Trojan.Win32.Swrort_45c6f48d2e

by malwarelabrobot on January 26th, 2014 in Malware Descriptions.

Trojan.NSIS.StartPage.eg (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, TrojanSwrort.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Technical Details
Removal Recommendations

MD5: 45c6f48d2ef38a659243bef231f4d876
SHA1: f46b46b603ee1c36261ba1ad7a4c30581c26ce4f
SHA256: 49269c729c69c735cd5e7d4169bd53583e1ddadaf5d47a1a3b591e2422726308
SSDeep: 1536:epgpHzb9dZVX9fHMvG0D3XJSaM0qf26GLkqIzjbanyT6NO1uWFI:kgXdZt9P6D3XJh/qOn5K OZFI
Size: 92949 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WeatherRadar.exe:3544
AQIRadar.exe:2900
365weatherIns_61.exe:2904
YYMusic.exe:2072
PM10Radar.exe:1132
setup_3128.exe:668
WeatherRadarUpdate.3001.exe:2720
mscorsvw.exe:424
WeatherRadarSVR.exe:240
winPm25Tips.exe:848
ctfmon.exe:252

The Trojan injects its code into the following process(es):

%original file name%.exe:2452
setup_qd334.exe:2456
YYJia.exe:2140

File activity

The process WeatherRadar.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\WeatherRadar\3.0.0.3001\weatherData.tmp (377 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherRadarCfg.ini (390 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\15909623[1].js (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tongji[1].htm (657 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarCfg.ini (8 bytes)
%Documents and Settings%\%current user%\Cookies\BLMHV577.txt (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\5QGDQ5FW.txt (82 bytes)
%Documents and Settings%\%current user%\Cookies\VELQD1OT.txt (244 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\5QGDQ5FW.txt (0 bytes)

The process AQIRadar.exe:2900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\httpErrorPagesScripts[1] (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\navcancl[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\info_48[1] (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\background_gradient[1] (453 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\bullet[1] (3 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\winPm25Tips.exe (1425 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\RadarMfc.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\errorPageStrings[1] (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ErrorPageTemplate[1] (2 bytes)

The process %original file name%.exe:2452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (104466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\ok.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xzrpdf_70502.exe (147238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (341995 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (1518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_qd334.exe (19364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\xID.dll (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (0 bytes)

The process 365weatherIns_61.exe:2904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\cnzzonline.html (2 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_min.jpg (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\sqliteApi.dll (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\un_update.html (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\future\tips.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_complete.bmp (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather2.jpg (1856 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\sqlite3.dll (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather1.jpg (1856 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\bg_large.png (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_close.jpg (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\skin.xml (6 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\checkbox1.bmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\checkbox2.bmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_close.bmp (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherContext\WeatherContext.db (423 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_next.bmp (2392 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\AQIRadar.exe (8184 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\large\n99.png (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\min.png (440 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\uninst.exe (2691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ToggleImages.html (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_setting.jpg (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\PM25Radar.exe (11344 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\weather.db (6584 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db (423 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherRadarCfg.ini (325 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\update.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\SkinBtn.dll (4 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\i.gif (170 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\loading.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\System.dll (11 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarSVR.exe (4992 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\PM10Radar.exe (9320 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\kz.png (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe (19096 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\bg_small.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cnzz_61[1].htm (2 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\future\n99.png (6 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarCfg.ini (325 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\RadarMfc.dll (5520 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WeatherRadar\ÃÔÄãÌìÆøͨ.lnk (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\loading1.bmp (456 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\err.png (784 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\topbar.png (3 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\loading.gif (8 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarUpdate.3001.exe (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\loading2.bmp (456 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\WeatherRadar\ÃÔÄãÌìÆøͨжÔØ.lnk (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\bg.bmp (18424 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\updateContext\updateRecord.db (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\updateContext\updateRecord.db (1 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_move.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp (85185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather3.jpg (1856 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\close.png (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsWindows.dll (10 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\WeatherRadar\updateContext\VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp (0 bytes)

The process YYMusic.exe:2072 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\YYMusic\2014124\Data\server.ini (1 bytes)
%Program Files%\YYMusic\2014124\Data\client.ini (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj[1].ashx (3 bytes)
%Program Files%\YYMusic\2014124\SysConfig.ini (434 bytes)
%Documents and Settings%\%current user%\Favorites\ÌìÒí¾üÊÂÍø.url (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\a[1].ashx (3 bytes)
%Program Files%\YYMusic\2014124\Data\user2.ini (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\ver[1].txt (36 bytes)
%Documents and Settings%\%current user%\Favorites\Ãâ·ÑÉÏÍøµ¼º½.url (71 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\a[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj[1].ashx (0 bytes)

The process setup_qd334.exe:2456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\metadl.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7.tmp (8533 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp (0 bytes)

The process PM10Radar.exe:1132 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\~DF951.tmp (0 bytes)

The process setup_3128.exe:668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\YYMusic\2014124\Skin\FrmSetWindowLrcFrame.xml (3 bytes)
%Program Files%\YYMusic\2014124\lyrics\baidu_13766042.lrc (1 bytes)
%Program Files%\YYMusic\2014124\Skin\close.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playersidebg.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_comm.png (1 bytes)
%Program Files%\YYMusic\2014124\pthreadGC2.dll (3616 bytes)
%Program Files%\YYMusic\2014124\Skin\frmlogin.xml (3 bytes)
%Program Files%\YYMusic\2014124\Skin\prev0520.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playinging.jpg (2 bytes)
%Program Files%\YYMusic\2014124\Skin\downda.png (1 bytes)
%Program Files%\YYMusic\2014124\audio.dll (3616 bytes)
%Program Files%\YYMusic\2014124\Skin\color_002highlight.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\320x225.png (784 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmSystemMenuFrame.xml (1 bytes)
%Program Files%\YYMusic\2014124\Skin\play0520.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_bd.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmColor.xml (1 bytes)
%Program Files%\YYMusic\2014124\Skin\search.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\system_menu_btnexit.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\random01hover.jpg (2 bytes)
%Program Files%\YYMusic\2014124\Skin\ÒôÁ¿Ìõ.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\border.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\progress_fore.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionset.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\forgettt.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playerbg02.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_db.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_itself.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmDropDownMenuFrame.xml (1 bytes)
%Program Files%\YYMusic\2014124\lyrics\baidu_13881991.lrc (1 bytes)
%Program Files%\YYMusic\2014124\Skin\sys_check_btn_whiter.png (318 bytes)
%Program Files%\YYMusic\2014124\Skin\color_001highlight.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\color_012.bmp (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pop_bkimage.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\lrclist.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\voice0520.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionclose.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_006highlight.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\ÒôÁ¿µ÷½Úµã.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionfeedbackahover.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_004highlight.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\mini.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\lyricmute.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\frmWindowLrc.xml (174 bytes)
%Program Files%\YYMusic\2014124\Skin\frmProgressToolTip.xml (393 bytes)
%Program Files%\YYMusic\2014124\Skin\loading02.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\voice00528.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\voice1000528.png (2 bytes)
%Program Files%\YYMusic\2014124\picture\baidu_c8ea15ce36d3d539f9c9305e3b87e950342ab0b2.jpg (784 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_color.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\random0520.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionfeedbacka.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\back.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\like.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\sys_check_btn_blue.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\headimg.png (784 bytes)
%Program Files%\YYMusic\2014124\Skin\hotkeytipbk.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\font_bkcolor.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\steup.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\forecolor_3.png (5 bytes)
%Program Files%\YYMusic\2014124\YYMusic.exe (32784 bytes)
%Program Files%\YYMusic\2014124\Skin\forecolor_2.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionsetahover.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\reflash.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\mineahover.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playinginga.jpg (5 bytes)
%Program Files%\YYMusic\2014124\Data\version.ini (32 bytes)
%Program Files%\YYMusic\2014124\Skin\color_004.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\bkcolor_6.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_btn_down.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmFeedBack.xml (411 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_btn_on.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensiontopahover.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playingprev.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn-delete.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\progresstooltip.png (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic\ÅäÖù¤¾ß\жÔØYYMusic.lnk (796 bytes)
%Program Files%\YYMusic\2014124\Skin\history.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\bg_2.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_big.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionbiga.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\mainframeshadow.png (4992 bytes)
%Program Files%\YYMusic\2014124\Skin\color_006.bmp (560 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_fh.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\playingvoice.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\SelectColor_SliderBar_Thumb.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmLrcChild.xml (263 bytes)
%Program Files%\YYMusic\2014124\Skin\bkcolor_2.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\bkcolor_1.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\mine.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\list.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_011.bmp (1 bytes)
%Program Files%\YYMusic\2014124\Skin\loading01.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\next0520.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensiontopa.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playingrandom.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Unins.exe (9608 bytes)
%Program Files%\YYMusic\2014124\Skin\input-user.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_008.bmp (556 bytes)
%Program Files%\YYMusic\2014124\Skin\more.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\lyriclikea.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\home.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\system_menu_btnfeedback.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\progresstooltipbk.png (1552 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensiontop.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\voiceall0528.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\remembertt.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\bg2.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\bkcolor_3.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\sound (2).jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\random.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\list_item_bg.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn-pause.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_ok.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\playingpreva.jpg (1 bytes)
%Program Files%\YYMusic\2014124\libav.dll (6360 bytes)
%Program Files%\YYMusic\2014124\Skin\color_list_bk.png (1552 bytes)
%Program Files%\YYMusic\2014124\Skin\list_title_bg.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmMenuFrame.xml (1 bytes)
%Program Files%\YYMusic\2014124\Data\dh.ini (56 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_kw.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_xm.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\min.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playerbg01.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\astop.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\sound100.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\lyriclike.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\WindowLrcbkIamge.png (732 bytes)
%Program Files%\YYMusic\2014124\Skin\collection.png (3 bytes)
%Program Files%\YYMusic\2014124\swresample-0.dll (3312 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_set.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_bg.bmp (784 bytes)
%Program Files%\YYMusic\2014124\Skin\lyricdelete.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn-next.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\random02a.jpg (2 bytes)
%Program Files%\YYMusic\2014124\Skin\lyrictoplay.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\sys_check_btn_red.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\update.xml (2 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_9k.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\loading04.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\system_menu_btnmin.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\forecolor_6.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\list_play.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\power.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\loading03.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\frmdownmenu.xml (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_close.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\system_menu_btnsteup.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_feedback.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn-play.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_play.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\DefaultUserImage.jpg (6 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_icon.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\LrcBk.png (7 bytes)
%Program Files%\YYMusic\2014124\Skin\btn-login.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\menu.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\random03a.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\fbcaptionbk.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_pause.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\forecolor_7.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\forecolor_5.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\DownLoadProgressForeImage.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmPopWnd.xml (354 bytes)
%Program Files%\YYMusic\2014124\Skin\lyricdeletea.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_prev.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_008highlight.bmp (552 bytes)
%Program Files%\YYMusic\2014124\Skin\mini´°.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_ok_blue.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\LyricFrameVoice.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\bg3.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\dash.png (955 bytes)
%Program Files%\YYMusic\2014124\Skin\normalVolume.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\slider_bg.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pushedVolume.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\tab_comm.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_forward.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\play2.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\random03hover.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionclosea.png (1 bytes)
%Program Files%\YYMusic\2014124\source.dll (6584 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmConfig.xml (4 bytes)
%Program Files%\YYMusic\2014124\Skin\playerlist.png (4 bytes)
%Program Files%\YYMusic\2014124\PlayerUpdate.exe (5064 bytes)
%Program Files%\YYMusic\2014124\Skin\color_003.bmp (560 bytes)
%Program Files%\YYMusic\2014124\Data\client.ini (38 bytes)
%Program Files%\YYMusic\2014124\SysConfig.ini (253 bytes)
%Program Files%\YYMusic\2014124\Skin\color_007.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\feedback.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionfeedback.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\AutoRunTipFrame.xml (1 bytes)
%Program Files%\YYMusic\2014124\Skin\BtnRightTop.png (1 bytes)
%Program Files%\YYMusic\2014124\avcore.dll (2392 bytes)
%Program Files%\YYMusic\2014124\Skin\sys_check_btn.png (1 bytes)
%Program Files%\YYMusic\2014124\YYJia.exe (21216 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionmina.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn-login2.png (6 bytes)
%Program Files%\YYMusic\2014124\Skin\voice0a0528.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\forecolor_4.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_ok_red.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\MessageBox.xml (1 bytes)
%Program Files%\YYMusic\2014124\Skin\random03.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\tooltipbk.png (319 bytes)
%Program Files%\YYMusic\2014124\Skin\color_007highlight.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\lista.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\PlayProgressForeImage.png (142 bytes)
%Program Files%\YYMusic\2014124\Skin\random02.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\button.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_desktop.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmLrc.xml (7 bytes)
%Program Files%\YYMusic\2014124\Skin\color_unsel.bmp (5 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_bg.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\random01a.jpg (2 bytes)
%Program Files%\YYMusic\2014124\Skin\forecolor_1.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionseta.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\downdahover.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionbigahover.png (1 bytes)
%Program Files%\YYMusic\2014124\avcodec-54.dll (23936 bytes)
%Program Files%\YYMusic\2014124\Skin\downd.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_013.bmp (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_001.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\frmplaylist.xml (5 bytes)
%Program Files%\YYMusic\2014124\Skin\color_016.bmp (1 bytes)
%Program Files%\YYMusic\2014124\lyrics\baidu_262581.lrc (993 bytes)
%Program Files%\YYMusic\2014124\Skin\musiclibrary.png (3 bytes)
%Program Files%\YYMusic\2014124\favorfm.xml (66 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_mutevol.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\listahover.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn-anonymity.png (8 bytes)
%Program Files%\YYMusic\2014124\Data\server.ini (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionbig.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\list_pause.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_close.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\prevention.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\system_menu_btntop.png (3 bytes)
%Program Files%\YYMusic\2014124\avutil-52.dll (5520 bytes)
%Program Files%\YYMusic\2014124\Skin\LoginBk.png (3312 bytes)
%Program Files%\YYMusic\2014124\Skin\input-password.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playingnext.png (4 bytes)
%Program Files%\YYMusic\2014124\Skin\system_menu_btnmini.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playingplaying.jpg (2 bytes)
%Program Files%\YYMusic\2014124\Skin\frmplayer.xml (10 bytes)
%Program Files%\YYMusic\2014124\Data\setup.ini (113 bytes)
%Program Files%\YYMusic\2014124\Skin\minea.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\lyricdeletea2.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionminahover.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\btn_sc.png (3 bytes)
%Program Files%\YYMusic\2014124\picture\baidu_c2cec3fdfc03924517c1df928694a4c27d1e2532.jpg (784 bytes)
%Program Files%\YYMusic\2014124\Skin\list_scroll_bar.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\font_forecolor.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\playingrandoma.jpg (2 bytes)
%Program Files%\YYMusic\2014124\Skin\125x125.jpg (784 bytes)
%Program Files%\YYMusic\2014124\Skin\frmWindowLrcParent.xml (157 bytes)
%Program Files%\YYMusic\2014124\Skin\color_005.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\next.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionmin.png (1 bytes)
%Program Files%\YYMusic\2014124\avformat-54.dll (12536 bytes)
%Program Files%\YYMusic\2014124\Skin\SetTipFrame.xml (1 bytes)
%Program Files%\YYMusic\2014124\Skin\random01.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\scrollbar.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_005highlight.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_res.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\icon.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensionlogin.png (2 bytes)
%Program Files%\YYMusic\2014124\channels.xml (784 bytes)
%Program Files%\YYMusic\2014124\Skin\bkcolor_7.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\exit.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\max.png (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic\¹Ù·½Ö÷Ò³.lnk (334 bytes)
%Program Files%\YYMusic\2014124\Skin\color_002.bmp (564 bytes)
%Program Files%\YYMusic\2014124\picture\baidu_e1fe9925bc315c60bbe955728cb1cb134954772a.jpg (784 bytes)
%Program Files%\YYMusic\2014124\Skin\color_015.bmp (1 bytes)
%Program Files%\YYMusic\2014124\Skin\sound.jpg (1 bytes)
%Program Files%\YYMusic\2014124\Skin\system_menu_btnexit - ¸±±¾.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\random02hover.jpg (2 bytes)
%Program Files%\YYMusic\2014124\Skin\btn-fav.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\channel.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\FrmHotKeyTip.xml (482 bytes)
%Program Files%\YYMusic\2014124\Skin\color_003highlight.bmp (564 bytes)
%Program Files%\YYMusic\2014124\Skin\color_010.bmp (1 bytes)
%Program Files%\YYMusic\2014124\Skin\suspensioncloseahover.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\color_009.bmp (1 bytes)
%Program Files%\YYMusic\2014124\Skin\prev.png (2 bytes)
%Program Files%\YYMusic\2014124\Skin\color_014.bmp (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_split.png (1 bytes)
%Program Files%\YYMusic\2014124\DuiLib.dll (16288 bytes)
%Program Files%\YYMusic\2014124\Skin\bkcolor_5.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\bkcolor_4.png (5 bytes)
%Program Files%\YYMusic\2014124\Skin\BtnHidePlayList.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\list_item.xml (1 bytes)
%Program Files%\YYMusic\2014124\Skin\frmWebBrowser.xml (308 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_next.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\lyriclikea2.png (3 bytes)
%Program Files%\YYMusic\2014124\Skin\bk.png (3616 bytes)
%Program Files%\YYMusic\2014124\Skin\list_scroll_bar2.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_vol.png (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\YYMusic\YYMusic.lnk (794 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_back.png (1 bytes)
%Program Files%\YYMusic\2014124\Skin\pl_small.png (1 bytes)

The process WeatherRadarUpdate.3001.exe:2720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\WeatherRadar\PM10Context\PM10Context.db.!mv (604 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherRadarCfg.ini (1192 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\PM25Context\PM25Context.db.!mv (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\WeatherContext[1].xml (571 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\AQIContext[1].xml (332 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\AQIContext\AQIContext.db.!mv (332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\PM10Context[1].xml (604 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarCfg.ini (200 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db.!mv (571 bytes)
%Documents and Settings%\%current user%\Cookies\KRXX68QO.txt (103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\369[1].ico (32738 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\369.ico.!mv (32738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\PM25Context[1].xml (615 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\369[1].ico (0 bytes)
%Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db (0 bytes)
%Program Files%\WeatherRadar\3.0.0.3001\skins\common\369.ico (0 bytes)

The process mscorsvw.exe:424 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (1834 bytes)

The process YYJia.exe:2140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\YYXMDT\DMSet.Xml (673 bytes)
%Program Files%\YYMusic\2014124\SysConfig.ini (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\YYXMDT\OLDSet.Xml (3 bytes)

Registry activity

The process WeatherRadar.exe:3544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\WeatherRadar\3.0.0.3001]
"AQIRadar.exe" = "空气质量(AQI)信息资讯"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\WeatherRadar\3.0.0.3001]
"WeatherRadarUpdate.3001.exe" = "天气通升级模块"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 42 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA B7 33 B1 31 B5 00 9A 27 64 02 9D 44 94 C3 73"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"AQIRadar" = "%Program Files%\WeatherRadar\3.0.0.3001\AQIRadar.exe /autorun"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process AQIRadar.exe:2900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 07 36 15 A6 04 5F 65 89 7F A0 72 71 28 E8 B8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\WeatherRadar]
"winPm25Tips.exe" = "winPm25Tips"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 49 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:2452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹]
"Publisher" = "haha83"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹]
"DisplayVersion" = "1.0.0.2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Â̶¹]
"DisplayName" = "Â̶¹ 1.0.0.2"

The process 365weatherIns_61.exe:2904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"URLInfoAbout" = "http://114tq.com/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"DisplayVersion" = "3.0.0.3001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"desk" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"quick" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"DisplayIcon" = "%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"Index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"DisplayName" = "ÃÔÄãÌìÆøͨ 3.0.0.3001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"jieguo" = "mac=00-0C-29-3B-DF-2F&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=f72e066ddb1d94ae63e1d32390e05757"

"appdata" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"Publisher" = "ÌìÆøͨ¹¤×÷ÊÒ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"Mac" = "00-0C-29-3B-DF-2F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E AB 9D AE B8 35 98 30 0D CC 17 C4 AC A3 19 9F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\WeatherRadar.exe]
"(Default)" = "%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\WeatherRadar]
"3.0.0.3001/WeatherRadarSVR.exe" = "气象雷达"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WeatherRadar]
"UninstallString" = "%Program Files%\WeatherRadar\3.0.0.3001\uninst.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"WeatherRadar" = "%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe /autorun"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process YYMusic.exe:2072 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 50 AA 84 C6 04 DC 0F AC B9 70 6D A3 7D B8 A2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 47 00 00 00 01 00 00 00 00 00 00 00"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YYMusic_News_2014124" = "%Program Files%\YYMusic\2014124\YYJia.exe -mini"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YYMusic_2014124" = "%Program Files%\YYMusic\2014124\YYMusic.exe -mini"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setup_qd334.exe:2456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 32 8A B8 0B C9 B8 6B D9 04 23 EA 6D E6 E2 5B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

The process PM10Radar.exe:1132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 EC 0C 11 CA 53 04 AC B1 9D 55 D5 ED BD 2C C4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process setup_3128.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\YYMusic]
"Rd" = "_2014124"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÒôÀÖFM]
"DisplayName" = "YYMusic"
"Publisher" = "YYMusic"

[HKLM\SOFTWARE\YyfmPlay]
"Rd" = "_2014124"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÒôÀÖFM]
"DisplayVersion" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 68 01 7C 2E BE 17 3C 82 37 D3 CD 68 84 B4 F6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÒôÀÖFM]
"UninstallString" = "%Program Files%\YYMusic\2014124\Unins.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÒôÀÖFM]
"DisplayIcon" = "%Program Files%\YYMusic\2014124\Unins.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YyfmPlay"

"BoxNews"

"YYMusic_News"

"YYMusic"

The process WeatherRadarUpdate.3001.exe:2720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKCU\Software\Microsoft\Internet Explorer\International]
"W2KLpk" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\WeatherRadar\3.0.0.3001]
"PM10Radar.exe" = "PM10Radar"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 44 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 57 FF 9C 23 F3 99 1D C9 F8 B4 35 28 9E 78 B8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process WeatherRadarSVR.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 21 86 26 AA 12 C7 CB A3 FD 47 AC A0 82 A4 02"

[HKCR\AppID\{C4D6FCA7-2C8D-4091-A4A1-F91D267C4AC8}]
"LocalService" = "WeatherRadarSVR"
"(Default)" = "WeatherRadarSVR"

[HKCR\AppID\WeatherRadarSVR.EXE]
"AppID" = "{C4D6FCA7-2C8D-4091-A4A1-F91D267C4AC8}"

The Trojan deletes the following value(s) in system registry:

[HKCR\AppID\{C4D6FCA7-2C8D-4091-A4A1-F91D267C4AC8}]
"LocalService"

The process YYJia.exe:2140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 F1 9C BE E7 55 AA 99 70 77 F0 DF 62 E5 EC D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 46 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process winPm25Tips.exe:848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 62 6B 26 6B EA E7 7C BB 33 B5 41 F9 16 DE BF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process ctfmon.exe:252 makes changes in the system registry.
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"

Network activity (URLs)

URL IP
hxxp://www.xzsky.com/post/ 122.225.104.211
hxxp://www.xzsky.com/cnzz/weather/weatherPng/cnzz.html
hxxp://tongji.uujzy.com/tongji.html?3.0.3001_id61_md1_os1 60.190.171.236
hxxp://sj88.www.web.glb0.ldcache.net/hezi/jm/setup_a7158.rar
hxxp://js.users.51.la/15909623.js 113.107.42.34
hxxp://www.xzsky.com/cnzz/weather/3.0.0.3001/weatherdata/_61/cnzz.html
hxxp://icon.ajiang.net/icon_9.gif 125.46.49.200
weather51la.cnzz.beilequ.com 122.225.104.211
web2.51.la 183.60.107.16
www.sj88.com 202.97.174.68
weather.uujzy.com 122.225.203.94
weather51la.cnzz.uujzy.com 122.225.104.211


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WeatherRadar.exe:3544
    AQIRadar.exe:2900
    365weatherIns_61.exe:2904
    YYMusic.exe:2072
    PM10Radar.exe:1132
    setup_3128.exe:668
    WeatherRadarUpdate.3001.exe:2720
    mscorsvw.exe:424
    WeatherRadarSVR.exe:240
    winPm25Tips.exe:848

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\WeatherRadar\3.0.0.3001\weatherData.tmp (377 bytes)
    %Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherRadarCfg.ini (390 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\15909623[1].js (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\tongji[1].htm (657 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarCfg.ini (8 bytes)
    %Documents and Settings%\%current user%\Cookies\BLMHV577.txt (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\5QGDQ5FW.txt (82 bytes)
    %Documents and Settings%\%current user%\Cookies\VELQD1OT.txt (244 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\httpErrorPagesScripts[1] (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\navcancl[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\info_48[1] (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\background_gradient[1] (453 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\bullet[1] (3 bytes)
    %Documents and Settings%\All Users\Application Data\WeatherRadar\winPm25Tips.exe (1425 bytes)
    %Documents and Settings%\All Users\Application Data\WeatherRadar\RadarMfc.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\errorPageStrings[1] (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\ErrorPageTemplate[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (104466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\ok.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xzrpdf_70502.exe (147238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (341995 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup_a7158.exe (1518 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup_qd334.exe (19364 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\Inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss2.tmp\xID.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\cnzzonline.html (2 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_min.jpg (3 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\sqliteApi.dll (784 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\updateContext\un_update.html (1 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\future\tips.ico (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\md5dll.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_complete.bmp (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather2.jpg (1856 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\sqlite3.dll (20416 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\KillProcDLL.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather1.jpg (1856 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\default\bg_large.png (784 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_close.jpg (3 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\default\skin.xml (6 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\areacode.db (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\checkbox1.bmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\checkbox2.bmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_close.bmp (1 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\WeatherContext\WeatherContext.db (423 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\btn_next.bmp (2392 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\AQIRadar.exe (8184 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\large\n99.png (784 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\min.png (440 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\uninst.exe (2691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\ToggleImages.html (1 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_setting.jpg (3 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\PM25Radar.exe (11344 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\weather.db (6584 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_max.jpg (3 bytes)
    %Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db (423 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\updateContext\update.html (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\SkinBtn.dll (4 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\updateContext\i.gif (170 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\loading.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\System.dll (11 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarSVR.exe (4992 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\PM10Radar.exe (9320 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\kz.png (3 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe (19096 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\default\bg_small.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\cnzz_61[1].htm (2 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\future\n99.png (6 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\RadarMfc.dll (5520 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\WeatherRadar\ÃÔÄãÌìÆøͨ.lnk (943 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\loading1.bmp (456 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\err.png (784 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\topbar.png (3 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\updateContext\loading.gif (8 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\WeatherRadarUpdate.3001.exe (11048 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\loading2.bmp (456 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\WeatherRadar\ÃÔÄãÌìÆøͨжÔØ.lnk (911 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\bg.bmp (18424 bytes)
    %Documents and Settings%\All Users\Application Data\WeatherRadar\updateContext\updateRecord.db (1 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\updateContext\updateRecord.db (1 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\default\btn_move.jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp (85185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\newfeather3.jpg (1856 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\close.png (873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nso5.tmp\nsWindows.dll (10 bytes)
    %Program Files%\YYMusic\2014124\Data\server.ini (1 bytes)
    %Program Files%\YYMusic\2014124\Data\client.ini (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\tj[1].ashx (3 bytes)
    %Program Files%\YYMusic\2014124\SysConfig.ini (434 bytes)
    %Documents and Settings%\%current user%\Favorites\ÌìÒí¾üÊÂÍø.url (74 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\a[1].ashx (3 bytes)
    %Program Files%\YYMusic\2014124\Data\user2.ini (363 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\ver[1].txt (36 bytes)
    %Documents and Settings%\%current user%\Favorites\Ãâ·ÑÉÏÍøµ¼º½.url (71 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp8.tmp\metadl.dll (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse7.tmp (8533 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmSetWindowLrcFrame.xml (3 bytes)
    %Program Files%\YYMusic\2014124\lyrics\baidu_13766042.lrc (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\close.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playersidebg.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_comm.png (1 bytes)
    %Program Files%\YYMusic\2014124\pthreadGC2.dll (3616 bytes)
    %Program Files%\YYMusic\2014124\Skin\frmlogin.xml (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\prev0520.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playinging.jpg (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\downda.png (1 bytes)
    %Program Files%\YYMusic\2014124\audio.dll (3616 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_002highlight.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\320x225.png (784 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmSystemMenuFrame.xml (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\play0520.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_bd.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmColor.xml (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\search.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\system_menu_btnexit.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\random01hover.jpg (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\ÒôÁ¿Ìõ.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\border.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\progress_fore.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionset.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\forgettt.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playerbg02.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_db.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_itself.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmDropDownMenuFrame.xml (1 bytes)
    %Program Files%\YYMusic\2014124\lyrics\baidu_13881991.lrc (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\sys_check_btn_whiter.png (318 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_001highlight.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_012.bmp (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pop_bkimage.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\lrclist.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\voice0520.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionclose.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_006highlight.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\ÒôÁ¿µ÷½Úµã.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionfeedbackahover.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_004highlight.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\mini.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\lyricmute.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\frmWindowLrc.xml (174 bytes)
    %Program Files%\YYMusic\2014124\Skin\frmProgressToolTip.xml (393 bytes)
    %Program Files%\YYMusic\2014124\Skin\loading02.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\voice00528.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\voice1000528.png (2 bytes)
    %Program Files%\YYMusic\2014124\picture\baidu_c8ea15ce36d3d539f9c9305e3b87e950342ab0b2.jpg (784 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_color.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\random0520.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionfeedbacka.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\back.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\like.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\sys_check_btn_blue.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\headimg.png (784 bytes)
    %Program Files%\YYMusic\2014124\Skin\hotkeytipbk.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\font_bkcolor.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\steup.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\forecolor_3.png (5 bytes)
    %Program Files%\YYMusic\2014124\YYMusic.exe (32784 bytes)
    %Program Files%\YYMusic\2014124\Skin\forecolor_2.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionsetahover.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\reflash.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\mineahover.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playinginga.jpg (5 bytes)
    %Program Files%\YYMusic\2014124\Data\version.ini (32 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_004.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\bkcolor_6.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_btn_down.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmFeedBack.xml (411 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_btn_on.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensiontopahover.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playingprev.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn-delete.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\progresstooltip.png (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\YYMusic\ÅäÖù¤¾ß\жÔØYYMusic.lnk (796 bytes)
    %Program Files%\YYMusic\2014124\Skin\history.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\bg_2.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_big.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionbiga.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\mainframeshadow.png (4992 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_006.bmp (560 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_fh.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\playingvoice.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\SelectColor_SliderBar_Thumb.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmLrcChild.xml (263 bytes)
    %Program Files%\YYMusic\2014124\Skin\bkcolor_2.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\bkcolor_1.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\mine.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\list.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_011.bmp (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\loading01.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\next0520.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensiontopa.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playingrandom.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Unins.exe (9608 bytes)
    %Program Files%\YYMusic\2014124\Skin\input-user.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_008.bmp (556 bytes)
    %Program Files%\YYMusic\2014124\Skin\more.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\lyriclikea.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\home.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\system_menu_btnfeedback.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\progresstooltipbk.png (1552 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensiontop.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\voiceall0528.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\remembertt.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\bg2.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\bkcolor_3.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\sound (2).jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\random.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\list_item_bg.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn-pause.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_ok.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\playingpreva.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\libav.dll (6360 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_list_bk.png (1552 bytes)
    %Program Files%\YYMusic\2014124\Skin\list_title_bg.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmMenuFrame.xml (1 bytes)
    %Program Files%\YYMusic\2014124\Data\dh.ini (56 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_kw.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_xm.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\min.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playerbg01.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\astop.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\sound100.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\lyriclike.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\WindowLrcbkIamge.png (732 bytes)
    %Program Files%\YYMusic\2014124\Skin\collection.png (3 bytes)
    %Program Files%\YYMusic\2014124\swresample-0.dll (3312 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_set.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_bg.bmp (784 bytes)
    %Program Files%\YYMusic\2014124\Skin\lyricdelete.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn-next.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\random02a.jpg (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\lyrictoplay.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\sys_check_btn_red.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\update.xml (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_9k.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\loading04.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\system_menu_btnmin.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\forecolor_6.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\list_play.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\power.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\loading03.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\frmdownmenu.xml (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_close.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\system_menu_btnsteup.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_feedback.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn-play.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_play.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\DefaultUserImage.jpg (6 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_icon.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\LrcBk.png (7 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn-login.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\menu.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\random03a.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\fbcaptionbk.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_pause.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\forecolor_7.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\forecolor_5.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\DownLoadProgressForeImage.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmPopWnd.xml (354 bytes)
    %Program Files%\YYMusic\2014124\Skin\lyricdeletea.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_prev.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_008highlight.bmp (552 bytes)
    %Program Files%\YYMusic\2014124\Skin\mini´°.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_ok_blue.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\LyricFrameVoice.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\bg3.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\dash.png (955 bytes)
    %Program Files%\YYMusic\2014124\Skin\normalVolume.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\slider_bg.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pushedVolume.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\tab_comm.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_forward.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\play2.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\random03hover.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionclosea.png (1 bytes)
    %Program Files%\YYMusic\2014124\source.dll (6584 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmConfig.xml (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\playerlist.png (4 bytes)
    %Program Files%\YYMusic\2014124\PlayerUpdate.exe (5064 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_003.bmp (560 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_007.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\feedback.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionfeedback.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\AutoRunTipFrame.xml (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\BtnRightTop.png (1 bytes)
    %Program Files%\YYMusic\2014124\avcore.dll (2392 bytes)
    %Program Files%\YYMusic\2014124\Skin\sys_check_btn.png (1 bytes)
    %Program Files%\YYMusic\2014124\YYJia.exe (21216 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionmina.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn-login2.png (6 bytes)
    %Program Files%\YYMusic\2014124\Skin\voice0a0528.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\forecolor_4.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_ok_red.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\MessageBox.xml (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\random03.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\tooltipbk.png (319 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_007highlight.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\lista.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\PlayProgressForeImage.png (142 bytes)
    %Program Files%\YYMusic\2014124\Skin\random02.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\button.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_desktop.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmLrc.xml (7 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_unsel.bmp (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_bg.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\random01a.jpg (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\forecolor_1.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionseta.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\downdahover.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionbigahover.png (1 bytes)
    %Program Files%\YYMusic\2014124\avcodec-54.dll (23936 bytes)
    %Program Files%\YYMusic\2014124\Skin\downd.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_013.bmp (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_001.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\frmplaylist.xml (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_016.bmp (1 bytes)
    %Program Files%\YYMusic\2014124\lyrics\baidu_262581.lrc (993 bytes)
    %Program Files%\YYMusic\2014124\Skin\musiclibrary.png (3 bytes)
    %Program Files%\YYMusic\2014124\favorfm.xml (66 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_mutevol.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\listahover.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn-anonymity.png (8 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionbig.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\list_pause.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_close.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\prevention.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\system_menu_btntop.png (3 bytes)
    %Program Files%\YYMusic\2014124\avutil-52.dll (5520 bytes)
    %Program Files%\YYMusic\2014124\Skin\LoginBk.png (3312 bytes)
    %Program Files%\YYMusic\2014124\Skin\input-password.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playingnext.png (4 bytes)
    %Program Files%\YYMusic\2014124\Skin\system_menu_btnmini.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playingplaying.jpg (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\frmplayer.xml (10 bytes)
    %Program Files%\YYMusic\2014124\Data\setup.ini (113 bytes)
    %Program Files%\YYMusic\2014124\Skin\minea.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\lyricdeletea2.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionminahover.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn_sc.png (3 bytes)
    %Program Files%\YYMusic\2014124\picture\baidu_c2cec3fdfc03924517c1df928694a4c27d1e2532.jpg (784 bytes)
    %Program Files%\YYMusic\2014124\Skin\list_scroll_bar.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\font_forecolor.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\playingrandoma.jpg (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\125x125.jpg (784 bytes)
    %Program Files%\YYMusic\2014124\Skin\frmWindowLrcParent.xml (157 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_005.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\next.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionmin.png (1 bytes)
    %Program Files%\YYMusic\2014124\avformat-54.dll (12536 bytes)
    %Program Files%\YYMusic\2014124\Skin\SetTipFrame.xml (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\random01.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\scrollbar.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_005highlight.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_res.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\icon.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensionlogin.png (2 bytes)
    %Program Files%\YYMusic\2014124\channels.xml (784 bytes)
    %Program Files%\YYMusic\2014124\Skin\bkcolor_7.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\exit.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\max.png (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\YYMusic\¹Ù·½Ö÷Ò³.lnk (334 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_002.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\picture\baidu_e1fe9925bc315c60bbe955728cb1cb134954772a.jpg (784 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_015.bmp (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\sound.jpg (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\system_menu_btnexit - ¸±±¾.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\random02hover.jpg (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\btn-fav.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\channel.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\FrmHotKeyTip.xml (482 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_003highlight.bmp (564 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_010.bmp (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\suspensioncloseahover.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_009.bmp (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\prev.png (2 bytes)
    %Program Files%\YYMusic\2014124\Skin\color_014.bmp (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_split.png (1 bytes)
    %Program Files%\YYMusic\2014124\DuiLib.dll (16288 bytes)
    %Program Files%\YYMusic\2014124\Skin\bkcolor_5.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\bkcolor_4.png (5 bytes)
    %Program Files%\YYMusic\2014124\Skin\BtnHidePlayList.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\list_item.xml (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\frmWebBrowser.xml (308 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_next.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\lyriclikea2.png (3 bytes)
    %Program Files%\YYMusic\2014124\Skin\bk.png (3616 bytes)
    %Program Files%\YYMusic\2014124\Skin\list_scroll_bar2.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_vol.png (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\YYMusic\YYMusic.lnk (794 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_back.png (1 bytes)
    %Program Files%\YYMusic\2014124\Skin\pl_small.png (1 bytes)
    %Documents and Settings%\All Users\Application Data\WeatherRadar\PM10Context\PM10Context.db.!mv (604 bytes)
    %Documents and Settings%\All Users\Application Data\WeatherRadar\PM25Context\PM25Context.db.!mv (615 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\WeatherContext[1].xml (571 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1GGYBZUQ\AQIContext[1].xml (332 bytes)
    %Documents and Settings%\All Users\Application Data\WeatherRadar\AQIContext\AQIContext.db.!mv (332 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OVYHJBCC\PM10Context[1].xml (604 bytes)
    %Documents and Settings%\All Users\Application Data\WeatherRadar\WeatherContext\WeatherContext.db.!mv (571 bytes)
    %Documents and Settings%\%current user%\Cookies\KRXX68QO.txt (103 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SZIS9VJF\369[1].ico (32738 bytes)
    %Program Files%\WeatherRadar\3.0.0.3001\skins\common\369.ico.!mv (32738 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3F9KLW6F\PM25Context[1].xml (615 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319\ngen_service.log (1834 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\YYXMDT\DMSet.Xml (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\YYXMDT\OLDSet.Xml (3 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "AQIRadar" = "%Program Files%\WeatherRadar\3.0.0.3001\AQIRadar.exe /autorun"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "WeatherRadar" = "%Program Files%\WeatherRadar\3.0.0.3001\WeatherRadar.exe /autorun"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YYMusic_News_2014124" = "%Program Files%\YYMusic\2014124\YYJia.exe -mini"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YYMusic_2014124" = "%Program Files%\YYMusic\2014124\YYMusic.exe -mini"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now