Trojan.Win32.Swrort_2f826cc155
Trojan.NSIS.StartPage.eg (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 2f826cc155ad25916c48f8181676d6ad
SHA1: 06c8649150e9004b9b266e2ec6d71d8429bc2cbc
SHA256: 443b20da65766f56026857798dd01ebf2d2e0bf313250f59d2f965b0ba506d77
SSDeep: 3072:ygXdZt9P6D3XJ82mRVHw3wSOLhOZFl5KJ:ye34VwSKhkFlUJ
Size: 103385 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
WeatherRadar.exe:1724
365weatherIns_61.exe:912
pihhrpg_30310.exe:960
WeatherRadarUpdate.3001.exe:912
mscorsvw.exe:1912
akradl_70254.exe:472
WeatherRadarSVR.exe:1360
The Trojan injects its code into the following process(es):
setup_qd334.exe:3200
2f826cc155ad259:540
File activity
The process WeatherRadar.exe:1724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\WeatherRadar\3.0.0.3001\weatherData.tmp (333 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherRadarCfg.ini (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (139 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
The process 365weatherIns_61.exe:912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\topbar.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\newfeather1.jpg (1856 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\sqliteApi.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\checkbox1.bmp (2 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\future\tips.ico (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_max.jpg (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarCfg.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WeatherRadar\ÃÔÄãÌìÆøÃ¨Ã¶ÔØ.lnk (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\cnzzonline.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\checkbox2.bmp (2 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\sqlite3.dll (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WeatherRadar\迷你天气猫.lnk (943 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\bg_large.png (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_close.jpg (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\skin.xml (6 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\areacode.db (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\PM10Radar.exe (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cnzz_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\SkinBtn.dll (4 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\close.png (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\newfeather2.jpg (1856 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\AQIRadar.exe (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\inetc.dll (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\large\n99.png (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\min.png (440 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\uninst.exe (2691 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\i.gif (170 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\PM25Radar.exe (11344 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\weather.db (6584 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\un_update.html (1 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db (423 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherRadarCfg.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\bg.bmp (18424 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\loading.png (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\update.html (2 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarSVR.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\btn_next.bmp (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\md5dll.dll (8 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\kz.png (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe (19096 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\bg_small.png (9 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherContext\WeatherContext.db (423 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\loading1.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\btn_close.bmp (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\RadarMfc.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\loading2.bmp (456 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\err.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\btn_complete.bmp (2392 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\loading.gif (8 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarUpdate.3001.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\newfeather3.jpg (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\ToggleImages.html (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\updateContext\updateRecord.db (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\updateRecord.db (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_move.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstA.tmp (85185 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\updateContext\AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport (0 bytes)
The process pihhrpg_30310.exe:960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\tmptjufdg.dll (76078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNet.dll.bdl (44452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd7.tmp (151988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\vl.exe.bdl (564028 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMReport.dll.bdl (35901 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\dl.dll (65930 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNetGetInfo.dll (9608 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
The process setup_qd334.exe:3200 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsbD.tmp (8533 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrE.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrE.tmp\metadl.dll (12024 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsrE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmC.tmp (0 bytes)
The process 2f826cc155ad259:540 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (108613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\xID.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\akradl_70254.exe (189626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (2737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (103342 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\ok.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_qd334.exe (16719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe (203915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\System.dll (11 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg1.tmp (0 bytes)
The process WeatherRadarUpdate.3001.exe:912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\WeatherRadar\PM10Context\PM10Context.db.!mv (604 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherRadarCfg.ini (1192 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\PM25Context\PM25Context.db.!mv (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AQIContext[1].xml (332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\369[1].ico (16369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\PM10Context[1].xml (604 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarCfg.ini (200 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db.!mv (571 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PM25Context[1].xml (615 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\AQIContext\AQIContext.db.!mv (332 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\369.ico.!mv (16369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\WeatherContext[1].xml (571 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db (0 bytes)
The process mscorsvw.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (474 bytes)
The process akradl_70254.exe:472 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\tmpbhjmp5.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (125790 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp (0 bytes)
Registry activity
The process WeatherRadar.exe:1724 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\WeatherRadar\3.0.0.3001]
"WeatherRadarUpdate.3001.exe" = "天气通升级模块"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 C1 0B 25 F6 21 08 9E 4C 5E 1D 91 E0 7B C3 B0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local hosts with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all hosts that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process 365weatherIns_61.exe:912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"URLInfoAbout" = "http://114tq.com/"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"appdata" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"desk" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"quick" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"DisplayIcon" = "%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"Index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"DisplayName" = "迷你天气猫 3.0.0.3001"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"jieguo" = "mac=00-0C-29-7C-CD-1F&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=84c8b24c6597ce51c54789a9b4632126"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"Publisher" = "天气猫工作室"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"Mac" = "00-0C-29-7C-CD-1F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"DisplayVersion" = "3.0.0.3001"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 0B 62 DE 57 65 7E 2E 0E 34 B5 6C 44 5C 66 31"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"(Default)" = "%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\WeatherRadar]
"3.0.0.3001/WeatherRadarSVR.exe" = "气象雷达"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"UninstallString" = "%Program Files%\WeatherRadar\3.0.0.3001\uninst.exe"
The Trojan modifies IE security zone settings so that all local hosts with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all hosts that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WeatherRadar" = "%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe /autorun"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process pihhrpg_30310.exe:960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\metnsd\clsid]
"SequenceID" = "EE 67 65 8A 6D 60 D6 40 85 FA 24 E0 87 93 7D A4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F 97 3F 97 31 F0 01 9E EE 47 17 47 6A A6 4A 85"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies the IE security zone settings so that all local web nodes without dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"pihhrpg_30310.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe:*:Enabled:百度杀毒在线安装程序"
The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Adds a Windows Firewall rule that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"pihhrpg_30310.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe:*:Enabled:百度杀毒在线安装程序"
The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process setup_qd334.exe:3200 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 AA B5 A5 41 2A 40 2C F7 6A B4 89 8B 67 89 D2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process 2f826cc155ad259:540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆]
"DisplayVersion" = "1.0.0.2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆]
"DisplayName" = "绿豆 1.0.0.2"
"Publisher" = "aaa559"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E CC B8 7F D0 61 16 59 FB F8 1E 46 44 76 9A 88"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The process WeatherRadarUpdate.3001.exe:912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD C7 8C B2 F2 0F 19 6A 49 35 24 CC F8 E5 8C 6A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies the IE security zone settings so that all local web nodes without dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process akradl_70254.exe:472 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 D0 0E C3 DD 95 8B CF EC 48 75 CE 23 80 F5 56"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process WeatherRadarSVR.exe:1360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 61 4A 60 62 CE 43 A0 B2 01 9E 1C 5D 49 74 52"
[HKCR\AppID\{C4D6FCA7-2C8D-4091-A4A1-F91D267C4AC8}]
"LocalService" = "WeatherRadarSVR"
"(Default)" = "WeatherRadarSVR"
[HKCR\AppID\WeatherRadarSVR.EXE]
"AppID" = "{C4D6FCA7-2C8D-4091-A4A1-F91D267C4AC8}"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{C4D6FCA7-2C8D-4091-A4A1-F91D267C4AC8}]
"LocalService"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://pxsw.n.shifen.com/ | |
| hxxp://lm.beilequ.com/update/365/365weatherIns_61.rar (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://sj88.www.web.glb0.ldcache.net/hezi/jm/setup_a7158.rar | |
| hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/3.0.0.3001/cnzz/cnzz_61.html | |
| hxxp://shadu.n.shifen.com/api/openapi/json_get_shadu_down_url_v4/30310 | |
| hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMReport.dll (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://weather51la.cnzz.alivcd.com/post/ | |
| hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMNet.dll (ET POLICY PE EXE or DLL Windows file download , Malicious) | |
| hxxp://baidubrs.dlmix.glb0.lxdns.com/client/v1196/0125/Baidusd_Setup_1.0.99.378.exe | |
| hxxp://weather51la.cnzz.alivcd.com/cnzz/weather/weatherPng/cnzz.html | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WeatherRadar.exe:1724
365weatherIns_61.exe:912
pihhrpg_30310.exe:960
WeatherRadarUpdate.3001.exe:912
mscorsvw.exe:1912
akradl_70254.exe:472
WeatherRadarSVR.exe:1360
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\WeatherRadar\3.0.0.3001\weatherData.tmp (333 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherRadarCfg.ini (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\tongji[1].htm (657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\icon_9[1].gif (893 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@uujzy[1].txt (139 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (308 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\topbar.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\newfeather1.jpg (1856 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\sqliteApi.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\checkbox1.bmp (2 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\future\tips.ico (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_max.jpg (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarCfg.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WeatherRadar\迷你天气猫卸载.lnk (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\cnzzonline.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\checkbox2.bmp (2 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\sqlite3.dll (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WeatherRadar\迷你天气猫.lnk (943 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\bg_large.png (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_close.jpg (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\skin.xml (6 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\areacode.db (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\PM10Radar.exe (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cnzz_61[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\SkinBtn.dll (4 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\close.png (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\newfeather2.jpg (1856 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\AQIRadar.exe (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\inetc.dll (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\large\n99.png (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\min.png (440 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\uninst.exe (2691 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\i.gif (170 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\PM25Radar.exe (11344 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\weather.db (6584 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\un_update.html (1 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db (423 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\bg.bmp (18424 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\loading.png (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\update.html (2 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarSVR.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\btn_next.bmp (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\md5dll.dll (8 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\kz.png (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe (19096 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\bg_small.png (9 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherContext\WeatherContext.db (423 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\future\n99.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\loading1.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\btn_close.bmp (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\RadarMfc.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\loading2.bmp (456 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\err.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\btn_complete.bmp (2392 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\loading.gif (8 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarUpdate.3001.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\newfeather3.jpg (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\ToggleImages.html (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB.tmp\KillProcDLL.dll (4 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\updateContext\updateRecord.db (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\updateRecord.db (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_move.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstA.tmp (85185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\tmptjufdg.dll (76078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNet.dll.bdl (44452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd7.tmp (151988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\vl.exe.bdl (564028 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (1115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMReport.dll.bdl (35901 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\dl.dll (65930 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (200 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbD.tmp (8533 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrE.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrE.tmp\metadl.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (108613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\xID.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\akradl_70254.exe (189626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (2737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (103342 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\ok.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_qd334.exe (16719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe (203915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr2.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\PM10Context\PM10Context.db.!mv (604 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\PM25Context\PM25Context.db.!mv (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\AQIContext[1].xml (332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\369[1].ico (16369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\PM10Context[1].xml (604 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db.!mv (571 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\PM25Context[1].xml (615 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\AQIContext\AQIContext.db.!mv (332 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\369.ico.!mv (16369 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\WeatherContext[1].xml (571 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (474 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\res\onlineWnd.zip (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\tmpbhjmp5.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh5.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (125790 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WeatherRadar" = "%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe /autorun"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.