Trojan.Win32.Delphi_1031f90b56

by malwarelabrobot on November 25th, 2013 in Malware Descriptions.

Gen:Variant.Graftor.121661 (BitDefender), Trojan-Downloader.Win32.Genome.fmxz (Kaspersky), Gen:Variant.Graftor.121661 (B) (Emsisoft), Win32/DH{QSAjJVdO} (AVG), Trojan.Win32.Delphi.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Worm, EmailWorm, VirTool


This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 1031f90b5664fcc57190458a8a418120
SHA1: e9fbf7c5a99fadcd2c68f4397eb8b3536fd3cae0
SHA256: 84d52b3d321e1e9d9d1310165665be666fcb5c3d39a75648e2a5918be4ec3d92
SSDeep: 192:qE0isr1BEd7ADos0VChdgApI6jW bpYHhUlPKgP1oyLwBDt1yIrAQHsoNR:qE03BBEuDos0VwZjq bpT1lwP1xHs
Size: 24576 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftWindowsShortcutfile, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6, Armadillov171
Company: WinterSoft
Created at: 2013-11-16 11:45:51


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

643b.exe:2884
wan.exe:1580
kaka13_kaka13.exe:1516
%original file name%.exe:1268
02ef.exe:1972
wangame.exe:1280

The Trojan injects its code into the following process(es):

4da3.exe:2720

File activity

The process 4da3.exe:2720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[2].htm (630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\15972107[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[3].htm (315 bytes)
%Documents and Settings%\%current user%\Cookies\5V3VK2OH.txt (241 bytes)
%Documents and Settings%\%current user%\Cookies\AFY1AXXA.txt (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[1].htm (315 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[2].htm (945 bytes)
%WinDir%\Update.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\tj2[1].htm (945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tj2[1].htm (1575 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[3].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\AFY1AXXA.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[2].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\OBT4T7O6.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\tj2[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\15972107[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tj2[1].htm (0 bytes)

The process wan.exe:1580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\drivers\operyuae.sys (102 bytes)

The process kaka13_kaka13.exe:1516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\wangame\skin\toolbar_hover.png (2 bytes)
%Program Files%\wangame\skin\美女主播.png (9 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\玩玩宝盒\玩玩宝盒.lnk (1181 bytes)
%Program Files%\wangame\skin\SubWnd.png (703 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\inetc.dll (20 bytes)
%Program Files%\wangame\webzm.exe (7750 bytes)
%Program Files%\wangame\skin\y.bmp (486 bytes)
%Program Files%\wangame\wan.exe (6700 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\玩玩宝盒\卸载 玩玩宝盒.lnk (499 bytes)
%Program Files%\wangame\ubo.ub (278 bytes)
%Program Files%\wangame\ico.ico (1568 bytes)
%Program Files%\wangame\skin\left.jpg (11 bytes)
%Program Files%\wangame\skin\网页游戏.png (5 bytes)
%Program Files%\wangame\skin\bj.jpg (1 bytes)
%Program Files%\wangame\skin\背景.png (3 bytes)
%Program Files%\wangame\skin\center.jpg (10 bytes)
%Program Files%\wangame\update.exe (6405 bytes)
%Program Files%\wangame\uninst.exe (2718 bytes)
%Documents and Settings%\%current user%\Desktop\玩玩宝盒.lnk (666 bytes)
%Program Files%\wangame\skin\休闲游戏.png (6 bytes)
%Program Files%\wangame\wangame.exe (7662 bytes)
%Program Files%\wangame\skin\line.bmp (1 bytes)
%Program Files%\wangame\Config.ini (24 bytes)
%Program Files%\wangame\skin\line1.bmp (1 bytes)
%Program Files%\wangame\skin\z.bmp (1 bytes)
%Program Files%\wangame\skin\line2.bmp (3 bytes)
%Program Files%\wangame\skin\娱乐八卦.png (7 bytes)
%Program Files%\wangame\skin\right.jpg (7 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Program Files%\wangame\VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\System.dll (0 bytes)

The process %original file name%.exe:1268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4da3.exe (1668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\02ef.exe (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\41ac.exe (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\643b.exe (66 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[1].htm (400 bytes)
%Documents and Settings%\%current user%\Cookies\2UHU3K0P.txt (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\40f8.exe (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\OBT4T7O6.txt (243 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013112420131125\index.dat (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\15972107[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\80326_al.exe (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kaka13_kaka13.exe (3691 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013040820130415\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\2UHU3K0P.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041520130416 (0 bytes)

The process wangame.exe:1280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\54510[1].jpg (5713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54531[1].jpg (4136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\userLevel_v30[1].png (2509 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\mmListIco_v3[1].png (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\87102[1].jpg (7721 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\104036[1].jpg (16749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\83937[1].jpg (15349 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\88243[1].jpg (15033 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\hz_haomm_com[1].htm (16147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\54627[1].jpg (9641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\imageshow[1].swf (2900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\bg[1].jpg (19009 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\51142[1].jpg (24989 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\55017[1].jpg (4688 bytes)
%Program Files%\wangame\ubo.ub (275 bytes)
%Documents and Settings%\%current user%\Cookies\OUZRPSEW.txt (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\83003[1].jpg (23761 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\87927[1].jpg (11264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\jquery.tmpl.min[1].js (635 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\83994[1].jpg (25329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\images[1].xml (642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\jquery.tmplPlus.min[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\82995[1].jpg (2876 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\90356[1].jpg (16864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\setting2[1].txt (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tongji[1].js (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\103140[1].jpg (22789 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\88650[1].jpg (27637 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\86490[1].jpg (9181 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\jquery[1].js (51097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\87604[1].jpg (22249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\86220[1].jpg (24989 bytes)
%Documents and Settings%\%current user%\Cookies\2ZKSJG3I.txt (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54911[1].jpg (6735 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\55037[1].jpg (8442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\rev_sprite[1].gif (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\94877[1].jpg (17149 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54546[1].jpg (10061 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\hmmBox[1].css (2941 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\pixel[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\107038[1].jpg (28141 bytes)

Registry activity

The process 643b.exe:2884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 45 2A EE 97 30 63 CA 15 C4 47 94 52 E2 99 2B"

The process 4da3.exe:2720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 2A 0A 28 94 CF 5B 61 64 6C CC B3 DE 24 2F 15"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"shell" = "Explorer.exe %WinDir%\\Update.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 45 00 00 00 01 00 00 00 00 00 00 00"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iedop.exe" = "%WinDir%\\Update.exe"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wan.exe:1580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 E1 67 72 F4 D6 38 88 C4 A4 45 E3 E8 01 18 97"

The process kaka13_kaka13.exe:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\玩玩宝盒]
"Publisher" = "玩玩宝盒"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\玩玩宝盒]
"DisplayIcon" = "%Program Files%\wangame\wangame.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wangame.exe]
"(Default)" = "%Program Files%\wangame\wangame.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\玩玩宝盒]
"DisplayName" = "玩玩宝盒"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\玩玩宝盒]
"UninstallString" = "%Program Files%\wangame\玩玩宝盒\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\玩玩宝盒]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 30 DA 4E 9A 27 04 3D 77 1F 5E 33 E5 2B B5 05"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wangame" = "%Program Files%\wangame\webzm.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version" = "WS not installed"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013112420131125]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013112420131125"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013112420131125]
"CachePrefix" = ":2013112420131125:"
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013112420131125]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 D1 78 A6 7F CE 4C 0C 86 AE B2 32 EF BD CA A8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013112420131125]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041520130416]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013040820130415]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 02ef.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 C5 37 F0 B3 6E 3B 76 E1 50 A8 B1 9D F5 93 B5"

The process wangame.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 A1 DE B2 6A DA 3A 82 B9 7B 4E 85 DC A2 CC 2E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"VerCache" = "00 0D CA DA A6 B1 C6 01 00 0D CA DA A6 B1 C6 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 43 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1380985189"
"Name" = "wangame.exe"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "wangame.exe"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://js.users.51.la/15972107.js 117.21.191.223
hxxp://icon.ajiang.net/icon_9.gif 125.46.49.200
hxxp://count.9511.com/tongjiGateway.php?id=B0-67-1D-D6-8F-6E&tgid=kaka13&khd=kaka13&ver=4.0 122.226.223.36
hxxp://count.9511.com/tongjiGateway.php?id=00-0C-29-3B-DF-2F&tgid=kaka13&khd=kaka13&ver=4.0
hxxp://ncloud.sfppp.com/down/setup.xml 121.12.123.75
hxxp://count.9511.com/setting2.txt
hxxp://hz.haomm.com/ 61.130.146.103
hxxp://www.rybao.com/myfile/2227921967/Pack/taobaoshua1.jpg 117.21.160.10
hxxp://hz.haomm.com/js/jquery.js
hxxp://www.rybao.com/myfile/2227921967/Pack/779.jpg
hxxp://www.rybao.com/myfile/2227921967/Pack/qqq.jpg
hxxp://163.xdwscache.glb0.lxdns.com/ziMyJqmPVbX4Wce6znYgzw==/6597712980960620449.jpg
hxxp://hz.haomm.com/js/jquery.tmpl.min.js
hxxp://hz.haomm.com/js/jquery.tmplPlus.min.js
hxxp://hz.haomm.com/hmmBox/hmmBox.css
hxxp://hz.haomm.com/images/bg.jpg
hxxp://hz.haomm.com/imageshow.swf
hxxp://count37.51yes.com/sa.htm?id=372356607&refe=&location=test&color=32x&resolution=1024*768&returning=0&language=zh-cn&ua=drivers 61.147.67.212
hxxp://ncloud.sfppp.com/rujia520/setup1.xml
hxxp://taurus.danuoyi.tbcache.com/3296853/tongji.js
hxxp://www.rybao.com/myfile/2227921967/Pack/c03-1.jpg
hxxp://hz.haomm.com/images/rev_sprite.gif
hxxp://hz.haomm.com/xml/images.xml
hxxp://hz.haomm.com/images/mmListIco_v3.png
hxxp://dt.tongji.linezing.com/tongji.do?unit_id=3296853&uv_id=2339120901613402543&uv_new=1&cna=&cg=&mid=&mmland=&ade=&adtm=&sttm=&cpa=&ss_id=1388213249&ss_no=0&ec=1&ref=&url=http://hz.haomm.com/&title=%u597D%u7F8E%u7709%u76D2%u5B50&charset=utf-8&domain=haomm.com&hashval=895&filtered=0&app=Microsoft Internet Explorer&agent=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C; .NET4.0E)&color=32-bit&screen=1176x885&lg=en-us&je=1&fv=6.0&st=1385328088&vc=dda3f635&ut=0&url_id=0&cnu=0.5129425905390432 110.75.80.118
hxxp://hz.haomm.com/images/userLevel_v30.png
hxxp://cc00087.f.cncssr.chinacache.net/imges/pixel.gif
hxxp://haomm.com/img/room/avatar/87604.jpg 121.12.175.254
hxxp://haomm.com/img/room/avatar/104036.jpg
hxxp://23.106.214.24/tj2/
hxxp://haomm.com/img/room/avatar/88243.jpg
hxxp://haomm.com/img/room/avatar/88650.jpg
hxxp://haomm.com/img/room/avatar/54531.jpg
hxxp://haomm.com/img/room/avatar/87927.jpg
hxxp://haomm.com/img/room/avatar/83003.jpg
hxxp://haomm.com/img/room/avatar/94877.jpg
hxxp://haomm.com/img/room/avatar/82995.jpg
hxxp://haomm.com/img/room/avatar/83994.jpg
hxxp://haomm.com/img/room/avatar/55017.jpg
hxxp://haomm.com/img/room/avatar/90356.jpg
hxxp://haomm.com/img/room/avatar/86490.jpg
hxxp://haomm.com/img/room/avatar/54546.jpg
hxxp://a.16cy.cn/a.php 183.61.138.64
hxxp://haomm.com/img/room/avatar/51142.jpg
hxxp://haomm.com/img/room/avatar/55037.jpg
hxxp://haomm.com/img/room/avatar/86220.jpg
hxxp://haomm.com/img/room/avatar/107038.jpg
hxxp://a.16cy.cn/c.php?b=Opera.exe
hxxp://haomm.com/img/room/avatar/103140.jpg
hxxp://haomm.com/img/room/avatar/87102.jpg
hxxp://haomm.com/img/room/avatar/54627.jpg
hxxp://haomm.com/img/room/avatar/83937.jpg
hxxp://haomm.com/img/room/avatar/54510.jpg
hxxp://haomm.com/img/room/avatar/54911.jpg
hxxp://a.16cy.cn/count.php?u=c03_643b&n=CSEKFZGWCFDNGUGHBUEJGEFYCGEMFZGJCS&r=Opera.exe&m=CSEKFZGWCFDNGUGHBUEJGEFYCGEMFZGJCS&a=c03&t=3&v=1
hxxp://www.rybao.com/myfile/2227921967/Pack/80326_al.jpg
hxxp://a.16cy.cn/count.php?u=c03_02ef&n=CDDUFZGECODNGCGEBUDTGXFYCAEHFZGFCT&r=Opera.exe&m=CDDUFZGECODNGCGEBUDTGXFYCAEHFZGFCT&a=c03&t=3&v=1
hxxp://ncloud.sfppp.com/rujia520/cloud1.jpg
hxxp://count37.51yes.com/sa.htm?id=372808883&refe=&location=test&color=32x&resolution=1024*768&returning=0&language=zh-cn&ua=drivers
vr0.6.cn 218.59.215.194
www.haomm.com 121.12.175.254
cloud.rujia520.com 121.12.123.75
www.baidu.com 180.76.3.151
web1.51.la 222.187.223.75
js.tongji.linezing.com 195.27.31.250
img1.ph.126.net 113.107.76.19


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    643b.exe:2884
    wan.exe:1580
    kaka13_kaka13.exe:1516
    %original file name%.exe:1268
    02ef.exe:1972
    wangame.exe:1280

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[2].htm (630 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\15972107[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[3].htm (315 bytes)
    %Documents and Settings%\%current user%\Cookies\5V3VK2OH.txt (241 bytes)
    %Documents and Settings%\%current user%\Cookies\AFY1AXXA.txt (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[1].htm (315 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj2[2].htm (945 bytes)
    %WinDir%\Update.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\tj2[1].htm (945 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tj2[1].htm (1575 bytes)
    %System%\drivers\operyuae.sys (102 bytes)
    %Program Files%\wangame\skin\toolbar_hover.png (2 bytes)
    %Program Files%\wangame\skin\美女主播.png (9 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\玩玩宝盒\玩玩宝盒.lnk (1181 bytes)
    %Program Files%\wangame\skin\SubWnd.png (703 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst2.tmp\inetc.dll (20 bytes)
    %Program Files%\wangame\webzm.exe (7750 bytes)
    %Program Files%\wangame\skin\y.bmp (486 bytes)
    %Program Files%\wangame\wan.exe (6700 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\玩玩宝盒\卸载 玩玩宝盒.lnk (499 bytes)
    %Program Files%\wangame\ubo.ub (278 bytes)
    %Program Files%\wangame\ico.ico (1568 bytes)
    %Program Files%\wangame\skin\left.jpg (11 bytes)
    %Program Files%\wangame\skin\网页游戏.png (5 bytes)
    %Program Files%\wangame\skin\bj.jpg (1 bytes)
    %Program Files%\wangame\skin\背景.png (3 bytes)
    %Program Files%\wangame\skin\center.jpg (10 bytes)
    %Program Files%\wangame\update.exe (6405 bytes)
    %Program Files%\wangame\uninst.exe (2718 bytes)
    %Documents and Settings%\%current user%\Desktop\玩玩宝盒.lnk (666 bytes)
    %Program Files%\wangame\skin\休闲游戏.png (6 bytes)
    %Program Files%\wangame\wangame.exe (7662 bytes)
    %Program Files%\wangame\skin\line.bmp (1 bytes)
    %Program Files%\wangame\Config.ini (24 bytes)
    %Program Files%\wangame\skin\line1.bmp (1 bytes)
    %Program Files%\wangame\skin\z.bmp (1 bytes)
    %Program Files%\wangame\skin\line2.bmp (3 bytes)
    %Program Files%\wangame\skin\娱乐八卦.png (7 bytes)
    %Program Files%\wangame\skin\right.jpg (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\4da3.exe (1668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\02ef.exe (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\41ac.exe (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\643b.exe (66 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tj2[1].htm (400 bytes)
    %Documents and Settings%\%current user%\Cookies\2UHU3K0P.txt (81 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\40f8.exe (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\OBT4T7O6.txt (243 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013112420131125\index.dat (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\15972107[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\icon_9[1].gif (893 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\80326_al.exe (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kaka13_kaka13.exe (3691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\54510[1].jpg (5713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54531[1].jpg (4136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\userLevel_v30[1].png (2509 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\mmListIco_v3[1].png (407 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\87102[1].jpg (7721 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\104036[1].jpg (16749 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\83937[1].jpg (15349 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\88243[1].jpg (15033 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\hz_haomm_com[1].htm (16147 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\54627[1].jpg (9641 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\imageshow[1].swf (2900 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\bg[1].jpg (19009 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\51142[1].jpg (24989 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\55017[1].jpg (4688 bytes)
    %Documents and Settings%\%current user%\Cookies\OUZRPSEW.txt (94 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\83003[1].jpg (23761 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\87927[1].jpg (11264 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\jquery.tmpl.min[1].js (635 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\83994[1].jpg (25329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\images[1].xml (642 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\jquery.tmplPlus.min[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\82995[1].jpg (2876 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\90356[1].jpg (16864 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\setting2[1].txt (275 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\tongji[1].js (7345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\103140[1].jpg (22789 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\88650[1].jpg (27637 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\86490[1].jpg (9181 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\jquery[1].js (51097 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\87604[1].jpg (22249 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\86220[1].jpg (24989 bytes)
    %Documents and Settings%\%current user%\Cookies\2ZKSJG3I.txt (95 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54911[1].jpg (6735 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\55037[1].jpg (8442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\rev_sprite[1].gif (693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\94877[1].jpg (17149 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\54546[1].jpg (10061 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\hmmBox[1].css (2941 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\pixel[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\107038[1].jpg (28141 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "iedop.exe" = "%WinDir%\\Update.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wangame" = "%Program Files%\wangame\webzm.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
