Trojan.Win32.FlyStudio_85bb67b4c7
HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!SB.0 (VIPRE), Trojan.Win32.Hider!IK (Emsisoft), Backdoor.Win32.Farfli.FD, Installer.Win32.InnoSetup.2.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Backdoor, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 85bb67b4c761bd0622df20a6452d9fab
SHA1: f7f28afcf66d3baa11af6f15c9e57849bf840842
SHA256: 4cfa2e5a3eb189a363fd486dfae97780eb864c6392c3d74b3b96ecf13ceb5dd6
SSDeep: 98304:c1BcXBBTyoxepTn5k/9YwIc I38 ojhd7O2QynrJmzwYD7ldSn:xwT5k/9h uY/7WcgddSn
Size: 4694016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: no certificate found
Created at: 2013-11-02 13:48:15
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Ghost3.exe:304
tcp32.exe:588
3.exe:196
statistics.exe:576
zhainan.exe:452
BeeWeather.exe:1284
BeeWeather.exe:1648
BeeWeather.exe:588
BeeWeather.exe:128
BeeWeather.exe:296
BeeWeather.exe:224
BeeWeather.exe:1368
%original file name%.exe:1148
Х¬ДРУ°Тф_91_5869_.exe:512
Х¬ДРУ°Тф_91_5869_.tmp:1516
kbsetup_dubo_65606.exe:1592
File activity
The process Ghost3.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\kbsetup_dubo_65606.exe (2719557 bytes)
The process tcp32.exe:588 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\2228500.dll (134656 bytes)
C:\NT_Path.jpg (27 bytes)
The process 3.exe:196 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\weigei.exe (18944 bytes)
The process statistics.exe:576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\TianXingTV\config.dat (1726 bytes)
The process zhainan.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Х¬ДРУ°Тф_91_5869_.exe (2265336 bytes)
The process %original file name%.exe:1148 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\3.exe (18944 bytes)
C:\Ghost3.exe (3817472 bytes)
C:\zhainan.exe (3358720 bytes)
%System%\drivers\etc\hosts (311 bytes)
C:\tcp32.exe (141824 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013110920131110\index.dat (32768 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041220130413 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041220130413\index.dat (0 bytes)
The process Х¬ДРУ°Тф_91_5869_.exe:512 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (1298712 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (0 bytes)
The process Х¬ДРУ°Тф_91_5869_.tmp:1516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\BeeWeather13110900\Images\small\is-7U17S.tmp (7262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\UpdateIcon.dll (33280 bytes)
%Program Files%\BeeWeather13110900\unins000.dat (37183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_iscrypt.dll (2560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\WaterLib.dll (492032 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\BeeWeather.lnk (678 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\4472ѕшЙ«µзУ°Ðш.url (45 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\BeeWeather ÐшХѕ.url (47 bytes)
%Program Files%\BeeWeather13110900\is-NH8BO.tmp (559896 bytes)
%Documents and Settings%\%current user%\Application Data (8192 bytes)
%Program Files%\BeeWeather13110900\is-BJVLD.tmp (766468 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\ЕдЦГ\Р¶ФШ BeeWeather.lnk (674 bytes)
%Documents and Settings%\%current user%\Application Data\Sogou.ico (38022 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (774424 bytes)
%Documents and Settings%\All Users\Рабочий стол\BeeWeather.lnk (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_RegDLL.tmp (4096 bytes)
%Documents and Settings%\%current user%\Application Data\ѕшЙ«µзУ°.ico (38022 bytes)
%Documents and Settings%\%current user%\Рабочий стол\ѕшЙ«µзУ°.lnk (1102 bytes)
%Program Files%\BeeWeather13110900 (4096 bytes)
%Program Files%\BeeWeather13110900\Images\future\is-4NALB.tmp (6027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\License.txt (2543 bytes)
%Program Files%\BeeWeather13110900\Images\large\is-TQFUS.tmp (18745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\Unis.ico (18718 bytes)
%Program Files%\BeeWeather13110900\is-8M6BF.tmp (559896 bytes)
%Program Files%\BeeWeather13110900\unins000.msg (6975 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\RCX86.tmp (851039 bytes)
%Program Files%\BeeWeather13110900\is-AIOC8.tmp (492032 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Internet Sogou.lnk (1072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_shfoldr.dll (23312 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\Unis.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_RegDLL.tmp (0 bytes)
%Program Files%\BeeWeather13110900\BeeWeather.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_iscrypt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\UpdateIcon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\License.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\WaterLib.dll (0 bytes)
The process kbsetup_dubo_65606.exe:1592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\TianXingTV\Skin\default\normal_btn.PNG (939 bytes)
%Program Files%\TianXingTV\Skin\default\DownLoadWnd.png (4917 bytes)
%Program Files%\TianXingTV\Data\SystemSetting.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\yt.bmp (206680 bytes)
%Program Files%\TianXingTV\Skin\default\BT_CLOSE1 (2).PNG (2825 bytes)
%Program Files%\TianXingTV\Skin\default\150.bmp (8486 bytes)
%Program Files%\TianXingTV\tb.ico (84030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NsDialogs.dll (9728 bytes)
%Program Files%\TianXingTV\Skin\default\BT4.png (15646 bytes)
%Program Files%\TianXingTV\TXPlayer.exe (282624 bytes)
%Program Files%\TianXingTV\TXPlayData.dll (135168 bytes)
%Program Files%\TianXingTV\Skin\default\big_tip_logo.png (63869 bytes)
%Program Files%\TianXingTV\Skin\default\page_forward_btn.png (1978 bytes)
%Program Files%\TianXingTV\Skin\default\BT8.png (15475 bytes)
%Program Files%\TianXingTV\Skin\default\progress.png (3332 bytes)
%Program Files%\TianXingTV\krnln.fnr (1138688 bytes)
%Program Files%\TianXingTV\Skin\default\hmin.png (3035 bytes)
%Program Files%\TianXingTV\Skin\default\SettingWnd2.png (3320 bytes)
%Program Files%\TianXingTV\Unins.exe (149840 bytes)
%Program Files%\TianXingTV\Skin\default\subwnd_close_btn.PNG (2255 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MIN1.png (3620 bytes)
%Documents and Settings%\%current user%\Мои документы\dh.ico (82151 bytes)
%Program Files%\TianXingTV\eAPI.fne (344064 bytes)
%Program Files%\TianXingTV\Skin\default\box_logo.png (14365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NSISdl.dll (14848 bytes)
%Program Files%\TianXingTV\Skin\default\BT3.png (15428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc84.tmp (5586052 bytes)
%Program Files%\TianXingTV\Skin\default\down_finish.png (3114 bytes)
%Program Files%\TianXingTV\Skin\default\white_bkg.png (116 bytes)
%Program Files%\TianXingTV\kb.ini (707 bytes)
%Program Files%\TianXingTV\Skin\default\Setup.png (3480 bytes)
%Documents and Settings%\%current user%\Рабочий стол\МФ±¦ИИВф.lnk (1260 bytes)
%Program Files%\TianXingTV\Skin\default\system.button.menu.png (3807 bytes)
%Program Files%\TianXingTV\Skin\default\player_mode_btn.PNG (902 bytes)
%Program Files%\TianXingTV\Skin\default\Exit.png (3382 bytes)
%Program Files%\TianXingTV\Skin\default\down_recycle.png (3170 bytes)
%Program Files%\TianXingTV\config.dat (585 bytes)
%Program Files%\TianXingTV\Skin\default\BT7.png (14173 bytes)
%Program Files%\TianXingTV\Skin\default\BT6.png (14566 bytes)
%Documents and Settings%\%current user%\Главное меню\Программы\МмРРУ°Тф\Р¶ФШМмРРУ°Тф.lnk (515 bytes)
%Program Files%\TianXingTV\Skin\default\SettingWnd.png (1374 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\blk.bmp (570864 bytes)
%Program Files%\TianXingTV\Skin\default\shortcut_btn.PNG (2442 bytes)
%Program Files%\TianXingTV\Skin\default\BT1.png (15041 bytes)
%Program Files%\TianXingTV\Skin\default\mainwndbkg.png (50704 bytes)
%Program Files%\TianXingTV\Skin\default\BT2.png (13456 bytes)
%Program Files%\TianXingTV\TianXingTV.exe (282624 bytes)
%Program Files%\TianXingTV\Skin\default\SettingWnd1.png (4253 bytes)
%Program Files%\TianXingTV\Skin\default\down_manager_btn.png (1471 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Hao123.lnk (1144 bytes)
%Program Files%\TianXingTV\com.run (282624 bytes)
%Program Files%\TianXingTV\Skin\default\download_category1.PNG (2991 bytes)
%Program Files%\TianXingTV\Skin\default\bottom.png (2984 bytes)
%Program Files%\TianXingTV\Skin\default\folder.png (3569 bytes)
%Program Files%\TianXingTV\Skin\default\BT0.png (13527 bytes)
%Program Files%\TianXingTV\Skin\default\download_category.PNG (3082 bytes)
%Program Files%\TianXingTV\Skin\default\MENU.png (3492 bytes)
%Program Files%\TianXingTV\shell.fne (77824 bytes)
%Program Files%\TianXingTV\Skin\default\edit.png (3040 bytes)
%Program Files%\TianXingTV\Skin\default\BT_CLOSE.png (4418 bytes)
%Program Files%\TianXingTV\Skin\default\BT5.png (13619 bytes)
%Program Files%\TianXingTV\Skin\default\topshow_btn.PNG (2603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\modern-wizard.bmp (206680 bytes)
%Program Files%\TianXingTV\Skin\default\record_btn.PNG (5905 bytes)
%Program Files%\TianXingTV\Skin\default\arrow.png (2954 bytes)
%Program Files%\TianXingTV\dp1.fne (147456 bytes)
%Program Files%\TianXingTV\Skin\default\playClose.png (3160 bytes)
%Program Files%\TianXingTV\Skin\default\Down.png (2952 bytes)
%Program Files%\TianXingTV\Skin\default\Setting_Browse_Btn.png (1032 bytes)
%Program Files%\TianXingTV\Skin\default\toolbar_item.png (7349 bytes)
%Program Files%\TianXingTV\statistics.exe (48128 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MIN.PNG (2128 bytes)
%Documents and Settings%\%current user%\Главное меню\Программы\МмРРУ°Тф\МмРРУ°Тф.lnk (622 bytes)
%Program Files%\TianXingTV\Skin\default\page_back_btn.png (1942 bytes)
%Program Files%\TianXingTV\Skin\default\playmode_html.png (3180 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MAX.PNG (3530 bytes)
%Program Files%\TianXingTV\Skin\default\topshow2_btn.PNG (2587 bytes)
%Documents and Settings%\%current user%\Рабочий стол\МмРРУ°Тф.lnk (610 bytes)
%Program Files%\TianXingTV\Skin\default\BT9.png (13308 bytes)
%Program Files%\TianXingTV\Data\Histroy.xml (114 bytes)
%Program Files%\TianXingTV\Skin\default\CHECK_BOX.png (3860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\System.dll (11264 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MAX1.png (3929 bytes)
%Program Files%\TianXingTV\Skin\default\playmode_min.png (2964 bytes)
%Program Files%\TianXingTV\Skin\default\about_logo.png (24678 bytes)
%Documents and Settings%\%current user%\Мои документы\tb.ico (67646 bytes)
%Program Files%\TianXingTV\Skin\default\bk.bmp (1136440 bytes)
%Program Files%\TianXingTV\Skin\default\MainWnd.png (78508 bytes)
%Program Files%\TianXingTV\Skin\default\SubWnd.png (3074 bytes)
%Program Files%\TianXingTV\dh.ico (98535 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx83.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\GuaGua5.1.5Setup_09121643_6068.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\IFoxInstall-y-c204421885-nsi-s-run-x.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\blk.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\yt.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NsDialogs.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\Setup_37wanWd.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\WanDouJiaSetup_daocaoren2_kb.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\modern-wizard.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\setup_qjr_30923.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\360Inst_tianxing.exe (0 bytes)
Registry activity
The process Ghost3.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 A4 2A D8 3F 2B 9D 06 1B DC 91 E1 38 12 65 8A"
The process tcp32.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 28 9A A7 D6 6E A9 EF 98 A3 27 8E 24 7E 89 71"
[HKLM\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip]
"DLLPath" = "C:\2228500.dll"
The process 3.exe:196 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 06 0A 7E EC 31 52 82 1E 87 EB 10 91 C0 70 67"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process statistics.exe:576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 32 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 78 12 85 70 C8 A1 90 4E B7 55 40 A8 E7 21 4E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process zhainan.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 70 F2 7F 11 15 9C 2B 48 24 5A 9D 2B 04 6F CF"
The process BeeWeather.exe:1284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 5F E5 90 02 8D 72 8C 0B 31 1A 6D F2 D1 62 5A"
The process BeeWeather.exe:1648 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 1D 59 E1 8C 9E A2 66 31 2F 7B 60 20 52 8E 1D"
The process BeeWeather.exe:588 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 91 FC 70 11 28 53 59 D7 06 39 42 25 2E 48 D5"
The process BeeWeather.exe:128 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 CB EF FA BE 6B AE 2E B1 4E 19 E6 D0 70 74 E2"
The process BeeWeather.exe:296 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 B3 96 8D B6 A1 A3 2F 27 FE C8 4A 34 B9 8A 05"
The process BeeWeather.exe:224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 03 A7 4A 7B BD F3 A3 96 C8 F7 0D 62 49 7F 2C"
The process BeeWeather.exe:1368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 7D 3B 4C BA 5C FA 01 FF 2B 78 83 66 75 07 26"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 33 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1148 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013110920131110]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013110920131110\"
"CacheOptions" = "11"
"CachePrefix" = ":2013110920131110:"
"CacheRepair" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 31 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF A5 34 B2 62 82 9E 5B B9 36 A4 D7 96 9E AA 42"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.duba.com/?un_4_374118"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013110920131110]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZDYY" = "C:\Ghost3.exe"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041220130413]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Х¬ДРУ°Тф_91_5869_.exe:512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 90 E0 16 4C 92 60 0B 61 11 8A 92 E4 EC 4F 29"
The process Х¬ДРУ°Тф_91_5869_.tmp:1516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"Inno Setup: User" = "%CurrentUserName%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Главное меню\Программы"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"HelpLink" = "http://ppw.43994.com/"
"UninstallString" = "%Program Files%\BeeWeather13110900\unins000.exe"
"NoModify" = "1"
"QuietUninstallString" = "%Program Files%\BeeWeather13110900\unins000.exe /SILENT"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"InstallLocation" = "%Program Files%\BeeWeather13110900\"
"Publisher" = "ЙПИДКР»ЄУОїЖјјУРПЮ№«Лѕ"
"Inno Setup: Selected Tasks" = "appdesktopicon"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Документы\Моя музыка"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"Inno Setup: Icon Group" = "BeeWeather"
"Inno Setup: App Path" = "%Program Files%\BeeWeather13110900"
"DisplayVersion" = "1.5.0.183"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои рисунки"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"MajorVersion" = "1"
"Inno Setup: Setup Version" = "5.5.1.e2 (a)"
"URLUpdateInfo" = "http://ppw.43994.com/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"MinorVersion" = "5"
"DisplayIcon" = "%Program Files%\BeeWeather13110900\unins000.exe"
"DisplayName" = "BeeWeather"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозаписи"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои рисунки"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 35 24 CF A6 36 B0 04 9D AE 73 75 EF 95 A5 E6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Главное меню\Программы"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://hao.budexing.com/"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"Inno Setup: Language" = "chinesesimp"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp.tmp,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"Inno Setup: Deselected Tasks" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"InstallDate" = "20131109"
"UninstallDataFile" = "%Program Files%\BeeWeather13110900\unins000.dat"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BeeWeather_is1]
"URLInfoAbout" = "http://ppw.43994.com/"
To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BeeWeather" = "%Program Files%\BeeWeather13110900\BeeWeather.exe -system"
The process kbsetup_dubo_65606.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\TianXingTV]
"Service_Releation" = "1"
"InstallName" = "kbsetup_dubo_65606.exe"
"InstallPath" = "%Program Files%\TianXingTV"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Главное меню"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\МмРРУ°Тф]
"DisplayName" = "МмРРУ°Тф V3.10.11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\TianXingTV]
"Service_Update" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Документы\Моя музыка"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\МмРРУ°Тф]
"URLInfoAbout" = "http://www.tianxingkj.com"
"Publisher" = "ФжЧЇКРМмРРРЕПўјјКхУРПЮ№«Лѕ"
"UninstallString" = "%Program Files%\TianXingTV\Unins.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\Мои документы\Мои рисунки"
"Start Menu" = "%Documents and Settings%\%current user%\Главное меню"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Документы\Мои видеозаписи"
"CommonPictures" = "%Documents and Settings%\All Users\Документы\Мои рисунки"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 22 93 9A E4 32 7F B0 BB F9 AE 46 5B DC 21 98"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"
"Programs" = "%Documents and Settings%\%current user%\Главное меню\Программы"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\МмРРУ°Тф]
"DisplayVersion" = "V3.10.11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"
Network activity (URLs)
| URL | IP |
|---|---|
| spx.tianqi.com | |
| www.halou114.com | |
| ppw.43994.com | |
| img.users.51.la | |
| cdn.866dy.com | |
| xy.mgzm520.com | |
| union.267dh.com | |
| www.vip5866.net | |
| beikecount.43994.com | |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 311 bytes in size. The following entries are added to the hosts file:
| IP address | Host name |
|---|---|
| 127.0.0.1 | www.kelepan.com |
| 127.0.0.1 | www.789pan.com |
| 127.0.0.1 | www.supan.la |
| 127.0.0.1 | www.cfwudao.cc |
| 127.0.0.1 | www.75ts.com |
| 127.0.0.1 | www.cfmimang.com |
| 127.0.0.1 | www.cfbingpo.com |
| 127.0.0.1 | www.cfyuandun.com |
| 127.0.0.1 | www.lepan.cn |
| 127.0.0.1 | www.9ap.cc |
| 127.0.0.1 | www.qidianwp.com |
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Ghost3.exe:304
tcp32.exe:588
3.exe:196
statistics.exe:576
zhainan.exe:452
BeeWeather.exe:1284
BeeWeather.exe:1648
BeeWeather.exe:588
BeeWeather.exe:128
BeeWeather.exe:296
BeeWeather.exe:224
BeeWeather.exe:1368
%original file name%.exe:1148
Х¬ДРУ°Тф_91_5869_.exe:512
Х¬ДРУ°Тф_91_5869_.tmp:1516
kbsetup_dubo_65606.exe:1592
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\kbsetup_dubo_65606.exe (2719557 bytes)
C:\2228500.dll (134656 bytes)
C:\NT_Path.jpg (27 bytes)
%WinDir%\weigei.exe (18944 bytes)
%Program Files%\TianXingTV\config.dat (1726 bytes)
C:\Х¬ДРУ°Тф_91_5869_.exe (2265336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\3.exe (18944 bytes)
C:\Ghost3.exe (3817472 bytes)
C:\zhainan.exe (3358720 bytes)
%System%\drivers\etc\hosts (311 bytes)
C:\tcp32.exe (141824 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013110920131110\index.dat (32768 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\Х¬ДРУ°Тф_91_5869_.tmp (1298712 bytes)
%Program Files%\BeeWeather13110900\Images\small\is-7U17S.tmp (7262 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\UpdateIcon.dll (33280 bytes)
%Program Files%\BeeWeather13110900\unins000.dat (37183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_iscrypt.dll (2560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\WaterLib.dll (492032 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\BeeWeather.lnk (678 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\4472ѕшЙ«µзУ°Ðш.url (45 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\BeeWeather ÐшХѕ.url (47 bytes)
%Program Files%\BeeWeather13110900\is-NH8BO.tmp (559896 bytes)
%Documents and Settings%\%current user%\Application Data (8192 bytes)
%Program Files%\BeeWeather13110900\is-BJVLD.tmp (766468 bytes)
%Documents and Settings%\All Users\Главное меню\Программы\BeeWeather\ЕдЦГ\Р¶ФШ BeeWeather.lnk (674 bytes)
%Documents and Settings%\%current user%\Application Data\Sogou.ico (38022 bytes)
%Documents and Settings%\All Users\Рабочий стол\BeeWeather.lnk (666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_RegDLL.tmp (4096 bytes)
%Documents and Settings%\%current user%\Application Data\ѕшЙ«µзУ°.ico (38022 bytes)
%Documents and Settings%\%current user%\Рабочий стол\ѕшЙ«µзУ°.lnk (1102 bytes)
%Program Files%\BeeWeather13110900\Images\future\is-4NALB.tmp (6027 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\License.txt (2543 bytes)
%Program Files%\BeeWeather13110900\Images\large\is-TQFUS.tmp (18745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\Unis.ico (18718 bytes)
%Program Files%\BeeWeather13110900\is-8M6BF.tmp (559896 bytes)
%Program Files%\BeeWeather13110900\unins000.msg (6975 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-I6RDE.tmp\RCX86.tmp (851039 bytes)
%Program Files%\BeeWeather13110900\is-AIOC8.tmp (492032 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Internet Sogou.lnk (1072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-EO2ST.tmp\_isetup\_shfoldr.dll (23312 bytes)
%Program Files%\TianXingTV\Skin\default\normal_btn.PNG (939 bytes)
%Program Files%\TianXingTV\Skin\default\DownLoadWnd.png (4917 bytes)
%Program Files%\TianXingTV\Data\SystemSetting.ini (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\yt.bmp (206680 bytes)
%Program Files%\TianXingTV\Skin\default\BT_CLOSE1 (2).PNG (2825 bytes)
%Program Files%\TianXingTV\Skin\default\150.bmp (8486 bytes)
%Program Files%\TianXingTV\tb.ico (84030 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NsDialogs.dll (9728 bytes)
%Program Files%\TianXingTV\Skin\default\BT4.png (15646 bytes)
%Program Files%\TianXingTV\TXPlayer.exe (282624 bytes)
%Program Files%\TianXingTV\TXPlayData.dll (135168 bytes)
%Program Files%\TianXingTV\Skin\default\big_tip_logo.png (63869 bytes)
%Program Files%\TianXingTV\Skin\default\page_forward_btn.png (1978 bytes)
%Program Files%\TianXingTV\Skin\default\BT8.png (15475 bytes)
%Program Files%\TianXingTV\Skin\default\progress.png (3332 bytes)
%Program Files%\TianXingTV\krnln.fnr (1138688 bytes)
%Program Files%\TianXingTV\Skin\default\hmin.png (3035 bytes)
%Program Files%\TianXingTV\Skin\default\SettingWnd2.png (3320 bytes)
%Program Files%\TianXingTV\Unins.exe (149840 bytes)
%Program Files%\TianXingTV\Skin\default\subwnd_close_btn.PNG (2255 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MIN1.png (3620 bytes)
%Documents and Settings%\%current user%\Мои документы\dh.ico (82151 bytes)
%Program Files%\TianXingTV\eAPI.fne (344064 bytes)
%Program Files%\TianXingTV\Skin\default\box_logo.png (14365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\NSISdl.dll (14848 bytes)
%Program Files%\TianXingTV\Skin\default\BT3.png (15428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc84.tmp (5586052 bytes)
%Program Files%\TianXingTV\Skin\default\down_finish.png (3114 bytes)
%Program Files%\TianXingTV\Skin\default\white_bkg.png (116 bytes)
%Program Files%\TianXingTV\kb.ini (707 bytes)
%Program Files%\TianXingTV\Skin\default\Setup.png (3480 bytes)
%Documents and Settings%\%current user%\Рабочий стол\МФ±¦ИИВф.lnk (1260 bytes)
%Program Files%\TianXingTV\Skin\default\system.button.menu.png (3807 bytes)
%Program Files%\TianXingTV\Skin\default\player_mode_btn.PNG (902 bytes)
%Program Files%\TianXingTV\Skin\default\Exit.png (3382 bytes)
%Program Files%\TianXingTV\Skin\default\down_recycle.png (3170 bytes)
%Program Files%\TianXingTV\Skin\default\BT7.png (14173 bytes)
%Program Files%\TianXingTV\Skin\default\BT6.png (14566 bytes)
%Documents and Settings%\%current user%\Главное меню\Программы\МмРРУ°Тф\Р¶ФШМмРРУ°Тф.lnk (515 bytes)
%Program Files%\TianXingTV\Skin\default\SettingWnd.png (1374 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\blk.bmp (570864 bytes)
%Program Files%\TianXingTV\Skin\default\shortcut_btn.PNG (2442 bytes)
%Program Files%\TianXingTV\Skin\default\BT1.png (15041 bytes)
%Program Files%\TianXingTV\Skin\default\mainwndbkg.png (50704 bytes)
%Program Files%\TianXingTV\Skin\default\BT2.png (13456 bytes)
%Program Files%\TianXingTV\TianXingTV.exe (282624 bytes)
%Program Files%\TianXingTV\Skin\default\SettingWnd1.png (4253 bytes)
%Program Files%\TianXingTV\Skin\default\down_manager_btn.png (1471 bytes)
%Documents and Settings%\%current user%\Рабочий стол\Hao123.lnk (1144 bytes)
%Program Files%\TianXingTV\com.run (282624 bytes)
%Program Files%\TianXingTV\Skin\default\download_category1.PNG (2991 bytes)
%Program Files%\TianXingTV\Skin\default\bottom.png (2984 bytes)
%Program Files%\TianXingTV\Skin\default\folder.png (3569 bytes)
%Program Files%\TianXingTV\Skin\default\BT0.png (13527 bytes)
%Program Files%\TianXingTV\Skin\default\download_category.PNG (3082 bytes)
%Program Files%\TianXingTV\Skin\default\MENU.png (3492 bytes)
%Program Files%\TianXingTV\shell.fne (77824 bytes)
%Program Files%\TianXingTV\Skin\default\edit.png (3040 bytes)
%Program Files%\TianXingTV\Skin\default\BT_CLOSE.png (4418 bytes)
%Program Files%\TianXingTV\Skin\default\BT5.png (13619 bytes)
%Program Files%\TianXingTV\Skin\default\topshow_btn.PNG (2603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\modern-wizard.bmp (206680 bytes)
%Program Files%\TianXingTV\Skin\default\record_btn.PNG (5905 bytes)
%Program Files%\TianXingTV\Skin\default\arrow.png (2954 bytes)
%Program Files%\TianXingTV\dp1.fne (147456 bytes)
%Program Files%\TianXingTV\Skin\default\playClose.png (3160 bytes)
%Program Files%\TianXingTV\Skin\default\Down.png (2952 bytes)
%Program Files%\TianXingTV\Skin\default\Setting_Browse_Btn.png (1032 bytes)
%Program Files%\TianXingTV\Skin\default\toolbar_item.png (7349 bytes)
%Program Files%\TianXingTV\statistics.exe (48128 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MIN.PNG (2128 bytes)
%Documents and Settings%\%current user%\Главное меню\Программы\МмРРУ°Тф\МмРРУ°Тф.lnk (622 bytes)
%Program Files%\TianXingTV\Skin\default\page_back_btn.png (1942 bytes)
%Program Files%\TianXingTV\Skin\default\playmode_html.png (3180 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MAX.PNG (3530 bytes)
%Program Files%\TianXingTV\Skin\default\topshow2_btn.PNG (2587 bytes)
%Documents and Settings%\%current user%\Рабочий стол\МмРРУ°Тф.lnk (610 bytes)
%Program Files%\TianXingTV\Skin\default\BT9.png (13308 bytes)
%Program Files%\TianXingTV\Data\Histroy.xml (114 bytes)
%Program Files%\TianXingTV\Skin\default\CHECK_BOX.png (3860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi85.tmp\System.dll (11264 bytes)
%Program Files%\TianXingTV\Skin\default\BT_MAX1.png (3929 bytes)
%Program Files%\TianXingTV\Skin\default\playmode_min.png (2964 bytes)
%Program Files%\TianXingTV\Skin\default\about_logo.png (24678 bytes)
%Documents and Settings%\%current user%\Мои документы\tb.ico (67646 bytes)
%Program Files%\TianXingTV\Skin\default\bk.bmp (1136440 bytes)
%Program Files%\TianXingTV\Skin\default\MainWnd.png (78508 bytes)
%Program Files%\TianXingTV\Skin\default\SubWnd.png (3074 bytes)
%Program Files%\TianXingTV\dh.ico (98535 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZDYY" = "C:\Ghost3.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BeeWeather" = "%Program Files%\BeeWeather13110900\BeeWeather.exe -system"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.