Trojan.NSIS.StartPage_bf6acdba2a
Trojan-Downloader.Win32.AdLoad.dyca (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: bf6acdba2afc9df673bb32ba40761f4f
SHA1: 8476b437dd63bb1d4cd80192582dff7d8ee515f0
SHA256: baae88192bebbb8454be10e3f3536b2eb1907df5b2478d5c9b0a35f83fc2171b
SSDeep: 3072:DCuFP2lXIHDgXJFyFXJdn2k4iIhGZR/I2KKgMOZFMVkvCt1sZusvA2FhC6S9OZe:D183gJd2iRvLJkFMhtSjvAetjkFMhT
Size: 530833 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: QuickSet
Created at: 2009-12-06 00:53:24
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
dianxin_silent[108].exe:488
DianXin.exe:356
mkhoz_30071.exe:1044
wan.exe:2212
feng2_feng2.exe:2136
Online_70030.exe:1216
dianxin_silent[108].tmp:1944
The Trojan injects its code into the following process(es):
DianXin.exe:1384
%original file name%.exe:1564
wangame.exe:2204
File activity
The process dianxin_silent[108].exe:488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2FJ3S.tmp\dianxin_silent[108].tmp (3824 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-2FJ3S.tmp\dianxin_silent[108].tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-2FJ3S.tmp (0 bytes)
The process DianXin.exe:1384 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NxSmTlnGDI[2].js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\track[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a0[2].png (860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\LocalStorage[1].swf (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\track[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\track[2].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tip_close-ie-fs8[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wHFhxVDOgf[1].js (6527 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hao123[1] (10774 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jocMpDthgk[1].js (1892 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\www.hao123[1].xml (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\BkznmhpMso[2].js (447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qXQrXDtqtK[1].js (373 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\rCvuAIZSwy[2].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\BkznmhpMso[1].js (268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\9c487bb15d29a85bbb1e3be753292d9a[1].jpg (2848 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\track[2].js (1141 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s1.hao123img.com\index\swf\LocalStorage.swf\$hao123$.sxx (108 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\dtsSDXhCtS[2].css (6400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hao123[1].htm (11777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\newlogo-186X68[1].png (1740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\icon-0924-24[1].png (647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hqquumXJbL[1].css (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGXF.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\site-tip-fs8[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\blank[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\web_png8[1].png (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\eDZiFWIBdW[1].js (1783 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\lazy-loading[1].gif (2654 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\rCvuAIZSwy[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YMhABtwmXM[2].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DBOBEbZFBn[1].js (1887 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\hao.dianxin[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\gw_r[1].png (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\wHFhxVDOgf[1].js (6837 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com\settings.sxx (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hf_body_bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\4060fb9e8e3b198dc0ad6bc893169840[1].jpg (1015 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YMhABtwmXM[1].css (767 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\defaultIcon0708[1].png (895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\blank[1].gif (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\a0[1].png (1300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hao.dianxin[1] (698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\wYlsCemWIH[2].js (3466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\track[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VwPIXzctue[2].js (2978 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3780[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VwPIXzctue[1].js (1801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dwLPTGuQyL[1].js (2576 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dwLPTGuQyL[2].js (1362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NoRIgLJFap[1].js (710 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qpXxYmkMfH[1].js (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[2].txt (1879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\track[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\coolhint[1].png (463 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qXQrXDtqtK[2].js (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\wYlsCemWIH[1].js (3282 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\baidu-form[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\textlink-ads[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\dtsSDXhCtS[1].css (5557 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hqquumXJbL[2].css (1668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jd-1112[1].jpg (1014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\newforecast[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\track[1].js (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\newlogo-186X68-24[1].png (1026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jocMpDthgk[2].js (2031 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\blank[1].gif (98 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (1431 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\www.hao123[1].xml (314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NxSmTlnGDI[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sugdata[1].js (23 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\getinterest[1].htm (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index_icon[1].png (8406 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\eDZiFWIBdW[2].js (1394 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\erjiicon_png8[1].png (50 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\qpXxYmkMfH[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\de3fdf32bb95ce1ec76aa4c66b0509f3[1].jpg (3939 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\NoRIgLJFap[1].js (1618 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DBOBEbZFBn[2].js (2218 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a0[1].png (3061 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jocMpDthgk[1].js (0 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\www.hao123[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qXQrXDtqtK[1].js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a0[2].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\wYlsCemWIH[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hqquumXJbL[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\blank[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DBOBEbZFBn[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\rCvuAIZSwy[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\YMhABtwmXM[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\blank[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hao.dianxin[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\BkznmhpMso[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NoRIgLJFap[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\qpXxYmkMfH[1].js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\#SharedObjects\QEA5Z3QJ\s1.hao123img.com\index\swf\LocalStorage.swf\$hao123$.sxx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\a0[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\VwPIXzctue[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\dtsSDXhCtS[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dwLPTGuQyL[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\blank[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\track[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\NxSmTlnGDI[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\eDZiFWIBdW[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\wHFhxVDOgf[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[2].txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#s1.hao123img.com\settings.sol (0 bytes)
The process DianXin.exe:356 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xtpC.tmp (86 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\dxInfo_108[1].xml (2584 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (204 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (1096 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (204 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\setting.ini (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iedianxin[1].htm (161 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (8676 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\点心浏览器.lnk (646 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\dxInfo.dat (1777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\iedianxin[1].htm (161 bytes)
%Documents and Settings%\All Users\Desktop\点心浏览器.lnk (616 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[2].txt (165 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\index[1].php (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\index[1].php (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xtpC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
The process mkhoz_30071.exe:1044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\config.ini (91 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\cutm.exe.bdl (210172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\setupinfo.txt.bdtmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\KVNetInstallHelpler.dll (17848 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\BDMNet.dll.bdl (48700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmA.tmp (113000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\NetPluginInstallHelper.dll (3616 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp\BDMReport.dll.bdl (37222 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (16 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx9.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscB.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
The process wan.exe:2212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\drivers\operyuae.sys (102 bytes)
The process feng2_feng2.exe:2136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\wangame\skin\toolbar_hover.png (2 bytes)
%Program Files%\wangame\skin\美女主播.png (9 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\玩玩宝盒\玩玩宝盒.lnk (1181 bytes)
%Program Files%\wangame\skin\SubWnd.png (703 bytes)
%Program Files%\wangame\webzm.exe (7750 bytes)
%Program Files%\wangame\skin\y.bmp (486 bytes)
%Program Files%\wangame\wan.exe (6700 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\玩玩宝盒\卸载 玩玩宝盒.lnk (499 bytes)
%Program Files%\wangame\ubo.ub (278 bytes)
%Program Files%\wangame\ico.ico (1568 bytes)
%Program Files%\wangame\skin\left.jpg (11 bytes)
%Program Files%\wangame\skin\网页游戏.png (5 bytes)
%Program Files%\wangame\skin\bj.jpg (1 bytes)
%Program Files%\wangame\skin\背景.png (3 bytes)
%Program Files%\wangame\skin\center.jpg (10 bytes)
%Program Files%\wangame\update.exe (6405 bytes)
%Program Files%\wangame\uninst.exe (2718 bytes)
%Documents and Settings%\%current user%\Desktop\玩玩宝盒.lnk (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuE.tmp\System.dll (11 bytes)
%Program Files%\wangame\skin\ÃÃÃÃÓÎ÷.png (6 bytes)
%Program Files%\wangame\wangame.exe (7662 bytes)
%Program Files%\wangame\skin\line.bmp (1 bytes)
%Program Files%\wangame\Config.ini (24 bytes)
%Program Files%\wangame\skin\line1.bmp (1 bytes)
%Program Files%\wangame\skin\z.bmp (1 bytes)
%Program Files%\wangame\skin\line2.bmp (3 bytes)
%Program Files%\wangame\skin\娱乐八卦.png (7 bytes)
%Program Files%\wangame\skin\right.jpg (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuE.tmp\inetc.dll (20 bytes)
The Trojan deletes the following file(s):
%Program Files%\wangame\AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuE.tmp\reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuE.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuE.tmp\inetc.dll (0 bytes)
The process Online_70030.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\config.ini (92 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\tmpnz1y5w.dll (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu11.tmp (114659 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\BDMReport.dll.bdl (37808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\BDMDownload.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\setupinfo.txt.bdtmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp\BDMSkin.dll (36698 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse12.tmp (0 bytes)
The process dianxin_silent[108].tmp:1944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\DianXin\uninstall\is-ENCUQ.tmp (45 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\点心浏览器.lnk (684 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-PO1FV.tmp (1 bytes)
%Program Files%\DianXin\uninstall\is-VVH9U.tmp (62 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-0GLRI.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-0RVAF.tmp (318 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-2LQIU.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\setup_logo.bmp (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\_isetup\_shfoldr.dll (23 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\is-2HOPD.tmp (9 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-D7SQO.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp (4 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-DO4SH.tmp (3 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-UVIHD.tmp (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\install.ico (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\top_bk.bmp (601 bytes)
%Program Files%\DianXin\uninstall\is-N5RSQ.tmp (10 bytes)
%Program Files%\DianXin\uninstall\is-0A1U1.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-F1JU8.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-18T7E.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-OHHCM.tmp (198 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-0HFMK.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\changeDir_btn.bmp (5 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-OMJTG.tmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-M4ESF.tmp (1 bytes)
%Program Files%\DianXin\uninstall\is-4NMDH.tmp (4545 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-R6FHB.tmp (3 bytes)
%Program Files%\DianXin\unins000.msg (612 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-AML6V.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\setup_logo2.bmp (601 bytes)
%Documents and Settings%\All Users\Start Menu\点心浏览器.lnk (666 bytes)
%Program Files%\DianXin\uninstall\is-F4BQD.tmp (601 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-QS1Q3.tmp (894 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-HVS16.tmp (5 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-0KC4C.tmp (25 bytes)
%Program Files%\DianXin\uninstall\is-0GR1Q.tmp (10 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-821RN.tmp (318 bytes)
%Program Files%\DianXin\uninstall\is-AHG09.tmp (10 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-0951T.tmp (1 bytes)
%Program Files%\DianXin\is-AB5B6.tmp (5445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\setup_btn2.bmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\StretchLine.bmp (1 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-8KE9V.tmp (318 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\点心浏览器\点心浏览器.lnk (678 bytes)
%Program Files%\DianXin\is-QSP0R.tmp (7385 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-T11U5.tmp (318 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-71HVN.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\mainbk.bmp (4545 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\setting.ini (56 bytes)
%Documents and Settings%\%current user%\Application Data\DianXin\icon\is-6L7CL.tmp (1 bytes)
%Program Files%\DianXin\unins000.dat (18953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Documents and Settings%\All Users\Desktop\点心浏览器.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\setup_btn.bmp (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\setup_logo2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\mainbk.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\setup_logo.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\changeDir_btn.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\install.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\top_bk.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\setup_btn.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\setup_btn2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\StretchLine.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JJCGA.tmp\_isetup (0 bytes)
The process %original file name%.exe:1564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C1F94CD5CA263ECFB1A4BAB1B832C909 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ff[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\NiuZip_Setup_1.0_201042.exe (68691 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pabc_70030[1].exe (117794 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\hetwrx_30071[1].exe (95304 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\feng2_feng2[1].exe (39232 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\NiuZip_Setup_1.0_201042[1].exe (68691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\other[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\dianxin_silent[108].exe (63904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\mkhoz_30071.exe (95304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\config.txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\feng2_feng2.exe (39232 bytes)
%Program Files%\ffmovie\return.htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\dianxin_silent[108][1].exe (63904 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C1F94CD5CA263ECFB1A4BAB1B832C909 (180 bytes)
%Program Files%\ffmovie\uninst.exe (3014 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ffmovie\Uninstall.lnk (499 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\Online_70030.exe (117794 bytes)
The Trojan deletes the following file(s):
%Program Files%\ffmovie\{E1070104-F404-44CE-B556-0622F9D63EE5} (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp\1628736 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab3.tmp (0 bytes)
The process wangame.exe:2204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\107038[1].jpg (17360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\88650[1].jpg (22838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\55037[1].jpg (916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\hz.haomm[1].htm (12981 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\86220[1].jpg (1953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[1].gif (387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\jquery.tmpl.min[1].js (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\tongji[1].js (3426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\94877[1].jpg (11589 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\94877[1].jpg (16597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\83994[1].jpg (11856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\51142[1].jpg (14289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\rev_sprite[1].gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[3].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[2].gif (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\userLevel_v30[1].png (461 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\55017[1].jpg (8216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\jquery.tmplPlus.min[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\83003[1].jpg (10145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\zb3[1].jpg (17715 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[2].gif (172 bytes)
%Program Files%\wangame\ubo.ub (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\88243[1].jpg (7745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\images[1].xml (642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\55017[1].jpg (2227 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\83003[2].jpg (18185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\86490[1].jpg (5336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[1].gif (387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\zb4[1].jpg (28900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[1].gif (129 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\87604[1].jpg (11052 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\87604[2].jpg (11891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\88243[2].jpg (12245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\zb6[1].jpg (13397 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\hmmBox[1].css (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\87927[1].jpg (8389 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zb1[1].jpg (22721 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\86220[1].jpg (18809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setting2[1].txt (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zb22[1].jpg (24213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\51142[1].jpg (18328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\103140[1].jpg (16762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\87102[1].jpg (1816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\87927[1].jpg (11608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\90356[1].jpg (17089 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\54531[1].jpg (7037 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\imageshow[1].swf (2301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\82995[1].jpg (6177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\104036[1].jpg (7612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery[1].js (51493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\54510[1].jpg (12117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg[1].jpg (13810 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pixel[1].gif (258 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@linezing[1].txt (171 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@haomm[1].txt (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\zb5[1].jpg (13225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\83994[2].jpg (14359 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\54546[1].jpg (4900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\88650[2].jpg (9647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mmListIco_v3[1].png (407 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\pixel[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[2].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\87604[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\88650[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\94877[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\87927[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\83003[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\88243[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\55017[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[2].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pixel[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\83994[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pixel[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\51142[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pixel[3].gif (0 bytes)
Registry activity
The process dianxin_silent[108].exe:488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 98 B0 10 FB BB A5 9C 0C F6 76 32 3A B3 EF 16"
The process DianXin.exe:1384 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "DianXin.exe"
[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "DianXin.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1375782933"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 C0 2C F3 5E 45 99 CC EA F4 8B 09 9A 0E 3F 26"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the IE security-zone flag that places all network paths (UNCs) in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone flag that places all sites that bypass the proxy server in the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE security-zone flag that places all local (intranet) sites not listed in other zones in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note that "1" is the default for all three ZoneMap values and "0" is the default for ProxyEnable; WinINet writes them when a process first uses it, so on their own these entries are not evidence that the sample changed the browser's zone or proxy configuration.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process DianXin.exe:356 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
"DianXin.exe" = "1"
[HKCU\Software\Classes\https\shell]
"(Default)" = "点心浏览器"
[HKCU\Software\Classes\mhtmlfile\shell]
"(Default)" = "点心浏览器"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Classes\https\shell\点心浏览器\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Classes\InternetShortcut\shell]
"(Default)" = "点心浏览器"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111920131120]
"CachePrefix" = ":2013111920131120:"
[HKCU\Software\Classes\http\shell]
"(Default)" = "点心浏览器"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Classes\htmlfile\shell]
"(Default)" = "点心浏览器"
[HKCU\Software\Classes\InternetShortcut\shell\open\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Classes\http\shell\点心浏览器\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111920131120]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Classes\htmlfile\shell\点心浏览器\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Classes\InternetShortcut\shell\点心浏览器\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 40 AC EB E5 1F D8 8F 45 9F F1 61 99 30 97 19"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111920131120]
"CacheLimit" = "8192"
[HKCU\Software\Classes\htmlfile\shell\open\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111920131120]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013111920131120\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013111920131120]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\mhtmlfile\shell\open\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKCU\Software\Classes\mhtmlfile\shell\点心浏览器\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
The Trojan sets the IE security-zone flag that places all network paths (UNCs) in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone flag that places all sites that bypass the proxy server in the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE security-zone flag that places all local (intranet) sites not listed in other zones in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note that "1" is the default for all three ZoneMap values and "0" is the default for ProxyEnable; WinINet writes them when a process first uses it, so on their own these entries are not evidence that the sample changed the browser's zone or proxy configuration.
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
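The security-relevant part of the DianXin.exe:356 listing above is the set of per-user class registrations: HKCU\Software\Classes shadows HKCR for the current user without administrator rights, so pointing the "shell\open\command" of http, https, htmlfile, mhtmlfile and InternetShortcut at DianXin.exe redirects every link and HTML file the user opens to that program. Most of the remaining entries (Shell Folders, MountPoints2, Cache\Paths, the RNG Seed, MostRecentApplication, the default ZoneMap flags) are written by Windows components whenever any process touches them. The following script is an added example, not Lavasoft's code or anything shipped with the sample: it parses a listing in the report's own "[key]" / "name" = "value" layout and separates handler overrides and install footprints from that noise. The SAMPLE text is a constructed excerpt of lines from this report, and the category names, the noise list and the handler pattern are the example's own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str, str]  # (registry key, value name, data)

# Constructed excerpt, in the report's own layout, of entries written by
# DianXin.exe and wangame's installer: handler overrides plus typical noise.
SAMPLE = r"""
[HKCU\Software\Classes\http\shell]
"(Default)" = "点心浏览器"
[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\DianXin\DianXin.exe %1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 40 AC EB E5 1F D8 8F 45 9F F1 61 99 30 97 19"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wangame.exe]
"(Default)" = "%Program Files%\wangame\wangame.exe"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')

# A per-user "shell" default verb or "shell\<verb>\command" for a URL protocol
# or HTML file type is the browser-hijack pattern; verb names may be non-ASCII.
HANDLER_RE = re.compile(
    r'^HKCU\\Software\\Classes\\(https?|ftp|htmlfile|mhtmlfile|InternetShortcut)'
    r'\\shell(\\[^\\]+\\command)?$', re.IGNORECASE)

# Keys that WinINet/urlmon, Explorer, DirectX and CryptoAPI write on their own
# whenever a process uses them (example's own list, lower-cased).
NOISE_SUBSTRINGS = (
    r"\explorer\shell folders",
    r"\explorer\mountpoints2",
    r"\cryptography\rng",
    r"\internet settings\cache\paths",
    r"\extensible cache",
    r"\directdraw\mostrecentapplication",
    r"\direct3d\mostrecentapplication",
)
# IE's default ZoneMap values; a fresh profile already holds these.
ZONEMAP_DEFAULTS = {"UNCAsIntranet": "1", "ProxyBypass": "1", "IntranetName": "1"}
# Ordinary install footprint: worth recording as an IOC, not a hijack by itself.
INSTALL_SUBSTRINGS = (r"\currentversion\uninstall", r"\currentversion\app paths")


def parse_report(text: str) -> List[Entry]:
    """Turn the "[key]" / "name" = "value" listing into (key, name, data) triples."""
    entries: List[Entry] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            entries.append((current, m.group(1), m.group(2)))
    return entries


def classify(entry: Entry) -> str:
    """Bucket one registry write: handler_override, noise, install_footprint or review."""
    key, name, data = entry
    k = key.lower()
    if HANDLER_RE.match(key):
        return "handler_override"
    if k.endswith(r"\internet settings\zonemap") and ZONEMAP_DEFAULTS.get(name) == data:
        return "noise"
    if any(s in k for s in NOISE_SUBSTRINGS):
        return "noise"
    if any(s in k for s in INSTALL_SUBSTRINGS):
        return "install_footprint"
    return "review"


def triage(text: str) -> Dict[str, List[Entry]]:
    """Parse a listing and group its entries by classification."""
    buckets: Dict[str, List[Entry]] = defaultdict(list)
    for entry in parse_report(text):
        buckets[classify(entry)].append(entry)
    return dict(buckets)


def handler_targets(buckets: Dict[str, List[Entry]]) -> Set[str]:
    """Executable names that the handler overrides hand every URL to."""
    targets: Set[str] = set()
    for _key, _name, data in buckets.get("handler_override", []):
        cmd = data.split(" %1")[0].strip('"')
        if cmd.lower().endswith(".exe"):
            targets.add(cmd.rsplit("\\", 1)[-1])
    return targets


if __name__ == "__main__":
    result = triage(SAMPLE)
    for bucket, entries in sorted(result.items()):
        print(f"{bucket}: {len(entries)} entries")
        for key, name, data in entries:
            print(f"  [{key}] {name} = {data}")
    print("URL handlers redirected to:", ", ".join(sorted(handler_targets(result))))
```

Feed it the full registry section of a report and anything left in the "review" bucket (here that would include the HKCR\metnsd\clsid key written by mkhoz_30071.exe) is what still needs a human look; the "noise" bucket can be dropped from an IOC list without losing detection value.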
The process mkhoz_30071.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\metnsd\clsid]
"SequenceID" = "98 50 1D 0E 8C 17 23 4F A0 B3 BD 8F 42 EE 73 80"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE CD 13 E6 EC 5F C9 93 AB 09 1D 13 3B B3 71 07"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan sets the IE security-zone flag that places all network paths (UNCs) in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the IE security-zone flag that places all sites that bypass the proxy server in the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the IE security-zone flag that places all local (intranet) sites not listed in other zones in the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note that "1" is the default for all three ZoneMap values and "0" is the default for ProxyEnable; WinINet writes them when a process first uses it, so on their own these entries are not evidence that the sample changed the browser's zone or proxy configuration.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process wan.exe:2212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 F2 81 FA 13 9D 83 91 33 D5 2D 1D 4A 23 D7 6C"
The process feng2_feng2.exe:2136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃæÃ汦ºÃ]
"Publisher" = "ÃæÃ汦ºÃ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃæÃ汦ºÃ]
"DisplayIcon" = "%Program Files%\wangame\wangame.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wangame.exe]
"(Default)" = "%Program Files%\wangame\wangame.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃæÃ汦ºÃ]
"DisplayName" = "ÃæÃ汦ºÃ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃæÃ汦ºÃ]
"UninstallString" = "%Program Files%\wangame\ÃæÃ汦ºÃ\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃæÃ汦ºÃ]
"DisplayVersion" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB FC 91 D1 7A 79 3F C0 80 06 8E 06 0F 3F 38 9D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wangame" = "%Program Files%\wangame\webzm.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Online_70030.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 96 C3 64 F5 D3 7C 54 D5 21 01 0F B2 63 60 89"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process dianxin_silent[108].tmp:1944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"DisplayName" = "µãÃÄä¯ÀÀÆ÷ °æ±¾ 1.3.6.1157"
"URLUpdateInfo" = "DianXin.com"
"URLInfoAbout" = "DianXin.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"Inno Setup: Setup Version" = "5.4.0 (a)"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"HelpLink" = "DianXin.com"
"DisplayVersion" = "1.3.6.1157"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"InstallLocation" = "%Program Files%\DianXin\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"InstallDate" = "20131119"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"Inno Setup: Language" = "default"
[HKLM\SOFTWARE\DianXin]
"softname" = "µãÃÄä¯ÀÀÆ÷ 1.3.6.1157°æ"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"NoRepair" = "1"
"QuietUninstallString" = "%Program Files%\DianXin\unins000.exe /SILENT"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"Inno Setup: App Path" = "%Program Files%\DianXin"
"MinorVersion" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"Inno Setup: Icon Group" = "µãÃÄä¯ÀÀÆ÷"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"Inno Setup: User" = "%CurrentUserName%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 A5 BB 54 BA 48 BB DD 23 B9 6C 47 DD B9 9F 5F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"NoModify" = "1"
"Publisher" = "µãÃÄä¯ÀÀÆ÷ÃŶÓ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"MajorVersion" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\µãÃÄä¯ÀÀÆ÷_is1]
"UninstallString" = "%Program Files%\DianXin\unins000.exe"
The process %original file name%.exe:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\play.exe]
"(Default)" = "%Program Files%\ffmovie\lsplay.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 6F 19 C8 FE C2 D9 67 47 A4 62 01 13 DD 60 B1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process wangame.exe:2204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "wangame.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1380985189"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 67 C8 37 4A 83 C1 64 93 6D 08 32 EE 09 B3 20"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://xz.ieanquan.com/download/dianxin_silent[108].exe | |
| hxxp://1st.ecoma.glb0.lxdns.com/api/index.php?m=soft_install&ver=1.3.6.1157&ie=6.0&os=5.1&skin=360&hid=00000000000000000001&qd_id=UAgJ&home_url=&mac_add=UQgcCXQdUAlLVwtOCFVFKHo=&install_time=1384820943&rand=567656 | |
| hxxp://1st.ecoma.glb0.lxdns.com/iedianxin.htm?install | |
| hxxp://shadu.n.shifen.com/api/openapi/json_get_full_down_url_v4/30071 | |
| hxxp://c.cnzz.com/stat.php?id=5161651&web_id=5161651 | |
| hxxp://c.cnzz.com/core.php?web_id=5161651&t=z | |
| hxxp://z10.cnzz.com/stat.htm?id=5161651&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=898260942-1384837614-http://www.iedianxin.com&showp=1024x768&st=0&sin=&t=µãÐÄä¯ÀÀÆ÷&rnd=1585555031 | |
| hxxp://1st.ecoma.glb0.lxdns.com/api/data/xml/dxInfo_108.xml | |
| hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=720546958 | |
| hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMReport.dll | |
| hxxp://pcookie.split.cnzz.com/app.gif?&cna=8d8RCzYcLycCAbhrJibp3XoP | |
| hxxp://1st.ecoma.glb0.lxdns.com/api/index.php?m=soft_active&ver=1.3.6.1157&ie=6.0&os=5.1&skin=IE6&hid=00000000000000000001&qd_id=UAgJ&home_url=CUxFSQ0fTVgHDh0HUAMGElFdG1AEDBc=&mac_add=UQgcCXQdUAlLVwtOCFVFKHo=&install_time=1384820943&rand=577531 | |
| hxxp://1st.ecoma.glb0.lxdns.com/ | |
| hxxp://1st.ecoma.glb0.lxdns.com/favicon.ico | |
| hxxp://1st.ecoma.glb0.lxdns.com/iedianxin.htm?survival | |
| hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1099001386 | |
| hxxp://z10.cnzz.com/stat.htm?id=5161651&r=&lg=en-us&ntime=1384837614&repeatip=1&rtime=0&cnzz_eid=898260942-1384837614-http://www.iedianxin.com&showp=1024x768&st=-16656&sin=&t=µãÐÄä¯ÀÀÆ÷&rnd=1020166621 | |
| hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMNet.dll (Malicious) | |
| hxxp://hao123.g.shifen.com/?tn=39015028_214_hao_pg | |
| hxxp://shadu.n.shifen.com/index/minidownload/70030 | |
| hxxp://115.238.245.179/wsmn/pabc_70030.exe | |
| hxxp://115.238.245.176/dl1sw.baidu.com/wsmn/pabc_70030.exe?wsiphost=local (Malicious) | |
| hxxp://ncloud.sfppp.com/down/setup.xml | |
| hxxp://count.9511.com/tongjiGateway.php?id=00-0C-29-68-17-BB&tgid=feng2&khd=feng2&ver=4.0 | |
| hxxp://hao123.g.shifen.com/v4/dt/sS/DX/hC/tS/dtsSDXhCtS.css | |
| hxxp://hz.haomm.com/ | |
| hxxp://count.9511.com/setting2.txt | |
| hxxp://hz.haomm.com/js/jquery.js | |
| hxxp://hao123.g.shifen.com/index/images/newlogo-186X68.png | |
| hxxp://ncloud.sfppp.com/down/cloud.jpg | |
| hxxp://hao123.g.shifen.com/v4/00/27/7X/CU/Rs/hf_body_bg.png | |
| hxxp://hao123.g.shifen.com/res/images/search_logo/web_png8.png | |
| hxxp://hao123.g.shifen.com/v4/Ol/jG/-y/F2/qe/3/index_icon.png | |
| hxxp://hz.haomm.com/js/jquery.tmpl.min.js | |
| hxxp://hz.haomm.com/js/jquery.tmplPlus.min.js | |
| hxxp://hz.haomm.com/hmmBox/hmmBox.css | |
| hxxp://hao123.g.shifen.com/v4/0W/m8/xk/V4/_g/2/baidu-form.png | |
| hxxp://hao123.g.shifen.com/v4/DB/OB/Eb/ZF/Bn/DBOBEbZFBn.js | |
| hxxp://hz.haomm.com/images/bg.jpg | |
| hxxp://hz.haomm.com/imageshow.swf | |
| hxxp://hz.haomm.com/images/rev_sprite.gif | |
| hxxp://hz.haomm.com/xml/images.xml | |
| hxxp://hao123.g.shifen.com/v4/hq/qu/um/XJ/bL/hqquumXJbL.css | |
| hxxp://hz.haomm.com/images/zb1.jpg | |
| hxxp://hz.haomm.com/images/zb22.jpg | |
| hxxp://taurus.danuoyi.tbcache.com/3296853/tongji.js | |
| hxxp://hao123.g.shifen.com/res/ecom/jd-1112.jpg | |
| hxxp://dt.tongji.linezing.com/tongji.do?unit_id=3296853&uv_id=2334150377864647686&uv_new=1&cna=&cg=&mid=&mmland=&ade=&adtm=&sttm=&cpa=&ss_id=293368655&ss_no=0&ec=1&ref=&url=http://hz.haomm.com/&title=%u597D%u7F8E%u7709%u76D2%u5B50&charset=utf-8&domain=haomm.com&hashval=895&filtered=0&app=Microsoft Internet Explorer&agent=Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)&color=32-bit&screen=1024x768&lg=en-us&je=1&fv=10.0&st=1384837380&vc=d398beae&ut=0&url_id=0&cnu=0.1894211852051711 | |
| hxxp://haomm.com/img/room/avatar/54531.jpg | |
| hxxp://haomm.com/img/room/avatar/87927.jpg | |
| hxxp://haomm.com/img/room/avatar/87604.jpg | |
| hxxp://haomm.com/img/room/avatar/104036.jpg | |
| hxxp://baidubrs.dlmix.glb0.lxdns.com/client/v1092/1118_1/Baidusd_Setup_1.0.56.243.exe | |
| hxxp://cc00087.f.cncssr.chinacache.net/imges/pixel.gif | |
| hxxp://haomm.com/img/room/avatar/88243.jpg | |
| hxxp://haomm.com/img/room/avatar/88650.jpg | |
| hxxp://hao123.g.shifen.com/v4/YM/hA/Bt/wm/XM/YMhABtwmXM.css | |
| hxxp://haomm.com/img/room/avatar/103140.jpg | |
| hxxp://haomm.com/img/room/avatar/83994.jpg | |
| hxxp://haomm.com/img/room/avatar/51142.jpg | |
| hxxp://haomm.com/img/room/avatar/55017.jpg | |
| hxxp://haomm.com/img/room/avatar/87102.jpg | |
| hxxp://hao123.g.shifen.com/res/img/2013/lazy-loading.gif | |
| hxxp://haomm.com/img/room/avatar/83003.jpg | |
| hxxp://count37.51yes.com/sa.htm?id=372356607&refe=&location=test&color=32x&resolution=1024*768&returning=0&language=zh-cn&ua=drivers | |
| hxxp://haomm.com/img/room/avatar/94877.jpg | |
| hxxp://haomm.com/img/room/avatar/82995.jpg | |
| hxxp://hz.haomm.com/images/zb3.jpg | |
| hxxp://115.238.245.176/dl1sw.baidu.com/client/v1092/1118_1/Baidusd_Setup_1.0.56.243.exe?wsiphost=local (Malicious) | |
| hxxp://hao123.g.shifen.com/res/img/index/icon-0924-24.png | |
| hxxp://haomm.com/img/room/avatar/90356.jpg | |
| hxxp://haomm.com/img/room/avatar/86490.jpg | |
| hxxp://hao123.g.shifen.com/res/r/image/2013-11-19/9c487bb15d29a85bbb1e3be753292d9a.jpg | |
| hxxp://haomm.com/img/room/avatar/54546.jpg | |
| hxxp://haomm.com/img/room/avatar/54510.jpg | |
| hxxp://haomm.com/img/room/avatar/55037.jpg | |
| hxxp://haomm.com/img/room/avatar/86220.jpg | |
| hxxp://haomm.com/img/room/avatar/54911.jpg | |
| hxxp://hz.haomm.com/images/zb4.jpg | |
| hxxp://bcs.jomodns.com/urlicon/3780.png | |
| hxxp://hao123.g.shifen.com/img/1L/Aw/2F/mk/ch/o/blank.gif | |
| hxxp://haomm.com/img/room/avatar/54627.jpg | |
| hxxp://haomm.com/img/room/avatar/83937.jpg | |
| hxxp://hz.haomm.com/images/zb5.jpg | |
| hxxp://hao123.g.shifen.com/res/img/defaultIcon0708.png | |
| dtrp.download.iyuntian.com | |
| dl1sw.baidu.com | |
| cnzz.mmstat.com | |
| jp.download.iyuntian.com | |
| s17.cnzz.com | |
| dlsw.baidu.com | |
| pcookie.cnzz.com | |
| cfg.download.iyuntian.com | |
| js.tongji.linezing.com | |
| res.download.iyuntian.com | |
| hao.dianxin.com | |
| s0.hao123img.com | |
| www.baidu.com | |
| s1.hao123img.com | |
| www.haomm.com | |
| vr0.6.cn | |
| img1.hao123.com | |
| www.iedianxin.com | |
| rja3n.baidu.com | |
| tk.download.iyuntian.com | |
| rc.download.iyuntian.com | |
| hzs17.cnzz.com | |
| utk.download.iyuntian.com | |
| www.hao123.com | |
| weishi.baidu.com | |
| res2.download.iyuntian.com | |
| res3.download.iyuntian.com | |
| sn.download.iyuntian.com | |
| qr.download.iyuntian.com | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dianxin_silent[108].exe:488
DianXin.exe:356
mkhoz_30071.exe:1044
wan.exe:2212
feng2_feng2.exe:2136
Online_70030.exe:1216
dianxin_silent[108].tmp:1944
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wangame" = "%Program Files%\wangame\webzm.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.