Trojan.Win32.Farfli_1299cdab2f
Trojan.Win32.Jorik.Nbdd.pfu (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Win32.Jorik!IK (Emsisoft), Trojan.Win32.Farfli.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 1299cdab2fe3894ffe774d23bb0d3a01
SHA1: 501a1fd063ea40012ba80a186bf34c27f8b6fcdf
SHA256: 9b8227c178d65935b7996d226dd17a45da5f047a9d26694c446e34fa54c836cf
SSDeep: 384:c85ujj jr85eEVPBytTlN1M YCus FRsPMFRsPVk:ctjyjw5eEVPstTlzM Yns IPMIPVk
Size: 28672 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6, Armadillov171
Company: no certificate found
Created at: 2012-11-26 09:21:45
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
ping.exe:2088
FrorqfnXwk.EXE:1604
FrorqfnXwk.EXE:956
TXSSOSetup[1].exe:3628
IinhxiwXhl.EXE:1772
1299cdab2fe3894ffe774d23bb0d3a01.exe:224
npygteto.src:1276
schovt.exe:1204
rundll32.exe:972
setup_2951-4090.exe:1328
skyzxkb.exe:524
taskkill.exe:1980
uuu.exe:1708
verclsid.exe:4020
verclsid.exe:3960
verclsid.exe:3864
InstTXSSO.exe:3804
9026.exe:1608
9902.exe:1008
GbgthwdZhs.EXE:1976
regsvr32.exe:2172
regsvr32.exe:1204
regsvr32.exe:4064
KhtcbheVeb.EXE:540
HrtcwrmPge.EXE:496
File activity
The process FrorqfnXwk.EXE:1604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Help\windowsz32.txt (80 bytes)
%WinDir%\zoues\svchost.exe (897 bytes)
The process TXSSOSetup[1].exe:3628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\TXSSO\TXSSO\I18N\SSOConfig.xml (394 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\SSOStringBundle.xml (3 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin (4 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOCommon.dll (42222 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOPlatform.dll (36698 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\npSSOAxCtrlForPTLogin.dll (7192 bytes)
%WinDir%\Temp\nsg8.tmp (81053 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\PGFStringBundle.xml (6 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOLUIControl.dll (16944 bytes)
%WinDir%\Temp\TXSSO\InstTXSSO.exe (3312 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\TXSSO\TXSSO (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\SSOConfig.xml (0 bytes)
%WinDir%\Temp\TXSSO (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOCommon.dll (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052 (0 bytes)
%WinDir%\Temp\nsq7.tmp (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOPlatform.dll (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\npSSOAxCtrlForPTLogin.dll (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\SSOStringBundle.xml (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\PGFStringBundle.xml (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOLUIControl.dll (0 bytes)
%WinDir%\Temp\TXSSO\InstTXSSO.exe (0 bytes)
The process 1299cdab2fe3894ffe774d23bb0d3a01.exe:224 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bc.ini (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BindPlugIn[1].ini (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\uuu[1].exe (13570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc\uuu.exe (7772 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bc (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc\uuu.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BindPlugIn[1].ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\uuu[1].exe (0 bytes)
The process npygteto.src:1276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\534607C4.tmp (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\stinst.log (928 bytes)
The process schovt.exe:1204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\o.ini (45 bytes)
%System%\dllone.txt (98 bytes)
\Device\Harddisk0\DR0 (4559 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\tp_6.tmp (0 bytes)
The process skyzxkb.exe:524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\FrorqfnXwk.EXE (5500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\IinhxiwXhl.EXE (79612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\1[1].exe (443649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\4[1].exe (79068 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\GbgthwdZhs.EXE (18796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\HrtcwrmPge.EXE (444304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\5[1].exe (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\list2[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\2[1].exe (18340 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\KhtcbheVeb.EXE (8284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\t[1].exe (4708 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\count[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\baidu[1].htm (0 bytes)
The process uuu.exe:1708 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\skyzxkb.exe (62 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RecordPath (260 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RCX1.tmp (106862 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\skyzxkb.exe (0 bytes)
The process InstTXSSO.exe:3804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\Tencent\TXSSO\I18N\2052\PGFStringBundle.xml (6 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOLUIControl.dll (3073 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOCommon.dll (9605 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\SSOConfig.xml (394 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\2052\SSOStringBundle.xml (3 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOCommon.dll (9605 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\npSSOAxCtrlForPTLogin.dll (1281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\2052\PGFStringBundle.xml (6 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOPlatform.dll (8281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll (3073 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\2052\SSOStringBundle.xml (3 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll (8281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll (1281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\SSOConfig.xml (394 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\TXSSO\SetupLogs\setuplog.log (2026 bytes)
The process 9026.exe:1608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\TXSSOSetup[1].exe (139392 bytes)
The process 9902.exe:1008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\man4.bat (171 bytes)
%WinDir%\Fonts\com15.ttf (28 bytes)
%System%\services.exe.rzxcp (601 bytes)
%System%\dllcache\services.exe (1137 bytes)
The Trojan deletes the following file(s):
%System%\services.exe.bzxck (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\man4.tmp (0 bytes)
The process GbgthwdZhs.EXE:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (198 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gWzXbSlJTZ[1].css (2112 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (145 bytes)
%System%\system.ini (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\hao123[1].htm (7139 bytes)
The process regsvr32.exe:1204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Tencent\Logs\regsvr32.tlg (0 bytes)
The process regsvr32.exe:4064 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Tencent\Logs\regsvr32.tlg (0 bytes)
The process KhtcbheVeb.EXE:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\al.ini (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\count[1].htm (434 bytes)
%System%\PulgFile.log (50 bytes)
%System%\PulgConfig.log (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\count1[1].htm (195 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\count[1].htm (0 bytes)
%System%\PulgConfig.log (0 bytes)
The process HrtcwrmPge.EXE:496 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\setup_2951-4090.exe (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9902.exe (47 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ope2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ope3.tmp (0 bytes)
Registry activity
The process ping.exe:2088 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B B7 D1 35 92 74 EE AA 12 68 C1 26 98 8C 35 82"
The process FrorqfnXwk.EXE:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 10 B2 DB 2A 14 44 0C E8 E8 69 8A 1A 33 55 79"
The process FrorqfnXwk.EXE:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 51 69 5A 2B 5C DF 8C 69 78 8D 8A 68 34 C2 4D"
The process TXSSOSetup[1].exe:3628 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 13 09 F9 91 D2 3C D0 A7 DF 03 4E D9 2D 91 BA"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The process IinhxiwXhl.EXE:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 3D FD 05 B4 DC A2 00 18 49 48 26 4D 5B 2C 02"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDPI]
"FontSize" = "20121222"
The process 1299cdab2fe3894ffe774d23bb0d3a01.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E CB 31 FE 38 8D 9C C0 13 DC 32 5D 61 E4 D0 CC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process npygteto.src:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0010409]
"Layout Text" = "52D0637C"
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0010409]
"Layout File" = "KBDUS.DLL"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0010409]
The process schovt.exe:1204 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 09 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 84 BE 3F E5 7D 59 63 7B 7F E8 BE CA 59 4B 3C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in the system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
The process rundll32.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 34 9C E5 7A 8A E9 DE 49 6F 54 B2 39 BC 31 BB"
The process setup_2951-4090.exe:1328 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 82 9B A4 93 3A 21 99 5D 02 20 E4 C6 C1 49 B1"
The process skyzxkb.exe:524 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Application Data\DownloadSave\skyzxkb.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 95 A9 B8 E6 E1 19 7C 00 48 09 BB A8 04 10 07"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web-nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web-nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in the system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process taskkill.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 54 10 7E 25 4F FB AD D1 AB BC 84 70 4C 57 75"
The process uuu.exe:1708 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 14 FF 4B 9B D5 54 5E 44 0E 4A 60 F5 A6 7A EB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process verclsid.exe:4020 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 0D D4 D4 13 47 3B 0D DC EE 1C 55 D2 CE 10 9B"
The process verclsid.exe:3960 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 1A DA 4E 71 9E 81 1A D2 94 AB D5 C4 6A D8 56"
The process verclsid.exe:3864 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 D3 8B 7E 1B 23 0C 7A 35 F9 87 5E F0 F1 8B D6"
The process InstTXSSO.exe:3804 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 38 0A FC 4D 42 AB 76 5E 97 C1 86 48 94 D2 E4"
[HKLM\SOFTWARE\Tencent\TXSSO]
"Version" = "1.2.1.77"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{67EA19A0-CCEF-11D0-8024-00C04FD75D13} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 7C 6C 9C 7C 04 C1 4C 8B F7 A9 CE 01"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{ECF03A33-103D-11D2-854D-006008059367} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 E6 6F DD 77 FC 3E 4E 8C F7 A9 CE 01"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 E6 6F DD 77 6C 77 87 8C F7 A9 CE 01"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The process 9026.exe:1608 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 A3 8F 8A F1 1D 99 8D 42 AE 56 EC 81 79 E5 2F"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and that are not mapped to any zone to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
The process 9902.exe:1008 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 A7 AB E0 91 E4 28 F4 98 72 C3 10 0E 45 08 23"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%System%\services.exe.bzxck,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
The process GbgthwdZhs.EXE:1976 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Application Data\DownloadSave\GbgthwdZhs.EXE,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%Documents and Settings%\All Users\Application Data\DownloadSave\GbgthwdZhs.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 3E E9 92 F7 F6 7F 23 54 B0 E8 7C DD 88 E9 C1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and that are not mapped to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process regsvr32.exe:2172 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}]
"(Default)" = "ISSOForPTLogin3"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin2\CurVer]
"(Default)" = "SSOAxCtrlForPTLogin.SSOForPTLogin.2"
[HKCR\AppID\SSOAxCtrlForPTLogin.DLL]
"AppID" = "{A956F47E-83F6-4F72-92EE-679C8687CD19}"
[HKCR\AppID\{A956F47E-83F6-4F72-92EE-679C8687CD19}]
"(Default)" = "SSOAxCtrlForPTLogin"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin.2\CLSID]
"(Default)" = "{EAAED308-7322-4b9b-965E-171933ADD473}"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\VersionIndependentProgID]
"(Default)" = "SSOAxCtrlForPTLogin.SSOForPTLogin2"
[HKCR\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\npSSOAxCtrlForPTLogin.dll"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin.2]
"(Default)" = "SSOForPTLogin2 Class"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"Version" = "1.0.0.1"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}]
"(Default)" = "_ISSOForPTLoginEvents"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\ProgID]
"(Default)" = "SSOAxCtrlForPTLogin.SSOForPTLogin.2"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"Path" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\npSSOAxCtrlForPTLogin.dll"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}]
"AppID" = "{A956F47E-83F6-4F72-92EE-679C8687CD19}"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}]
"(Default)" = "ISSOForPTLogin2"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\HELPDIR]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 68 B6 71 D0 B9 74 7C 84 47 19 09 04 5E 6A A5"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin2]
"(Default)" = "SSOForPTLogin2 Class"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"Version" = "2.0"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin2\CLSID]
"(Default)" = "{EAAED308-7322-4b9b-965E-171933ADD473}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\TypeLib]
"(Default)" = "{29A32150-EA24-42c2-882E-879152560C1E}"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"ProductName" = "Tencent SSO Platform"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"Vendor" = "Tencent"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\npSSOAxCtrlForPTLogin.dll"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"Version" = "2.0"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"Description" = "QQ QuickLogin Helper"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0]
"(Default)" = "SSOAxCtrlForPTLogin 2.0 Type Library"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}]
"(Default)" = "SSOForPTLogin2 Class"
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The process regsvr32.exe:1204 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}]
"(Default)" = "ITXSSOConfig"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ProgID]
"(Default)" = "SSOLUIControl.SSOLUICtrl.1"
[HKCR\SSOLUIControl.SSOLUICtrl.1\CLSID]
"(Default)" = "{83335675-FCF0-45CE-A9E6-38C150EFBE63}"
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\SSOLUIControl.dll"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}]
"(Default)" = "_ISSOLUICtrlEvents"
[HKCR\SSOLUIControl.SSOLUICtrl.1]
"(Default)" = "SSOLUICtrl Class"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\VersionIndependentProgID]
"(Default)" = "SSOLUIControl.SSOLUICtrl"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\SSOLUIControl.dll"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\SSOLUIControl.SSOLUICtrl\CLSID]
"(Default)" = "{83335675-FCF0-45CE-A9E6-38C150EFBE63}"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0]
"(Default)" = "SSOLUIControl 1.0 Type Library"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\SSOLUIControl.SSOLUICtrl\CurVer]
"(Default)" = "SSOLUIControl.SSOLUICtrl.1"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}]
"(Default)" = "ISSOLUICtrl"
[HKCR\SSOLUIControl.SSOLUICtrl]
"(Default)" = "SSOLUICtrl Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 4E E6 C6 C7 14 11 50 50 6E 65 0E 33 0C 4B BD"
[HKCR\AppID\{611AC3D9-E60C-4138-83AE-9B1C8D4082BF}]
"(Default)" = "SSOLUIControl"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}]
"(Default)" = "SSOLUICtrl Class"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus]
"(Default)" = "0"
[HKCR\AppID\SSOLUIControl.DLL]
"AppID" = "{611AC3D9-E60C-4138-83AE-9B1C8D4082BF}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}]
"AppID" = "{611AC3D9-E60C-4138-83AE-9B1C8D4082BF}"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ToolboxBitmap32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\SSOLUIControl.dll, 102"
The process regsvr32.exe:4064 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}]
"(Default)" = "ITXSSOEnumData"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}]
"(Default)" = "ITXSSOBuffer"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}]
"(Default)" = "ITXSSOArray"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{4C2BAEAE-B4D1-4b29-8BB5-9455F06BB871}]
"(Default)" = "SSOCommonDllBuild"
[HKCR\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0]
"(Default)" = "TXSSO Common 1.0 Type Library"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"Version" = "1.0"
[HKCR\AppID\SSOCommonDllBuild.DLL]
"AppID" = "{4C2BAEAE-B4D1-4b29-8BB5-9455F06BB871}"
[HKCR\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}]
"(Default)" = "ITXSSOArrayRead"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}]
"(Default)" = "ITXSSODataRead"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\SSOCommon.dll"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 D1 3F 3C 17 88 70 40 88 FF 62 68 F7 ED A7 56"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}]
"(Default)" = "ITXSSOData"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The process KhtcbheVeb.EXE:540 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}]
"(Default)" = "Search Results Folder"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\IE]
"(Default)" = "¿ì½Ã·½Ê½"
[HKCR\JE]
"(Default)" = "¿ì½Ã·½Ê½"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
[HKCR\JE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\360se_PC_]
"D" = "487"
[HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\.IE]
"(Default)" = "IE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
"(Default)" = "Recycle Bin"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\IE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}]
"Removal Message" = "@mydocs.dll,-900"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}.default" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 02 16 87 D0 45 73 3D C8 8B B2 A7 EB C9 00 9D"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}.default" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage]
"(Default)" = "´ò¿ªÖ÷Ò³(&O)"
[HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\360se_PC_]
"Y" = "4163"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "2"
[HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command]
"(Default)" = "Explorer.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\.JE]
"(Default)" = "JE"
[HKCU\Software\360se_PC_]
"M" = "421"
[HKCR\IE\DefaultIcon]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\\tbhdz.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "2"
The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and that are not mapped to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"360safeman" = "%System%\Vanlid.exe"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder]
[HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
[HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command]
[HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon]
[HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag]
"InitString"
The process HrtcwrmPge.EXE:496 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 78 7B E8 51 AD DC 91 D9 DB 8D E7 6E 73 48 05"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"9902.exe" = "2345"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"setup_2951-4090.exe" = "音ä¹FM安装程åº"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and that are not mapped to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://222.187.222.227/down/2.exe | |
| hxxp://222.187.222.227/down/4.exe | |
| hxxp://222.187.222.227/down/5.exe | |
| hxxp://222.187.222.227/down/t.exe | |
| hxxp://222.187.222.227/count.asp?mac=00-0C-29-EC-7F-C5&ver=6-27&makedate=53C766C3DC8BE56DECD3D692BE45DB18&userID=uuu&ComPut=XP1&Key=FA3FCB570D0598BCEADAA1CEC224114B | |
| hxxp://o.lijnl.com/tj/tongji/Count.asp?ver=9902&Mac=00-0c-29-ec-7f-c5&ProcessNum=30 | |
| hxxp://vip.jjlzc.com/vip/count.asp?mac=00-0C-29-EC-7F-C5&ver=13.1&TG=10001&CP=1&Key=38575&JC=0&YP=a8a67a25 | |
| hxxp://member.tiancity.com/Handler/NewCommonRegChkHandler.ashx?userid=kumsr&randcode= | |
| hxxp://pay.9you.com/funpay/index.php | |
| hxxp://member.tiancity.com/Handler/NewCommonRegChkHandler.ashx?userid=236260440&randcode= | |
| hxxp://dl_dir3.tcdn.qq.com/minigamefile/TXSSOSetup.exe (Malicious) | |
| hxxp://member.tiancity.com/Handler/NewCommonRegChkHandler.ashx?userid=804336776&randcode= | |
| hxxp://member.tiancity.com/Handler/NewCommonRegChkHandler.ashx?userid=ai33answer&randcode= | |
| pu.5pug.com | |
| myxd.coupeso.com | |
| dl_dir3.qq.com | |
| kz.kz5n.com | |
| tj.coupeso.com | |
| login.passport.9you.com | |
| www.jlnle.com | |
| www.asp0202.com | |
| it.safe7788.com | |
| passport.tiancity.com | |
| www.intlj.com | |
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwLoadDriver
ZwReadFile
ZwSetSystemInformation
ZwSetValueKey
The Trojan intercepts DriverStartIO in the miniport driver of the hard-drive controller (ATAPI) in order to handle requests to its own files:
DriverStartIo
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ping.exe:2088
FrorqfnXwk.EXE:1604
FrorqfnXwk.EXE:956
TXSSOSetup[1].exe:3628
IinhxiwXhl.EXE:1772
1299cdab2fe3894ffe774d23bb0d3a01.exe:224
npygteto.src:1276
schovt.exe:1204
rundll32.exe:972
setup_2951-4090.exe:1328
skyzxkb.exe:524
taskkill.exe:1980
uuu.exe:1708
verclsid.exe:4020
verclsid.exe:3960
verclsid.exe:3864
InstTXSSO.exe:3804
9026.exe:1608
9902.exe:1008
GbgthwdZhs.EXE:1976
regsvr32.exe:2172
regsvr32.exe:1204
regsvr32.exe:4064
KhtcbheVeb.EXE:540
HrtcwrmPge.EXE:496
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Help\windowsz32.txt (80 bytes)
%WinDir%\zoues\svchost.exe (897 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\SSOConfig.xml (394 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\SSOStringBundle.xml (3 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin (4 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOCommon.dll (42222 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOPlatform.dll (36698 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\npSSOAxCtrlForPTLogin.dll (7192 bytes)
%WinDir%\Temp\nsg8.tmp (81053 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\PGFStringBundle.xml (6 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOLUIControl.dll (16944 bytes)
%WinDir%\Temp\TXSSO\InstTXSSO.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc.ini (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BindPlugIn[1].ini (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\uuu[1].exe (13570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc\uuu.exe (7772 bytes)
%System%\534607C4.tmp (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\stinst.log (928 bytes)
%WinDir%\o.ini (45 bytes)
%System%\dllone.txt (98 bytes)
\Device\Harddisk0\DR0 (4559 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\FrorqfnXwk.EXE (5500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\IinhxiwXhl.EXE (79612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\1[1].exe (443649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\4[1].exe (79068 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\GbgthwdZhs.EXE (18796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\HrtcwrmPge.EXE (444304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\5[1].exe (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\list2[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\2[1].exe (18340 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\KhtcbheVeb.EXE (8284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\t[1].exe (4708 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\skyzxkb.exe (62 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RecordPath (260 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RCX1.tmp (106862 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\2052\PGFStringBundle.xml (6 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOLUIControl.dll (3073 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOCommon.dll (9605 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\SSOConfig.xml (394 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\2052\SSOStringBundle.xml (3 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOCommon.dll (9605 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\npSSOAxCtrlForPTLogin.dll (1281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\2052\PGFStringBundle.xml (6 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOPlatform.dll (8281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll (3073 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\2052\SSOStringBundle.xml (3 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll (8281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll (1281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\SSOConfig.xml (394 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\TXSSO\SetupLogs\setuplog.log (2026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\TXSSOSetup[1].exe (139392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\man4.bat (171 bytes)
%WinDir%\Fonts\com15.ttf (28 bytes)
%System%\services.exe.rzxcp (601 bytes)
%System%\dllcache\services.exe (1137 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (198 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gWzXbSlJTZ[1].css (2112 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (145 bytes)
%System%\system.ini (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\hao123[1].htm (7139 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\Logs\regsvr32.tlg (0 bytes)
%System%\al.ini (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\count[1].htm (434 bytes)
%System%\PulgFile.log (50 bytes)
%System%\PulgConfig.log (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\count1[1].htm (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_2951-4090.exe (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9902.exe (47 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"360safeman" = "%System%\Vanlid.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.