Trojan.NSIS.StartPage_d699edf6e8
Trojan.Win32.Badur.gcfu (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: d699edf6e8b50d9403f451a4f458deaf
SHA1: b596b499805357b1892f9c61648f7720a31cf970
SHA256: 719fe3978430a0547e66e9390d2ae33575066e612e90f44a597e6ac4a931a2f4
SSDeep: 24576:B6Ggtk4Z6mR3FYze0YRQKYgaNzjG4u2fU55QBr/t:UG4ZT1YzH0QKYDNfG4u2fU55Qd1
Size: 1110377 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
(A packed-looking entropy profile and a packer signature are expected for an NSIS installer, whose payload is compressed. The Trojan.NSIS detection name and the plug-in DLLs unpacked into %TEMP%\ns*.tmp directories below identify the sample as an NSIS installer, not a custom packer.)
Company: *Rapiddown*
Created at: 2009-12-06 00:50:52 (a compile-time or file timestamp, not the analysis date; the IE history container created during the run, MSHist012014010520140106 below, dates the analysis to January 2014)
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan: a program that appears to do one thing but actually does another (a Trojan horse). Here the sample presents as a Chinese-language browser installer (绿豆浏览器, installed under %Program Files%\greeou) and stages further bundled installers from %TEMP%: a weather widget and two installers that drop Baidu download-manager components.
Payload
No specific payload has been found. The observable behaviour is installation of bundled software, user-level autorun persistence for the weather widget, and install-tracking data (MAC address, affiliate-style IDs and a digest) written to the registry; nothing beyond that was identified in this run.
Process activity
The Trojan creates the following process(es). The sandbox cuts some image names to 15 characters: pcWeather365.ex is pcWeather365.exe and weatherRealTime is weatherRealTimeService.exe, both dropped under %Program Files%\pcWeather365 (see the file activity and the MUICache entry below). ctfmon.exe is the Windows Text Services component; its only recorded change is the operating system's own removal of the legacy internat.exe autorun value.
ctfmon.exe:252
365weatherIns_61.exe:2080
pcWeather365.ex:2496
bbxknhz_30448.exe:3540
greendou.exe:3092
weatherRealTime:2400
xblzy_70304.exe:3792
The Trojan injects its code into the following process(es):
%original file name%.exe:2644
(The only target is the sample's own process, so this line records code executing inside the sample's own address space, which for an NSIS installer is typically its plug-in DLLs loaded from the ns*.tmp directory, not injection into another process.)
File activity
The process 365weatherIns_61.exe:2080 makes changes in the file system. It is itself an NSIS installer: it unpacks its plug-ins (KillProcDLL.dll, SkinBtn.dll, md5dll.dll, nsWindows.dll, inetc.dll, System.dll, nsDialogs.dll) into %TEMP%\nseB.tmp, installs the pcWeather365 weather widget under %Program Files%\pcWeather365, and removes the plug-in directory when finished.
The Trojan creates and/or writes to the following file(s):
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\md5dll.dll (8 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\newfeather1.jpg (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\btn_complete.bmp (3616 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\loading2.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\inetc.dll (784 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\btn_next.bmp (3616 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\bg.bmp (18424 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\loading1.bmp (456 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨.lnk (836 bytes) (GBK file name rendered as Latin-1; decodes to 桌面天气预报.lnk, "Desktop Weather Forecast")
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\ToggleImages.html (1 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\newfeather2.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\newfeather3.jpg (784 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp (79841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ã¶ÔØ.lnk (804 bytes) (GBK file name rendered as Latin-1; the first six characters decode to 桌面天气预报, "Desktop Weather Forecast"; the last two are further garbled but, given the uninst.exe dropped alongside, are most likely 卸载, "uninstall")
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\checkbox2.bmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\cnzzonline.html (2 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\btn_close.bmp (2 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\checkbox1.bmp (5 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport (0 bytes)
The first two are NSIS's own clean-up of its temporary extraction files. The third is named after the analysis VM's network adapter description, so the installer creates a per-adapter file under updateInfo; on a real host the name would be that host's adapter, and the VMware string is a sandbox artifact, not an indicator to hunt for verbatim.
The process bbxknhz_30448.exe:3540 makes changes in the file system. It was staged in %TEMP% by the original sample and is a separate bundled installer: the BDM*.dll, *.bdl and %All Users%\Application Data\Baidu\BDDownload files it drops are consistent with an installer built on the Baidu download-manager framework, unrelated to the weather widget or the browser.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMReport.dll.bdl (36482 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb7.tmp (156906 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMNet.dll.bdl (47520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\58db90517c3c93bec106085e60b3f9ed.bdt (487 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\dl.dll (65945 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\33f59beac1c942dd19f41a7fd30f3f9b.bdt (647 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\tmpfjem5c.dll (76650 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsg6.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
The process greendou.exe:3092 makes changes in the file system. This is the installed browser (%Program Files%\greeou\GreenDou.exe); the Temporary Internet Files entries below are pages it fetched on first launch (u_13741[1].htm, lvdou_300duo_com[1].htm, global[1].css), and the greeou\profile files are its own profile.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\u_13741[1].htm (12388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\lvdou_300duo_com[1].htm (351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (2254 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\global[1].css (64585 bytes)
The Trojan deletes the following file(s). These are Internet Explorer's daily history containers from April 2013, the date of the sandbox image; WinINet retires old MSHist* containers when it opens a new one for the current day (cf. the MSHist012014010520140106 key created below), so this is routine history rotation by the browser engine, not deliberate anti-forensics:
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416 (0 bytes)
The process %original file name%.exe:2644 makes changes in the file system. This is the sample itself: an NSIS installer (plug-ins NSISdl.dll, Inetc.dll, System.dll, xID.dll, Md5dll.dll and processwork.dll unpacked to %TEMP%\nsg2.tmp) that installs the 绿豆浏览器 browser under %Program Files%\greeou and stages four further installers in %TEMP%: 365weatherIns_61.exe, setup_3128.exe, xblzy_70304.exe and bbxknhz_30448.exe. Three of these appear in the process list above; setup_3128.exe is written but never recorded as executing in this run.
The Trojan creates and/or writes to the following file(s):
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (100631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\processwork.dll (6140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (25580 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\NSISdl.dll (14 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\ico\Thumbs.db (15 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (315025 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (902 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xblzy_70304.exe (170439 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\open.ini (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Â̶¹ä¯ÀÀÆ÷\Â̶¹ä¯ÀÀÆ÷.lnk (678 bytes) (GBK rendered as Latin-1; decodes to 绿豆浏览器\绿豆浏览器.lnk, "Lüdou (mung bean) Browser", cf. greendou.exe and lvdou_300duo_com)
%Documents and Settings%\%current user%\Local Settings\Temp\bbxknhz_30448.exe (158120 bytes)
%Documents and Settings%\%current user%\Desktop\Â̶¹ä¯ÀÀÆ÷.lnk (666 bytes) (GBK rendered as Latin-1; decodes to 绿豆浏览器.lnk)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (348 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Program Files%\greeou\ico\taobao.ico (2104 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
The process xblzy_70304.exe:3792 makes changes in the file system. Like bbxknhz_30448.exe it was staged in %TEMP% by the original sample and unpacks the same BDM*.dll / *.bdl set into an NSIS plug-in directory, plus a v.exe.bdl payload, again writing under %All Users%\Application Data\Baidu.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\tmpddxyd4.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMReport.dll.bdl (38647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\v.exe.bdl (110457 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMNet.dll.bdl (49608 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMDownload.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\224b984faf5cf92bdb1ec47086915af6.bdt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg4.tmp (124743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\hu.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (16 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl3.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
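The file-activity lists above are long, and the useful question for triage is which process wrote which executable that later ran. The following Python script is an added example by the editor, not part of the Lavasoft report: it parses lines in the format this page uses (an abridged excerpt of the report is embedded as constructed sample input), sorts drops into NSIS temporary files, executables staged in %TEMP% and installed PE files, reconstructs the dropper chain by matching each listed process (allowing for the sandbox's 15-character image-name truncation) to the process that wrote its image, and lists staged executables that never ran. The regexes and the category names are the example's own assumptions.

```python
"""Dropper-chain reconstruction from a sandbox "File activity" section (added example)."""
import re

# Abridged excerpt transcribed from this report (constructed sample input).
REPORT_EXCERPT = r"""The process %original file name%.exe:2644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\greeou\GreenDou.exe (25580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (100631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (315025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xblzy_70304.exe (170439 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bbxknhz_30448.exe (158120 bytes)
The process 365weatherIns_61.exe:2080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\inetc.dll (784 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp (0 bytes)
The process xblzy_70304.exe:3792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMDownload.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\v.exe.bdl (110457 bytes)
"""

# The report's "Process activity" list, verbatim (some image names are cut
# to 15 characters by the sandbox).
PROCESSES = [
    "ctfmon.exe:252", "365weatherIns_61.exe:2080", "pcWeather365.ex:2496",
    "bbxknhz_30448.exe:3540", "greendou.exe:3092", "weatherRealTime:2400",
    "xblzy_70304.exe:3792",
]

PROCESS_RE = re.compile(r"^The process (.+?) makes changes in the file system\.$")
FILE_RE = re.compile(r"^(.+) \((\d+) bytes\)$")
# NSIS unpacks plug-in DLLs into %TEMP%\ns<random>.tmp\ and stages extracted
# data in bare ns<random>.tmp files; both are removed when the installer exits.
NSIS_TMP_RE = re.compile(r"\\Temp\\ns[0-9A-Za-z]{1,4}\.tmp(\\|$)", re.I)
TEMP_EXE_RE = re.compile(r"\\Temp\\[^\\]+\.exe$", re.I)
PE_EXT_RE = re.compile(r"\.(exe|dll)$", re.I)


def parse_report(text):
    """Return (process, action, path, size) tuples from the report's file section."""
    events, process, action = [], None, None
    for line in text.splitlines():
        m = PROCESS_RE.match(line)
        if m:
            process = m.group(1)
            continue
        if line.startswith("The Trojan creates and/or writes"):
            action = "write"
            continue
        if line.startswith("The Trojan deletes"):
            action = "delete"
            continue
        m = FILE_RE.match(line)
        if m and process and action:
            events.append((process, action, m.group(1), int(m.group(2))))
    return events


def categorize(path):
    """Coarse triage bucket for a dropped path (assumed category names)."""
    if NSIS_TMP_RE.search(path):
        return "nsis_temp"
    if TEMP_EXE_RE.search(path):
        return "temp_executable"      # staged second-stage installer
    if PE_EXT_RE.search(path):
        return "installed_pe"
    return "data"


def count_by_category(events):
    counts = {}
    for _, _, path, _ in events:
        counts[categorize(path)] = counts.get(categorize(path), 0) + 1
    return counts


def basename(path):
    return path.rsplit("\\", 1)[-1]


def image_matches(process, filename):
    """Match a 'name:pid' entry to a file name, allowing 15-char truncation."""
    name = process.rsplit(":", 1)[0].lower()
    filename = filename.lower()
    return filename == name or (len(name) == 15 and filename.startswith(name))


def dropper_chain(events, processes):
    """Map each executed process to the process that wrote its image file."""
    chain = {}
    for proc in processes:
        for writer, action, path, _ in events:
            if (action == "write"
                    and categorize(path) in ("temp_executable", "installed_pe")
                    and image_matches(proc, basename(path))):
                chain[proc] = writer
    return chain


def dropped_but_not_run(events, processes):
    """Executables staged in %TEMP% that never appear as a process."""
    staged = {basename(p) for _, a, p, _ in events
              if a == "write" and categorize(p) == "temp_executable"}
    return sorted(f for f in staged
                  if not any(image_matches(proc, f) for proc in processes))


if __name__ == "__main__":
    evs = parse_report(REPORT_EXCERPT)
    print(count_by_category(evs))
    for child, parent in dropper_chain(evs, PROCESSES).items():
        print(f"{parent}  ->  {child}")
    print("staged but not executed:", dropped_but_not_run(evs, PROCESSES))
```

Run against the full report text instead of the excerpt, the chain places every executed process under either the original sample or the pcWeather365 installer, and the only staged executable with no process is setup_3128.exe.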
Registry activity
The process ctfmon.exe:252 makes changes in the system registry.
It deletes the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
This is standard Windows XP behaviour: ctfmon.exe (Text Services) retires the legacy internat.exe language-indicator entry when it runs. The change is the operating system's, not the sample's, and should not be read as the Trojan disabling an application's startup.
The process 365weatherIns_61.exe:2080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry. Entries under Explorer\Shell Folders, Explorer\MountPoints2, ShellNoRoam\MUICache, Internet Settings\Connections and Cryptography\RNG are written by Windows shell, WinINet and CryptoAPI code on behalf of any caller and carry no signal; the installer's own writes are the Uninstall\pcWeather365 key, the App Paths\pcWeather365.exe key (used here to park install-tracking data, see the "jieguo" value) and the Run value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"UninstallString" = "%Program Files%\pcWeather365\uninst.exe"
"DisplayIcon" = "%Program Files%\pcWeather365\pcWeather365.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"appdata" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"URLInfoAbout" = "http://114tq.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"quick" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"Publisher" = "365ÆøÃó¹¤×÷ÊÒ" (GBK rendered as Latin-1; decodes to 365气象工作室, "365 Weather Studio")
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"(Default)" = "%Program Files%\pcWeather365\pcWeather365.exe"
"desk" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"pcWeather365/weatherRealTimeService.exe" = "weatherRealTimeService"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayName" = "pcWeather365 1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Mac" = "00-0C-29-3B-DF-2F"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 B0 D5 30 0D AE 20 0C 10 07 25 0D A0 A5 6D E1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayVersion" = "1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"jieguo" = "mac=00-0C-29-3B-DF-2F&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=f72e066ddb1d94ae63e1d32390e05757"
The App Paths\pcWeather365.exe key is being used as a scratch store for install-tracking data rather than only for the application path it is meant to hold. "Mac" is the host's MAC address (00-0C-29 is a VMware OUI, so this value is specific to the analysis VM); "Index" is the path of the installer that ran; the desk, menu, quick, collection and appdata values are cached shell-folder paths (collection = 收藏, Favorites); and "jieguo" (结果, "result") is a pay-per-install style beacon string carrying the MAC, a soft_id, a tuiguang_id (推广, "promotion") set to the installer path, and a yanzheng (验证, "verification") value that is a 32-hex-digit digest of unknown derivation. The _61 suffix of the installer name recurs in the cached aztongji_61[1].htm (统计, "statistics") page, which suggests the same campaign identifier is also reported over HTTP. These values, not the Shell Folders or RNG entries, are the ones worth hunting for.
The Trojan sets the following Internet Explorer zone-map values (the report's generated labels were imprecise; each value corresponds to one Local intranet checkbox in Internet Options):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (include all network paths (UNCs) in the Local intranet zone)
"ProxyBypass" = "1" (include all sites that bypass the proxy server in the Local intranet zone)
"IntranetName" = "1" (include all local intranet sites not listed in other zones, i.e. dotless host names, in the Local intranet zone; this does not map all URLs to the zone)
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Caveat: these three zone-map values, together with the AutoDetect=1 above, are the stock Local intranet defaults that Internet Explorer writes when a WinINet/urlmon client first initialises the per-user zone map, and they show up in sandbox reports of benign WinINet-using programs as well. On their own they are weak evidence of zone tampering; they matter only on a host whose policy sets them differently.
To run itself each time the current user logs on, the Trojan adds the following link to its file to the registry autorun key (HKCU\Run executes at logon, not at boot, and needs no administrator rights to write):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
The Trojan deletes the following value(s) in system registry. Together with ProxyEnable=0 and the SavedLegacySettings write above this has the shape of a WinINet connection-settings save; nothing in the report shows a proxy or PAC having been configured on the sandbox beforehand, so it is unclear whether anything was actually removed or whether the installer would strip a real proxy configuration:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process pcWeather365.ex:2496 (pcWeather365.exe) makes changes in the system registry.
Its only recorded change is the CryptoAPI seed that any caller of CryptGenRandom rewrites; it is not an indicator:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 41 0A 61 66 A5 C3 F2 57 D3 7A 0E 0B 83 16 F1"
The process bbxknhz_30448.exe:3540 makes changes in the system registry.
All of its recorded writes (RNG seed, MountPoints2 drive entries, Shell Folders paths) are side effects of CryptoAPI and shell calls and carry no signal; this installer's real footprint is in the file activity above:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E BB 6D 8B 46 41 E6 0B 8A D7 F9 12 A9 0C F4 66"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
The process greendou.exe:3092 makes changes in the system registry.
GreenDou appears to be an IE-engine shell browser (its first run produces the IE cache and history entries listed above), and most of the writes below are Internet Explorer initialisation artifacts: CpMRU, International, Extensible Cache, Connections, ZoneMap, Shell Folders, MountPoints2 and the RNG seed. The application-specific entries are the CLSID\{0002DF01-0000-0000-C000-000000000046} LocalServer32 registration (the InternetExplorer.Application COM class), HKCU\Software\Gie "update2", and Main "Disable Script Debugger":
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@shell32.dll,-12693" = "Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010520140106]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010520140106]
"CachePrefix" = ":2014010520140106:"
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014010520140106"
[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010520140106]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 56 FD 80 8E 2A C1 ED 5E 97 F6 8F 20 48 14 3B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014010520140106]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Gie]
"update2" = "2"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Disable Script Debugger" = "yes"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041520130416]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040820130415]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\System\CurrentControlSet\Services\Tcpip\Performance]
"Error Count"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process %original file name%.exe:2644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayName" = "绿豆浏览器 1.0.0.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"Publisher" = "aaa9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆浏览器]
"DisplayVersion" = "1.0.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
The process weatherRealTime:2400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 0F F6 95 5F 42 C0 A0 31 13 76 0A 08 2E BD 68"
[HKCR\AppID\weatherService.EXE]
"AppID" = "{636DA746-D508-400B-86A0-AE7F3C4008F7}"
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService" = "weatherRealTimeService"
"(Default)" = "weatherService"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService"
The process xblzy_70304.exe:3792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 79 B0 DF 1D 59 23 F0 8C CA 68 A3 A9 9E 76 4D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\metnsd\clsid]
"SequenceID" = "D4 B1 5C 55 32 99 41 4C 9A EC E2 07 58 4A 99 0E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://lvdou.300duo.com/favicon.ico | |
| hxxp://lvdou.300duo.com/ | |
| hxxp://123.125.65.162/index/minidownload/30448 | |
| hxxp://117.21.189.102/qdmn/coufxzp_30448.exe | |
| hxxp://117.21.189.52/dl1sw.baidu.com/qdmn/coufxzp_30448.exe?wsiphost=local (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://pxsw.n.shifen.com/ | |
| hxxp://dh.cdn.etedns.com/u_13741.html | |
| hxxp://dh.cdn.etedns.com/theme/hao123v3_1/css/global.css | |
| hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMReport.dll (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://dh.cdn.etedns.com/update/365/365weatherIns_61.rar | |
| hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMNet.dll (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| js.hao2266.com | |
| jp.download.iyuntian.com | |
| rc.download.iyuntian.com | |
| tk.download.iyuntian.com | |
| dlsw.baidu.com | |
| lm.beilequ.com | |
| cfg.download.iyuntian.com | |
| res.download.iyuntian.com | |
| dtrp.download.iyuntian.com | |
| p.x.baidu.com | |
| utk.download.iyuntian.com | |
| www.h1231.com | |
| www.biso.cc | |
| res2.download.iyuntian.com | |
| qr.download.iyuntian.com | |
| res3.download.iyuntian.com | |
| sn.download.iyuntian.com | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
365weatherIns_61.exe:2080
pcWeather365.ex:2496
bbxknhz_30448.exe:3540
greendou.exe:3092
weatherRealTime:2400
xblzy_70304.exe:3792
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\md5dll.dll (8 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\newfeather1.jpg (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\btn_complete.bmp (3616 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\loading2.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\inetc.dll (784 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\btn_next.bmp (3616 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\bg.bmp (18424 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\loading1.bmp (456 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报.lnk (836 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\ToggleImages.html (1 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\newfeather2.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\newfeather3.jpg (784 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA.tmp (79841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ã¶ÔØ.lnk (804 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\checkbox2.bmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\cnzzonline.html (2 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\btn_close.bmp (2 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp\checkbox1.bmp (5 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMReport.dll.bdl (36482 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb7.tmp (156906 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMNet.dll.bdl (47520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\58db90517c3c93bec106085e60b3f9ed.bdt (487 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\33f59beac1c942dd19f41a7fd30f3f9b.bdt (647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq8.tmp\tmpfjem5c.dll (76650 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\u_13741[1].htm (12388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\lvdou_300duo_com[1].htm (351 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Program Files%\greeou\profile\Defaults\last.ini (2254 bytes)
%Program Files%\greeou\profile\Defaults\config.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\global[1].css (64585 bytes)
%Program Files%\greeou\skin\Default\control\tab_hover.png (346 bytes)
%Program Files%\greeou\skin\Default\control\tab_bg.png (314 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new3.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_ad_hunter.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (100631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\processwork.dll (6140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\System.dll (11 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back3.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites2.png (696 bytes)
%Program Files%\greeou\skin\Default\control\MenuItem_Hover.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\greeou\skin\Default\misc\24_go.png (650 bytes)
%Program Files%\greeou\skin\Default\shared\16_new.png (650 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_favorites.png (700 bytes)
%Program Files%\greeou\profile\Defaults\CommandBars.ini (1 bytes)
%Program Files%\greeou\skin\Default\mskin.ini (10 bytes)
%Program Files%\greeou\GreenDou.exe (25580 bytes)
%Program Files%\greeou\skin\Default\control\status_bar_bg.png (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\NSISdl.dll (14 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown_hover.png (774 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward.png (947 bytes)
%Program Files%\greeou\skin\Default\control\win_minimize.png (202 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh.png (1 bytes)
%Program Files%\greeou\skin\Default\control\combo_dropdown.png (794 bytes)
%Program Files%\greeou\profile\Template\start\images\logo.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\Inetc.dll (20 bytes)
%Program Files%\greeou\skin\Default\control\Button_Pressed.png (1 bytes)
%Program Files%\greeou\profile\Template\start\index.html (832 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_website_info.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new.png (879 bytes)
%Program Files%\greeou\skin\Default\control\title_bg.png (655 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_home2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_logo.gif (2 bytes)
%Program Files%\greeou\skin\Default\shared\16_edit.png (646 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar.png (321 bytes)
%Program Files%\greeou\profile\SearchEngine\config.ini (226 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new2.png (801 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom2.png (724 bytes)
%Program Files%\greeou\profile\Template\start\style.css (3 bytes)
%Program Files%\greeou\profile\Template\start\images\dian.gif (376 bytes)
%Program Files%\greeou\skin\Default\control\win_close.png (362 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_refresh2.png (1 bytes)
%Program Files%\greeou\profile\Template\start\images\header_bg.gif (83 bytes)
%Program Files%\greeou\skin\Default\control\tab_active.png (1 bytes)
%Program Files%\greeou\skin\Default\control\mainframe.png (288 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\tab_inactive.png (281 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_inactive.png (259 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_open.png (614 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search.png (871 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown.png (794 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop2.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\xID.dll (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_search2.png (969 bytes)
%Program Files%\greeou\skin\Default\control\win_maximum.png (275 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_new.png (637 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_page_zoom.png (733 bytes)
%Program Files%\greeou\skin\Default\control\tab_sidebar_hover.png (322 bytes)
%Program Files%\greeou\skin\Default\control\sidebar_tab_active.png (957 bytes)
%Program Files%\greeou\skin\Default\control\progress.png (708 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_back.png (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\Md5dll.dll (8 bytes)
%Program Files%\greeou\profile\Defaults\searchkeys.ini (14 bytes)
%Program Files%\greeou\skin\Default\control\tab_new.png (350 bytes)
%Program Files%\greeou\skin\Default\control\combosearch_dropdown_hover.png (774 bytes)
%Program Files%\greeou\ico\Thumbs.db (15 bytes)
%Program Files%\greeou\profile\Template\start\left.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (315025 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward2.png (1 bytes)
%Program Files%\greeou\skin\Default\control\skin_selector.png (283 bytes)
%Program Files%\greeou\skin\Default\control\win_restore.png (302 bytes)
%Program Files%\greeou\skin\Default\control\Button_Checked.png (976 bytes)
%Program Files%\greeou\skin\Default\misc\16_page.png (519 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xblzy_70304.exe (170439 bytes)
%Program Files%\greeou\skin\Default\control\tab_close.png (259 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history2.png (994 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo2.png (840 bytes)
%Program Files%\greeou\skin\Default\control\tab_new_hover.png (346 bytes)
%Program Files%\greeou\profile\SearchEngine\taobao.ico (1 bytes)
%Program Files%\greeou\skin\Default\control\Button_Hover.png (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_new2.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_folder_closed.png (587 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\open.ini (3 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_stop.png (1 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_bg.png (507 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\绿豆浏览器\绿豆浏览器.lnk (678 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bbxknhz_30448.exe (158120 bytes)
%Documents and Settings%\%current user%\Desktop\绿豆浏览器.lnk (666 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_history.png (847 bytes)
%Program Files%\greeou\skin\Default\toolbar\16_undo.png (748 bytes)
%Program Files%\greeou\skin\Default\control\combo.png (260 bytes)
%Program Files%\greeou\profile\SearchEngine\baidu.ico (2 bytes)
%Program Files%\greeou\skin\Default\misc\24_go2.png (648 bytes)
%Program Files%\greeou\skin\Default\control\combo_hover.png (261 bytes)
%Program Files%\greeou\skin\Default\control\tab_close_hover.png (2 bytes)
%Program Files%\greeou\profile\SearchEngine\google.ico (1 bytes)
%Program Files%\greeou\skin\Default\toolbar\24_forward3.png (1 bytes)
%Program Files%\greeou\ico\taobao.ico (2104 bytes)
%Program Files%\greeou\skin\Default\misc\16_open_in_new.png (548 bytes)
%Program Files%\greeou\profile\Template\start\images\logo2.gif (596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\tmpddxyd4.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMReport.dll.bdl (38647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\v.exe.bdl (110457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMNet.dll.bdl (49608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMDownload.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\224b984faf5cf92bdb1ec47086915af6.bdt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg4.tmp (124743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp\hu.dll (3312 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.