Trojan.NSIS.StartPage_f81415fd56
Trojan.Win32.Badur.ggad (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: f81415fd56098d4d249af83c756bd3c4
SHA1: a9ca0b7fa81de7812d1ddd1c0023f7dec0a67e68
SHA256: 8c030699c02bf0dc9716c68d926dadaa7dd12b5b6f732b21dddbf38bd9df99c6
SSDeep: 3072:4gXdZt9P6D3XJDVwvOOgevMEFcwX46a0hfb7DN4M6BXIEOn5KZjhOZFZ:4e34pivOOgyME86aCfb/N6XIEYUZjhkf
Size: 155001 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
weatherRealTimeService.exe:1512
365weatherIns_61.exe:1988
pihhrpg_30310.exe:2796
weatherPng2Ico.exe:2916
pcWeather365.exe:1044
tianqiUpdate.10:1788
svcpm25svr.exe:3440
mscorsvw.exe:1912
pczh_62.exe:3008
akradl_70254.exe:664
The Trojan injects its code into the following process(es):
pmAqiFunction.exe:3360
setup_qd334.exe:1556
ZhiHui1.9.exe:2612
%original file name%.exe:1268
File activity
The process pmAqiFunction.exe:3360 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\pcWeather365\msweather.dll (673 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\svcpm25svr.exe (673 bytes)
The process 365weatherIns_61.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\newfeather1.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\loading1.bmp (456 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\checkbox1.bmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\ToggleImages.html (1 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨.lnk (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\btn_close.bmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\newfeather3.jpg (784 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\loading2.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\inetc.dll (784 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\checkbox2.bmp (5 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ã¶ÔØ.lnk (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\cnzzonline.html (2 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\btn_complete.bmp (3616 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\btn_next.bmp (3616 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (79841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\bg.bmp (18424 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\newfeather2.jpg (784 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp (0 bytes)
The process pihhrpg_30310.exe:2796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbD.tmp (154630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMReport.dll.bdl (35301 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (733 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\tmppopddp.dll (72992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMNet.dll.bdl (44728 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsvC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
The process weatherPng2Ico.exe:2916 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF4D45.tmp (0 bytes)
The process setup_qd334.exe:1556 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso8.tmp\setup_qd334.gif.partial (37274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso8.tmp\metadl.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj7.tmp (8533 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj6.tmp (0 bytes)
The process pcWeather365.exe:1044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (296 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Program Files%\pcWeather365\weatherData.tmp (371 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Program Files%\pcWeather365\config.ini (8 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
The process tianqiUpdate.10:1788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (67 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pm25Info\pm25Info.db.!mv (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\363[1].ico (145 bytes)
%Program Files%\pcWeather365\skins\common\363.ico.!mv (145 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db.!mv (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\updateInfo[1].xml (608 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pngicoInfo\pngicoInfo.db.!mv (571 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\updateInfo.db.!mv (608 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pmAqiInfo\pmAqiInfo.db.!mv (331 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (1390 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pngicoInfo[1].xml (571 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pmAqiInfo[1].xml (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\weatherInfo[1].xml (584 bytes)
%Program Files%\pcWeather365\config.ini (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pm25Info[1].xml (615 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DFB518.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (0 bytes)
The process ZhiHui1.9.exe:2612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\ZhiHui1420141\set1420141\Setzh1420141.ini (23 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui1420141\min.ini (14 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui1420141\zhibo.html (764 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui1420141\set.ini (7 bytes)
The process mscorsvw.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (1088 bytes)
The process pczh_62.exe:3008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\°®Çé ÖÇ»Û1.9\öÔØ.lnk (689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\skin.bmp (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\°®Çé ÖÇ»Û1.9.lnk (712 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\°®Çé ÖÇ»Û1.9\°®Çé ÖÇ»Û1.9.lnk (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\next.bmp (1856 bytes)
%Program Files%\aqzhui1.8\ZhiHui1.9.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[1].htm (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\qx.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\tj.html (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp (17699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\System.dll (11 bytes)
%Program Files%\aqzhui1.8\uninst.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\KillProcDLL.dll (784 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\skin.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\Inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\Math.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\qx.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\tj.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\next.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\SkinBtn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\KillProcDLL.dll (0 bytes)
The process akradl_70254.exe:664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\lhan.exe.bdl (75750 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMReport.dll.bdl (32966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMNet.dll.bdl (43296 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstA.tmp (125790 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\tmpbhjmp5.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMSkin.dll (36698 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn9.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
The process %original file name%.exe:1268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (102590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_qd334.exe (15994 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe (189865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\akradl_70254.exe (207232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\open.ini (658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\xID.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pczh_62.exe (23090 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (200021 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
Registry activity
The process weatherRealTimeService.exe:1512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE FB 2A 73 00 AD 5C 2B 0A 5D 2E 7C 8D BC E0 2B"
[HKCR\AppID\weatherService.EXE]
"AppID" = "{636DA746-D508-400B-86A0-AE7F3C4008F7}"
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService" = "weatherRealTimeService"
"(Default)" = "weatherService"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService"
The process pmAqiFunction.exe:3360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\pcWeather365]
"svcpm25svr.exe" = "pm2.5实时详情"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 68 7C 1E BC C9 E6 2D D7 19 AE 4E D8 AB 6D B6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 365weatherIns_61.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"UninstallString" = "%Program Files%\pcWeather365\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayIcon" = "%Program Files%\pcWeather365\pcWeather365.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"appdata" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"URLInfoAbout" = "http://114tq.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"quick" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"Publisher" = "365ÆøÃó¹¤×÷ÊÒ"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"(Default)" = "%Program Files%\pcWeather365\pcWeather365.exe"
"desk" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"pcWeather365/weatherRealTimeService.exe" = "weatherRealTimeService"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayName" = "pcWeather365 1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Mac" = "00-0C-29-7C-CD-1F"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 C4 33 AD 4B 77 F9 FE 8F AA 46 CA E5 EA 6E 3E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayVersion" = "1.0.0.1004"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"jieguo" = "mac=00-0C-29-7C-CD-1F&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=84c8b24c6597ce51c54789a9b4632126"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process pihhrpg_30310.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 33 A2 A5 BE 96 FA 84 1E A7 FD E7 E1 FB 30 C6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process weatherPng2Ico.exe:2916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 97 70 08 71 7D 25 39 50 65 5B 5E 6D 34 8E 73"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process setup_qd334.exe:1556 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 38 8F AD 21 68 51 09 DE 65 5E 52 B1 6B 1E 9E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process pcWeather365.exe:1044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\pcWeather365]
"tianqiUpdate.1004.exe" = "气象å‡çº§æ›´æ–°"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\pcWeather365]
"pmAqiFunction.exe" = "空气质é‡(AQI)æ•°æ®ç›‘控"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC D6 D3 11 74 67 AD FD C3 84 39 A5 5F AA E1 B9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tianqiUpdate.10:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\pcWeather365]
"weatherPng2Ico.exe" = "æ°”è±¡å›¾æ ‡è‡ªåŠ¨æ ¡æ£æ¨¡å—"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD C3 31 19 3B 0A F3 E1 0A 2B 2D 7F 0F 2F D8 65"
[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Cache" = "E3 04 00 00 02 00 00 00 A8 03 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ZhiHui1.9.exe:2612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 F0 2D C5 9D 55 26 D3 3A 41 E6 46 FD 27 7B 46"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process svcpm25svr.exe:3440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 98 5E 3A 98 F1 DE CC F0 30 85 3E A4 ED 11 DC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process pczh_62.exe:3008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\°®ÇéÖÇ»Û]
"DisplayName" = "°®Çé ÖÇ»Û1.9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\uuzhverr]
"EXETim" = "1420141"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\°®ÇéÖÇ»Û]
"URLInfoAbout" = "www.aiqingzhihui.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\°®ÇéÖÇ»Û]
"DisplayVersion" = "1.0.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Inzhuii]
"install" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\uuzhverr]
"EXETim2" = "1711"
"EXETim3" = "uniudloxgej"
"EXETim4" = "jkcxov1711"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\°®ÇéÖÇ»Û]
"DisplayIcon" = "%Program Files%\aqzhui1.8\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\uuzhverr]
"EXETim9" = "1420141"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 6C 34 FF 3F 41 A3 A2 2D 31 CD 90 EB AB F9 8A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\°®ÇéÖÇ»Û]
"UninstallString" = "%Program Files%\aqzhui1.8\uninst.exe"
[HKLM\SOFTWARE\uuzhverr]
"EXEName" = "pczh_62.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"ZhiHui"
The process akradl_70254.exe:664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 BB 35 B0 F2 9C D8 4D 73 DB 4A 3F DA A7 DD 8F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\metnsd\clsid]
"SequenceID" = "33 7D CC BE 9B B6 AD 4B 9F F9 5D E7 83 7F 50 E3"
The process %original file name%.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹]
"DisplayVersion" = "1.0.0.2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹]
"DisplayName" = "Â̶¹ 1.0.0.2"
"Publisher" = "a16"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "06 3D A5 0E 02 C9 BC 38 29 B4 80 21 C4 24 0D AE"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://www.xzsky.com/post/ |  122.225.104.211 |
| hxxp://08911.xdwscache.glb0.lxdns.com/qdn/setup_qd334.txt | |
| hxxp://08911.xdwscache.glb0.lxdns.com/qdn/setup_qd334.gif | |
| hxxp://www.xzsky.com/cnzz/weather/weatherPng/cnzz.html | |
| hxxp://tongji.uujzy.com/tongji.html?1.0.1004_id61_md1_os1 | 60.190.171.236 |
| hxxp://js.users.51.la/15909623.js | 222.187.221.28 |
| hxxp://icon.ajiang.net/icon_9.gif | 125.46.49.200 |
| hxxp://www.xzsky.com/cnzz/weather/1.0.0.1004/weatherdata/_61/cnzz.html | |
| hxxp://www.xzsky.com/cnzz/weather/1.0.0.1004/weatherdata/cnzz.html | |
| hxxp://www.xzsky.com/cnzz/weather/1.0.0.1004/weatherdata/weatherInfo.xml | |
| hxxp://int.dpool.sina.com.cn/iplookup | 123.125.29.252 |
| hxxp://pxsw.n.shifen.com/ | |
| weather51la.cnzz.beilequ.com | 122.225.104.211 |
| weather51la.cnzz.alivcd.com | 122.225.104.211 |
| web2.51.la | 117.21.224.8 |
| p.x.baidu.com | 123.125.65.152 |
| down.guangsu.cn | 116.10.190.62 |
| down.andlu.org | 222.186.60.2 |
| weather.uujzy.com | 122.225.203.94 |
| cfg.download.iyuntian.com | Unresolvable |
| rc.download.iyuntian.com | Unresolvable |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
weatherRealTimeService.exe:1512
365weatherIns_61.exe:1988
pihhrpg_30310.exe:2796
weatherPng2Ico.exe:2916
pcWeather365.exe:1044
tianqiUpdate.10:1788
svcpm25svr.exe:3440
mscorsvw.exe:1912
pczh_62.exe:3008
akradl_70254.exe:664 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\pcWeather365\msweather.dll (673 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\svcpm25svr.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\newfeather1.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\loading1.bmp (456 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\aztongji_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\checkbox1.bmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\ToggleImages.html (1 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨.lnk (836 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\nsDialogs.dll (9 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\btn_close.bmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\newfeather3.jpg (784 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\loading2.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\inetc.dll (784 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\checkbox2.bmp (5 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\×ÀÃæÌìÆøÔ¤±¨Ã¶ÔØ.lnk (804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\cnzzonline.html (2 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\btn_complete.bmp (3616 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\btn_next.bmp (3616 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (79841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\bg.bmp (18424 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp\newfeather2.jpg (784 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbD.tmp (154630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMReport.dll.bdl (35301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\tmppopddp.dll (72992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqE.tmp\BDMNet.dll.bdl (44728 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso8.tmp\setup_qd334.gif.partial (37274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso8.tmp\metadl.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj7.tmp (8533 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Program Files%\pcWeather365\weatherData.tmp (371 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pm25Info\pm25Info.db.!mv (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\363[1].ico (145 bytes)
%Program Files%\pcWeather365\skins\common\363.ico.!mv (145 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db.!mv (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\updateInfo[1].xml (608 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pngicoInfo\pngicoInfo.db.!mv (571 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\updateInfo.db.!mv (608 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\pmAqiInfo\pmAqiInfo.db.!mv (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pngicoInfo[1].xml (571 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\pmAqiInfo[1].xml (331 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\weatherInfo[1].xml (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\pm25Info[1].xml (615 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui1420141\set1420141\Setzh1420141.ini (23 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui1420141\min.ini (14 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui1420141\zhibo.html (764 bytes)
%Documents and Settings%\%current user%\Application Data\ZhiHui1420141\set.ini (7 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (1088 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\°®Çé ÖÇ»Û1.9\öÔØ.lnk (689 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\skin.bmp (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\°®Çé ÖÇ»Û1.9.lnk (712 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\°®Çé ÖÇ»Û1.9\°®Çé ÖÇ»Û1.9.lnk (706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\next.bmp (1856 bytes)
%Program Files%\aqzhui1.8\ZhiHui1.9.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\tj[1].htm (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\qx.bmp (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\tj.html (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr10.tmp (17699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\System.dll (11 bytes)
%Program Files%\aqzhui1.8\uninst.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm11.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\lhan.exe.bdl (75750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMReport.dll.bdl (32966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMNet.dll.bdl (43296 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstA.tmp (125790 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\tmpbhjmp5.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (102590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_qd334.exe (15994 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe (189865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\akradl_70254.exe (207232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\open.ini (658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\xID.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pczh_62.exe (23090 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg2.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (200021 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
