173sf.com/Images/Footer.css
hxxp://69.42.219.3/images/dffhgfh.jpg
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1149863104
hxxp://icon.cnzz.com/pic.gif 42.121.103.217
hxxp://66.5173sf.com/Images/stylebdt.css
hxxp://pcookie.split.cnzz.com/app.gif?&cna=cA6DCm5T/zACAbhrJiYna2Wp
s23.cnzz.com 1.99.192.16
hzs23.cnzz.com 42.156.140.18
fz30000.dnscccaa.com 122.224.32.196
pcookie.cnzz.com 42.121.149.44
cnzz.mmstat.com 42.121.149.43
youremax.com Unresolvable


Rootkit activity

Using the driver "%System%\QQuzKK.sys", the Trojan controls the loading of executable images into memory by installing a load-image notify routine.

The Trojan installs the following kernel-mode hooks:

IoGetAttachedDevice
KeInitializeApc
MmFlushImageSection

The Trojan replaces IRP handlers in the file system driver (NTFS) to control file operations:

MJ_CREATE
MJ_DIRECTORY_CONTROL

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ikfpap.exe:2376
    pbbbdk.exe:2244
    kjbhsdfh.exe:1840
    kjbhsdfh.exe:1100
    winhlp.exe:868
    ahhdhfklhsd.exe:3744
    lbiuidfajhk.exe:3768
    cmxrur.exe:3056
    QvodSetup3.5.0.63.exe:3628
    wwxugl.exe:2440
    iofraq.exe:2132
    net.exe:1824
    net.exe:564
    net.exe:424
    net1.exe:2096
    net1.exe:1672
    net1.exe:1188
    ipconfig.exe:4052
    cjuern.exe:2620
    ping.exe:2520
    ping.exe:3200
    taskkill.exe:3060
    taskkill.exe:2356
    yydtjx.exe:260
    svhost.exe:3104
    QvodSetupPlus_old.exe:3712
    lhjvjkdfah.exe:3900
    sc.exe:2124
    ogtht.exe:404
    a5deadb6a435eb232107e0d8504cb5ef.exe:2004

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %System%\cjuern.exe (7296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\87W9GR2J\desktop.ini (67 bytes)
    %System%\pbbbdk.exe (7296 bytes)
    %System%\cmxrur.exe (2296 bytes)
    %System%\Configs (225 bytes)
    %System%\oqqbis.exe (2200 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9F8ZLKU\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\17TRGW94\desktop.ini (67 bytes)
    %System%\yydtjx.exe (6168 bytes)
    %System%\iofraq.exe (7296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEJGDMN\desktop.ini (67 bytes)
    %System%\ikfpap.exe (19592 bytes)
    %System%\wwxugl.exe (7296 bytes)
    %Program Files%\DNSProtectSupport\svchost.exe.bak (87 bytes)
    %WinDir%\ogtht.exe (44 bytes)
    C:\MyTemp (23 bytes)
    %Documents and Settings%\LocalService\Cookies\index.dat (4656 bytes)
    %Documents and Settings%\LocalService\Cookies\[email protected][1].txt (202 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\66.5173sf[1].htm (11787 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\OCFXKJHVFJNGG1[1].jpg (6466 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\828kk[1].htm (4403 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\T17SEmXeFeXXXXXXXX_!!0-item_pic_jpg_220x10000[1].jpg (3310 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\stat[1].php (6068 bytes)
    %Documents and Settings%\LocalService\Cookies\[email protected][2].txt (951 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\szxinmeng[1].htm (5465 bytes)
    %Documents and Settings%\LocalService\Cookies\[email protected][1].txt (504 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\stat[1].php (337 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\ad[1].js (1 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\stylebdt[1].css (337 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\click[2].htm (25 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\cnzz_core[1].php (468 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\szxinmeng[1].htm (2730 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\828kk[1].htm (1877 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\991dc[2].htm (736 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\gg[1].jpg (5519 bytes)
    %Documents and Settings%\LocalService\Cookies\system@mmstat[1].txt (168 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\click[1].htm (25 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Footer[1].css (1391 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\yb3658[1].htm (892 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\ac[1].js (373 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\T17SEmXeFeXXXXXXXX_!!0-item_pic_jpg_220x10000[1].jpg (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\click[1].htm (50 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\dffhgfh[1].jpg (6974 bytes)
    %Documents and Settings%\LocalService\Cookies\[email protected][1].txt (161 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\pic[1].gif (719 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\style[1].css (675 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\991dc[1].htm (2478 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\stat[1].gif (43 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\ac[1].htm (747 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\style[1].css (1350 bytes)
    %Documents and Settings%\LocalService\Cookies\[email protected][2].txt (302 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\991dc[1].htm (1727 bytes)
    %Documents and Settings%\LocalService\Cookies\[email protected][1].txt (558 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\ac[1].js (373 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\EU00HOZ0V46EY560P3Y[1].jpg (40336 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\ad[1].js (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\991dc[1].htm (2540 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\ac[1].js (373 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\991dc[2].htm (954 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\T17SEmXeFeXXXXXXXX_!!0-item_pic_jpg_220x10000[1].jpg (3310 bytes)
    %Documents and Settings%\LocalService\Cookies\system@cnzz[1].txt (163 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\991dc[1].htm (2554 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\count2[1].gif (2 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\ac[1].htm (1494 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\OCFXKJHVFJNGG[1].jpg (3672 bytes)
    %Documents and Settings%\Infortmp.txt (980 bytes)
    %Program Files%\svhost.exe (63 bytes)
    %WinDir%\QvodSetupPlus_old.exe (292652 bytes)
    %WinDir%\lhjvjkdfah.exe (22050 bytes)
    %WinDir%\lhgbdbsdfi.exe (6473 bytes)
    %WinDir%\ahhdhfklhsd.exe (12298 bytes)
    %WinDir%\luiahdfsf.exe (12626 bytes)
    %WinDir%\lbiuidfajhk.exe (73557 bytes)
    %System%\winhlp.txt (31 bytes)
    %System%\winhlp.exe (673 bytes)
    %WinDir%\Cursors\taskhost.exe (113 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\LangDLL.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\qvod1.ini (961 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\QvodInit.exe (3963 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\ioSpecial.ini (4631 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\modern-wizard.bmp (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr3.tmp\InstallOptions.dll (14 bytes)
    %System%\2C8602B4.tmp (93 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2C864500.log (2500 bytes)
    %WinDir%\QvodSetup3.5.0.63.exe.!qd (814711 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qd.ini (143 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\C__WINDOWS_QvodSetup3.5.0.63.exe.mem (9548 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\C__WINDOWS_QvodSetup3.5.0.63.exe.torrent (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\9418.cpl (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\8061.cpl (3 bytes)
    %WinDir%\kjbhsdfh.exe (6406 bytes)
    %WinDir%\QvodPlayer.exe (17643 bytes)
    %WinDir%\zohfdsb.exe (6473 bytes)
    %WinDir%\kldsfhb.exe (12067 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\17TRGW94\15605566[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\87W9GR2J\17tj[1].htm (104 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (594 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\87W9GR2J\icon_9[1].gif (893 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (441 bytes)
    %System%\drivers\etc\hosts (1260 bytes)
    %Program Files%\QQNews\QQNews.exe (60 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (3856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\17TRGW94\15605569[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEJGDMN\h[1].txt (1130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEJGDMN\htj[1].htm (104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UG1.tmp (1 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "QQNews" = "%Program Files%\QQNews\QQNews.exe /r"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
