Trojan.Win32.Jorik.Nbdd.pfu (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Win32.Jorik!IK (Emsisoft), Trojan.Win32.Farfli.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 1299cdab2fe3894ffe774d23bb0d3a01
SHA1: 501a1fd063ea40012ba80a186bf34c27f8b6fcdf
SHA256: 9b8227c178d65935b7996d226dd17a45da5f047a9d26694c446e34fa54c836cf
SSDeep: 384:c85ujj jr85eEVPBytTlN1M YCus FRsPMFRsPVk:ctjyjw5eEVPstTlzM Yns IPMIPVk
Size: 28672 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6, Armadillov171 (PEiD signature matches are heuristic; the UPolyX and Armadillo hits contradict each other and the "Not Packed" entropy verdict above, so treat the sample as an unpacked Visual C++ binary unless static inspection shows otherwise)
Company: no certificate found
Created at: 2012-11-26 09:21:45
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found by the automated classifier. The process and file activity below nevertheless shows a multi-stage downloader: the sample fetches further executables into the Temporary Internet Files cache (the [1].exe entries), copies them to %Documents and Settings%\All Users\Application Data\DownloadSave\ under random names and runs them. The stages observed here add a Winlogon Userinit entry, write to the raw disk device, stage a replacement of services.exe through dllcache, install a Tencent TXSSO component and visit hao123.
Process activity
The Trojan creates the following process(es) (listed as image name:PID; ping.exe, taskkill.exe, verclsid.exe, rundll32.exe and regsvr32.exe are built-in Windows utilities launched by the chain, not dropped files):
ping.exe:2088
FrorqfnXwk.EXE:1604
FrorqfnXwk.EXE:956
TXSSOSetup[1].exe:3628
IinhxiwXhl.EXE:1772
1299cdab2fe3894ffe774d23bb0d3a01.exe:224
npygteto.src:1276
schovt.exe:1204
rundll32.exe:972
setup_2951-4090.exe:1328
skyzxkb.exe:524
taskkill.exe:1980
uuu.exe:1708
verclsid.exe:4020
verclsid.exe:3960
verclsid.exe:3864
InstTXSSO.exe:3804
9026.exe:1608
9902.exe:1008
GbgthwdZhs.EXE:1976
regsvr32.exe:2172
regsvr32.exe:1204
regsvr32.exe:4064
KhtcbheVeb.EXE:540
HrtcwrmPge.EXE:496
File activity
The process FrorqfnXwk.EXE:1604 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Help\windowsz32.txt (80 bytes)
%WinDir%\zoues\svchost.exe (897 bytes)
The process TXSSOSetup[1].exe:3628 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\TXSSO\TXSSO\I18N\SSOConfig.xml (394 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\SSOStringBundle.xml (3 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin (4 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOCommon.dll (42222 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOPlatform.dll (36698 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\npSSOAxCtrlForPTLogin.dll (7192 bytes)
%WinDir%\Temp\nsg8.tmp (81053 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\PGFStringBundle.xml (6 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOLUIControl.dll (16944 bytes)
%WinDir%\Temp\TXSSO\InstTXSSO.exe (3312 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\TXSSO\TXSSO (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\SSOConfig.xml (0 bytes)
%WinDir%\Temp\TXSSO (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOCommon.dll (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052 (0 bytes)
%WinDir%\Temp\nsq7.tmp (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOPlatform.dll (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\npSSOAxCtrlForPTLogin.dll (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\SSOStringBundle.xml (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\PGFStringBundle.xml (0 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOLUIControl.dll (0 bytes)
%WinDir%\Temp\TXSSO\InstTXSSO.exe (0 bytes)
The process 1299cdab2fe3894ffe774d23bb0d3a01.exe:224 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bc.ini (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BindPlugIn[1].ini (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\uuu[1].exe (13570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc\uuu.exe (7772 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bc (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc\uuu.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BindPlugIn[1].ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\uuu[1].exe (0 bytes)
The process npygteto.src:1276 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%System%\534607C4.tmp (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\stinst.log (928 bytes)
The process schovt.exe:1204 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\o.ini (45 bytes)
%System%\dllone.txt (98 bytes)
The Trojan also writes directly to the physical disk device (sector-level access that bypasses the file system and its permissions; the MBR is the first sector of this device, so on an infected host compare the MBR and the sectors after it with a known-good copy):
\Device\Harddisk0\DR0 (4559 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\tp_6.tmp (0 bytes)
The process skyzxkb.exe:524 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\FrorqfnXwk.EXE (5500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\IinhxiwXhl.EXE (79612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\1[1].exe (443649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\4[1].exe (79068 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\GbgthwdZhs.EXE (18796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\HrtcwrmPge.EXE (444304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\5[1].exe (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\list2[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\2[1].exe (18340 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\KhtcbheVeb.EXE (8284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\t[1].exe (4708 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\count[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\baidu[1].htm (0 bytes)
The process uuu.exe:1708 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\skyzxkb.exe (62 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RecordPath (260 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RCX1.tmp (106862 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\DownloadSave\skyzxkb.exe (0 bytes)
The process InstTXSSO.exe:3804 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\Tencent\TXSSO\I18N\2052\PGFStringBundle.xml (6 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOLUIControl.dll (3073 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOCommon.dll (9605 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\SSOConfig.xml (394 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\2052\SSOStringBundle.xml (3 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOCommon.dll (9605 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\npSSOAxCtrlForPTLogin.dll (1281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\2052\PGFStringBundle.xml (6 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOPlatform.dll (8281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll (3073 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\2052\SSOStringBundle.xml (3 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll (8281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll (1281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\SSOConfig.xml (394 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\TXSSO\SetupLogs\setuplog.log (2026 bytes)
The process 9026.exe:1608 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\TXSSOSetup[1].exe (139392 bytes)
The process 9902.exe:1008 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\man4.bat (171 bytes)
%WinDir%\Fonts\com15.ttf (28 bytes)
%System%\services.exe.rzxcp (601 bytes)
%System%\dllcache\services.exe (1137 bytes)
The Trojan deletes the following file(s):
%System%\services.exe.bzxck (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\man4.tmp (0 bytes)
Note: %System%\dllcache is the Windows File Protection cache on Windows XP/2003, and WFP restores protected files from it, so a tampered copy placed there is what WFP would "restore" over the real services.exe. The .rzxcp/.bzxck files next to services.exe and the PendingFileRenameOperations value this process sets (see its registry activity below) are the staging for that swap; on a suspect host, hash %System%\services.exe and %System%\dllcache\services.exe against a known-good copy. com15.ttf at 28 bytes is far too small to be a real font file.
The process GbgthwdZhs.EXE:1976 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (198 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gWzXbSlJTZ[1].css (2112 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@vip.jjlzc[1].txt (145 bytes)
%System%\system.ini (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\hao123[1].htm (7139 bytes)
The process regsvr32.exe:1204 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Tencent\Logs\regsvr32.tlg (0 bytes)
The process regsvr32.exe:4064 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Tencent\Logs\regsvr32.tlg (0 bytes)
The process KhtcbheVeb.EXE:540 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%System%\al.ini (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\count[1].htm (434 bytes)
%System%\PulgFile.log (50 bytes)
%System%\PulgConfig.log (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\count1[1].htm (195 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk (0 bytes) (the "Launch Internet Explorer Browser" Quick Launch shortcut of a Chinese-locale Windows install; the original report shows the GBK name mis-decoded as Latin-1)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\count[1].htm (0 bytes)
%System%\PulgConfig.log (0 bytes)
The process HrtcwrmPge.EXE:496 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\setup_2951-4090.exe (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9902.exe (47 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ope2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ope3.tmp (0 bytes)
Registry activity
The process ping.exe:2088 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B B7 D1 35 92 74 EE AA 12 68 C1 26 98 8C 35 82"
Note: CryptoAPI rewrites this Seed value whenever a process draws random numbers, so the RNG\Seed entries attributed to each process in this section (including Windows utilities such as ping.exe, taskkill.exe, verclsid.exe and rundll32.exe) record API use, not deliberate tampering. The same holds for the Internet Settings\Cache\Paths, Shell Folders, MountPoints2 and Shell Extensions\Cached values further down, which WinINet and the shell maintain on their own; the entries that deserve attention are the Winlogon Userinit and PendingFileRenameOperations values.
The process FrorqfnXwk.EXE:1604 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 10 B2 DB 2A 14 44 0C E8 E8 69 8A 1A 33 55 79"
The process FrorqfnXwk.EXE:956 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 51 69 5A 2B 5C DF 8C 69 78 8D 8A 68 34 C2 4D"
The process TXSSOSetup[1].exe:3628 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 13 09 F9 91 D2 3C D0 A7 DF 03 4E D9 2D 91 BA"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The process IinhxiwXhl.EXE:1772 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 3D FD 05 B4 DC A2 00 18 49 48 26 4D 5B 2C 02"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDPI]
"FontSize" = "20121222"
The process 1299cdab2fe3894ffe774d23bb0d3a01.exe:224 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E CB 31 FE 38 8D 9C C0 13 DC 32 5D 61 E4 D0 CC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the Local intranet zone to include all network paths (UNCs):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the Local intranet zone to include all sites that bypass the proxy server:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the Local intranet zone to include all local (intranet) sites not listed in other zones:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note: these three ZoneMap flags are Internet Explorer's default Local intranet settings, and together with ProxyEnable = 0 and the MigrateProxy = 1 value above they are what WinINet writes when it initialises Internet settings for a profile that has none (as in a fresh sandbox image). By themselves they are not evidence of tampering; the same applies where they recur under HKU\.DEFAULT below.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process npygteto.src:1276 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0010409]
"Layout Text" = "52D0637C"
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0010409]
"Layout File" = "KBDUS.DLL"
The Trojan deletes the following registry key(s):
[HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0010409]
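Most of the registry writes in this section are side effects of the APIs a process happens to call (the RNG\Seed, Internet Settings\Cache\Paths, Shell Folders, MountPoints2 and Shell Extensions\Cached values); the ones that matter are the Winlogon Userinit value set by skyzxkb.exe:524 and the PendingFileRenameOperations value set by 9902.exe:1008 further down. The Python script below is an added example written for this page, not part of the Lavasoft report or any sandbox tooling. It parses key/value pairs in the report's own "[key]" / "name" = "value" layout, sorts them into signal, noise or review, and interprets the two signal values: extra Userinit entries, and the source/destination pairs queued for the next boot. The rule lists are the editor's starting point rather than a complete catalogue, the stock Userinit pattern assumes a system root of <drive>:\Windows, and the sample text is copied from this report.

```python
"""Sort the registry writes in a sandbox report into side-effect noise and
persistence/tamper signal, then interpret the signal values.

Added example, not part of the original report or any sandbox tooling.
Parses the report's "[key]" / '"name" = "value"' layout; the rule lists are
the editor's starting point, not a complete catalogue.
"""
import re

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_VAL_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"\s*$')

# (lower-cased key-path substring, lower-cased value name or None for any).
# Written by CryptoAPI, WinINet or the shell whenever a process uses them;
# they say nothing about the process's intent.
NOISE_RULES = (
    (r"\microsoft\cryptography\rng", "seed"),
    (r"\internet settings\cache\paths", None),
    (r"\explorer\shell folders", None),
    (r"\explorer\mountpoints2", "baseclass"),
    (r"\shell extensions\cached", None),
    (r"\internet settings\connections", "savedlegacysettings"),
    (r"\internet settings\zonemap", None),      # IE's default intranet-zone flags
    (r"\internet settings", "migrateproxy"),
)
# Writes that change what runs at boot/logon or queue a boot-time file operation.
SIGNAL_RULES = (
    (r"\windows nt\currentversion\winlogon", "userinit"),
    (r"\windows nt\currentversion\winlogon", "shell"),
    (r"\control\session manager", "pendingfilerenameoperations"),
    (r"\currentversion\run", None),             # Run, RunOnce, RunServices...
    (r"\currentcontrolset\services", None),
)
# Stock Userinit entry: the report's %System% placeholder or <drive>:\Windows\system32
# (assumption: the system root is <drive>:\Windows).
_STOCK_USERINIT = re.compile(
    r"^(%system%|%systemroot%\\system32|[a-z]:\\windows\\system32)\\userinit\.exe$", re.I)


def _matches(rules, key, name):
    key_l, name_l = key.lower(), name.lower()
    return any(k in key_l and (n is None or n == name_l) for k, n in rules)


def classify(key, name):
    """'signal' beats 'noise'; anything unmatched is 'review' for a human."""
    if _matches(SIGNAL_RULES, key, name):
        return "signal"
    return "noise" if _matches(NOISE_RULES, key, name) else "review"


def parse_report(text):
    """Return (key, name, value, verdict) for every value line under a [key] line."""
    writes, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _VAL_RE.match(line)
        if m and key is not None:
            name, value = m.group("name"), m.group("value")
            writes.append((key, name, value, classify(key, name)))
    return writes


def userinit_extra_entries(value):
    """Userinit entries other than the stock userinit.exe; Winlogon runs every
    comma-separated entry at each interactive logon."""
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and not _STOCK_USERINIT.match(e)]


def pending_rename_pairs(flat_value):
    """PendingFileRenameOperations is a REG_MULTI_SZ of source, destination,
    source, destination, ... which the report flattens with commas. An empty
    destination means the source is deleted at the next boot (MoveFileEx with
    MOVEFILE_DELAY_UNTIL_REBOOT and no new name)."""
    items = [s.strip() for s in flat_value.split(",")]
    items = [s[4:] if s.startswith("\\??\\") else s for s in items]  # drop NT prefix
    if len(items) % 2:
        items.append("")
    return [(items[i], items[i + 1] or "(delete)") for i in range(0, len(items), 2)]


# Constructed sample: lines copied from the skyzxkb.exe:524 and 9902.exe:1008
# sections of this report.
SAMPLE = r"""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 95 A9 B8 E6 E1 19 7C 00 48 09 BB A8 04 10 07"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Application Data\DownloadSave\skyzxkb.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%System%\services.exe.bzxck,"
"""

if __name__ == "__main__":
    for key, name, value, verdict in parse_report(SAMPLE):
        print(f"{verdict:6}  {key}\\{name}" + (f" = {value}" if verdict == "signal" else ""))
```

The two interpretation functions apply equally to values read from a live host with winreg (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations); for the latter, join the REG_MULTI_SZ list with commas first, since the parser expects the report's flattened form. Paths containing a comma would break both splits; the stock values never contain one.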
The process schovt.exe:1204 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 09 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 84 BE 3F E5 7D 59 63 7B 7F E8 BE CA 59 4B 3C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the Local intranet zone to include all local (intranet) sites not listed in other zones:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the Local intranet zone to include all network paths (UNCs):
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the Local intranet zone to include all sites that bypass the proxy server:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
The process rundll32.exe:972 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 34 9C E5 7A 8A E9 DE 49 6F 54 B2 39 BC 31 BB"
The process setup_2951-4090.exe:1328 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 82 9B A4 93 3A 21 99 5D 02 20 E4 C6 C1 49 B1"
The process skyzxkb.exe:524 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
The Trojan adds itself to the Winlogon Userinit list, which is its persistence mechanism (Winlogon launches every comma-separated entry at each interactive logon; the stock value is %System%\userinit.exe, alone):
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Application Data\DownloadSave\skyzxkb.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 95 A9 B8 E6 E1 19 7C 00 48 09 BB A8 04 10 07"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan sets the Local intranet zone to include all network paths (UNCs):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets the Local intranet zone to include all sites that bypass the proxy server:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets the Local intranet zone to include all local (intranet) sites not listed in other zones:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process taskkill.exe:1980 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 54 10 7E 25 4F FB AD D1 AB BC 84 70 4C 57 75"
The process uuu.exe:1708 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 14 FF 4B 9B D5 54 5E 44 0E 4A 60 F5 A6 7A EB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process verclsid.exe:4020 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 0D D4 D4 13 47 3B 0D DC EE 1C 55 D2 CE 10 9B"
The process verclsid.exe:3960 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 1A DA 4E 71 9E 81 1A D2 94 AB D5 C4 6A D8 56"
The process verclsid.exe:3864 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 D3 8B 7E 1B 23 0C 7A 35 F9 87 5E F0 F1 8B D6"
The process InstTXSSO.exe:3804 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 38 0A FC 4D 42 AB 76 5E 97 C1 86 48 94 D2 E4"
[HKLM\SOFTWARE\Tencent\TXSSO]
"Version" = "1.2.1.77"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{67EA19A0-CCEF-11D0-8024-00C04FD75D13} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 7C 6C 9C 7C 04 C1 4C 8B F7 A9 CE 01"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{ECF03A33-103D-11D2-854D-006008059367} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 E6 6F DD 77 FC 3E 4E 8C F7 A9 CE 01"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {00000000-0000-0000-C000-000000000046} 0x401" = "01 00 00 00 E6 6F DD 77 6C 77 87 8C F7 A9 CE 01"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The process 9026.exe:1608 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 A3 8F 8A F1 1D 99 8D 42 AE 56 EC 81 79 E5 2F"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and are not assigned to any zone to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
The process 9902.exe:1008 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 A7 AB E0 91 E4 28 F4 98 72 C3 10 0E 45 08 23"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%System%\services.exe.bzxck,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
The process GbgthwdZhs.EXE:1976 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\userinit.exe,%Documents and Settings%\All Users\Application Data\DownloadSave\GbgthwdZhs.EXE,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "%Documents and Settings%\All Users\Application Data\DownloadSave\GbgthwdZhs.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 3E E9 92 F7 F6 7F 23 54 B0 E8 7C DD 88 E9 C1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process regsvr32.exe:2172 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}]
"(Default)" = "ISSOForPTLogin3"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin2\CurVer]
"(Default)" = "SSOAxCtrlForPTLogin.SSOForPTLogin.2"
[HKCR\AppID\SSOAxCtrlForPTLogin.DLL]
"AppID" = "{A956F47E-83F6-4F72-92EE-679C8687CD19}"
[HKCR\AppID\{A956F47E-83F6-4F72-92EE-679C8687CD19}]
"(Default)" = "SSOAxCtrlForPTLogin"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin.2\CLSID]
"(Default)" = "{EAAED308-7322-4b9b-965E-171933ADD473}"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\VersionIndependentProgID]
"(Default)" = "SSOAxCtrlForPTLogin.SSOForPTLogin2"
[HKCR\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\npSSOAxCtrlForPTLogin.dll"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin.2]
"(Default)" = "SSOForPTLogin2 Class"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"Version" = "1.0.0.1"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}]
"(Default)" = "_ISSOForPTLoginEvents"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\ProgID]
"(Default)" = "SSOAxCtrlForPTLogin.SSOForPTLogin.2"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"Path" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\npSSOAxCtrlForPTLogin.dll"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}]
"AppID" = "{A956F47E-83F6-4F72-92EE-679C8687CD19}"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}]
"(Default)" = "ISSOForPTLogin2"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\Interface\{6E78160D-6983-44A7-9F21-21C7F1C104F5}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0\HELPDIR]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 68 B6 71 D0 B9 74 7C 84 47 19 09 04 5E 6A A5"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin2]
"(Default)" = "SSOForPTLogin2 Class"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"Version" = "2.0"
[HKCR\SSOAxCtrlForPTLogin.SSOForPTLogin2\CLSID]
"(Default)" = "{EAAED308-7322-4b9b-965E-171933ADD473}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{B855B42B-1121-4354-9483-86B614838220}\TypeLib]
"(Default)" = "{29A32150-EA24-42C2-882E-879152560C1E}"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\TypeLib]
"(Default)" = "{29A32150-EA24-42c2-882E-879152560C1E}"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"ProductName" = "Tencent SSO Platform"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"Vendor" = "Tencent"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\npSSOAxCtrlForPTLogin.dll"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"Version" = "2.0"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\MozillaPlugins\@qq.com/TXSSO]
"Description" = "QQ QuickLogin Helper"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"Version" = "2.0"
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{29A32150-EA24-42C2-882E-879152560C1E}\2.0]
"(Default)" = "SSOAxCtrlForPTLogin 2.0 Type Library"
[HKCR\CLSID\{EAAED308-7322-4b9b-965E-171933ADD473}]
"(Default)" = "SSOForPTLogin2 Class"
[HKCR\Interface\{0D57D439-62AF-4EB4-A58F-9F0963A3364C}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The process regsvr32.exe:1204 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}]
"(Default)" = "ITXSSOConfig"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ProgID]
"(Default)" = "SSOLUIControl.SSOLUICtrl.1"
[HKCR\SSOLUIControl.SSOLUICtrl.1\CLSID]
"(Default)" = "{83335675-FCF0-45CE-A9E6-38C150EFBE63}"
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\SSOLUIControl.dll"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}]
"(Default)" = "_ISSOLUICtrlEvents"
[HKCR\SSOLUIControl.SSOLUICtrl.1]
"(Default)" = "SSOLUICtrl Class"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\VersionIndependentProgID]
"(Default)" = "SSOLUIControl.SSOLUICtrl"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\InprocServer32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\SSOLUIControl.dll"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\SSOLUIControl.SSOLUICtrl\CLSID]
"(Default)" = "{83335675-FCF0-45CE-A9E6-38C150EFBE63}"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0]
"(Default)" = "SSOLUIControl 1.0 Type Library"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{2D72499C-48D9-4574-911C-85CDD7C08C94}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\SSOLUIControl.SSOLUICtrl\CurVer]
"(Default)" = "SSOLUIControl.SSOLUICtrl.1"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}]
"(Default)" = "ISSOLUICtrl"
[HKCR\SSOLUIControl.SSOLUICtrl]
"(Default)" = "SSOLUICtrl Class"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 4E E6 C6 C7 14 11 50 50 6E 65 0E 33 0C 4B BD"
[HKCR\AppID\{611AC3D9-E60C-4138-83AE-9B1C8D4082BF}]
"(Default)" = "SSOLUIControl"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}]
"(Default)" = "SSOLUICtrl Class"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{0A6C2A84-5EFB-4DA0-9E79-3CD6709CE692}\TypeLib]
"(Default)" = "{9EE3E2DD-D4A6-4024-8AFD-C467485A0BC4}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus]
"(Default)" = "0"
[HKCR\AppID\SSOLUIControl.DLL]
"AppID" = "{611AC3D9-E60C-4138-83AE-9B1C8D4082BF}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{B3F1E3D0-0A3B-4808-9EE1-061508686CF9}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}]
"AppID" = "{611AC3D9-E60C-4138-83AE-9B1C8D4082BF}"
[HKCR\CLSID\{83335675-FCF0-45CE-A9E6-38C150EFBE63}\ToolboxBitmap32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\SSOLUIControl.dll, 102"
The process regsvr32.exe:4064 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}]
"(Default)" = "ITXSSOEnumData"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}]
"(Default)" = "ITXSSOBuffer"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}]
"(Default)" = "ITXSSOArray"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\AppID\{4C2BAEAE-B4D1-4b29-8BB5-9455F06BB871}]
"(Default)" = "SSOCommonDllBuild"
[HKCR\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0]
"(Default)" = "TXSSO Common 1.0 Type Library"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"Version" = "1.0"
[HKCR\AppID\SSOCommonDllBuild.DLL]
"AppID" = "{4C2BAEAE-B4D1-4b29-8BB5-9455F06BB871}"
[HKCR\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{8182B8C8-3BFC-472B-8409-FE6BBFC889A4}]
"(Default)" = "ITXSSOArrayRead"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}]
"(Default)" = "ITXSSODataRead"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{251DA1A7-5700-41FC-8129-9099B4B7E4D3}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\Bin\SSOCommon.dll"
[HKCR\Interface\{40DBB647-8BFF-49E1-9F4A-F597C24ADA73}\TypeLib]
"(Default)" = "{251DA1A7-5700-41FC-8129-9099B4B7E4D3}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 D1 3F 3C 17 88 70 40 88 FF 62 68 F7 ED A7 56"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{9CFE8D35-D272-4979-9E36-EA55D898D340}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}]
"(Default)" = "ITXSSOData"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{F2A89253-E5E7-426E-8D54-22360114ACA3}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{C4814377-19D4-48FE-B913-28E24A96AE08}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{DCE82D4D-D85A-473B-8E9A-A93D89EDAD72}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
The process KhtcbheVeb.EXE:540 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}]
"(Default)" = "Search Results Folder"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\IE]
"(Default)" = "快捷方式"
[HKCR\JE]
"(Default)" = "快捷方式"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
[HKCR\JE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\360se_PC_]
"D" = "487"
[HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\.IE]
"(Default)" = "IE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E}]
"(Default)" = "Recycle Bin"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\IE\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{450D8FBA-AD25-11D0-98A8-0800361B1103}]
"Removal Message" = "@mydocs.dll,-900"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}.default" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 02 16 87 D0 45 73 3D C8 8B B2 A7 EB C9 00 9D"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}.default" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage]
"(Default)" = "打开主页(&O)"
[HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command]
"(Default)" = "%Program Files%\Internet Explorer\IEXPLORE.EXE http://hao.meixie8.com/?id=31324"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\360se_PC_]
"Y" = "4163"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "2"
[HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command]
"(Default)" = "Explorer.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\.JE]
"(Default)" = "JE"
[HKCU\Software\360se_PC_]
"M" = "421"
[HKCR\IE\DefaultIcon]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\\tbhdz.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "2"
The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"360safeman" = "%System%\Vanlid.exe"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\ShellFolder]
[HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{1f4de370-d627-11d1-ba4f-00a0c91eedba}]
[HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\open\command]
[HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\DefaultIcon]
[HKCR\CLSID\{1f4de370-d627-11d1-ba4f-00a0c91eedba}\InProcServer32]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCR\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag]
"InitString"
The process HrtcwrmPge.EXE:496 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 78 7B E8 51 AD DC 91 D9 DB 8D E7 6E 73 48 05"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"9902.exe" = "2345"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"setup_2951-4090.exe" = "音乐FM安装程序"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes whose names contain no dots and are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Network activity (URLs)
URL | IP |
---|---|
hxxp://222.187.222.227/down/2.exe | |
hxxp://222.187.222.227/down/4.exe | |
hxxp://222.187.222.227/down/5.exe | |
hxxp://222.187.222.227/down/t.exe | |
hxxp://222.187.222.227/count.asp?mac=00-0C-29-EC-7F-C5&ver=6-27&makedate=53C766C3DC8BE56DECD3D692BE45DB18&userID=uuu&ComPut=XP1&Key=FA3FCB570D0598BCEADAA1CEC224114B | |
hxxp://o.lijnl.com/tj/tongji/Count.asp?ver=9902&Mac=00-0c-29-ec-7f-c5&ProcessNum=30 | 199.188.111.145 |
hxxp://vip.jjlzc.com/vip/count.asp?mac=00-0C-29-EC-7F-C5&ver=13.1&TG=10001&CP=1&Key=38575&JC=0&YP=a8a67a25 | 222.186.63.176 |
hxxp://member.tiancity.com/Handler/NewCommonRegChkHandler.ashx?userid=kumsr&randcode= | 114.80.72.209 |
hxxp://pay.9you.com/funpay/index.php | 101.226.5.32 |
hxxp://member.tiancity.com/Handler/NewCommonRegChkHandler.ashx?userid=236260440&randcode= | |
hxxp://dl_dir3.tcdn.qq.com/minigamefile/TXSSOSetup.exe (Malicious) | |
hxxp://member.tiancity.com/Handler/NewCommonRegChkHandler.ashx?userid=804336776&randcode= | |
hxxp://member.tiancity.com/Handler/NewCommonRegChkHandler.ashx?userid=ai33answer&randcode= | |
pu.5pug.com | 124.237.78.108 |
myxd.coupeso.com | 174.139.114.148 |
dl_dir3.qq.com | 61.158.251.61 |
kz.kz5n.com | 124.237.78.108 |
tj.coupeso.com | 174.139.114.148 |
login.passport.9you.com | 60.206.13.24 |
www.jlnle.com | 142.0.141.90 |
www.asp0202.com | 183.61.171.73 |
it.safe7788.com | 59.188.73.7 |
passport.tiancity.com | 114.80.72.208 |
www.intlj.com | 142.0.133.29 |
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwLoadDriver
ZwReadFile
ZwSetSystemInformation
ZwSetValueKey
The Trojan intercepts DriverStartIO in the miniport driver of the hard drive controller (ATAPI) to handle requests to its own files:
DriverStartIo
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
ping.exe:2088
FrorqfnXwk.EXE:1604
FrorqfnXwk.EXE:956
TXSSOSetup[1].exe:3628
IinhxiwXhl.EXE:1772
1299cdab2fe3894ffe774d23bb0d3a01.exe:224
npygteto.src:1276
schovt.exe:1204
rundll32.exe:972
setup_2951-4090.exe:1328
skyzxkb.exe:524
taskkill.exe:1980
uuu.exe:1708
verclsid.exe:4020
verclsid.exe:3960
verclsid.exe:3864
InstTXSSO.exe:3804
9026.exe:1608
9902.exe:1008
GbgthwdZhs.EXE:1976
regsvr32.exe:2172
regsvr32.exe:1204
regsvr32.exe:4064
KhtcbheVeb.EXE:540
HrtcwrmPge.EXE:496
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Help\windowsz32.txt (80 bytes)
%WinDir%\zoues\svchost.exe (897 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\SSOConfig.xml (394 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\SSOStringBundle.xml (3 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin (4 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOCommon.dll (42222 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOPlatform.dll (36698 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\npSSOAxCtrlForPTLogin.dll (7192 bytes)
%WinDir%\Temp\nsg8.tmp (81053 bytes)
%WinDir%\Temp\TXSSO\TXSSO\I18N\2052\PGFStringBundle.xml (6 bytes)
%WinDir%\Temp\TXSSO\TXSSO\bin\SSOLUIControl.dll (16944 bytes)
%WinDir%\Temp\TXSSO\InstTXSSO.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc.ini (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\BindPlugIn[1].ini (90 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\uuu[1].exe (13570 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bc\uuu.exe (7772 bytes)
%System%\534607C4.tmp (99 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\stinst.log (928 bytes)
%WinDir%\o.ini (45 bytes)
%System%\dllone.txt (98 bytes)
\Device\Harddisk0\DR0 (4559 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\FrorqfnXwk.EXE (5500 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\IinhxiwXhl.EXE (79612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\1[1].exe (443649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\4[1].exe (79068 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\GbgthwdZhs.EXE (18796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\desktop.ini (67 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\HrtcwrmPge.EXE (444304 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\5[1].exe (7772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\list2[1].txt (158 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\2[1].exe (18340 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\KhtcbheVeb.EXE (8284 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\t[1].exe (4708 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\skyzxkb.exe (62 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RecordPath (260 bytes)
%Documents and Settings%\All Users\Application Data\DownloadSave\RCX1.tmp (106862 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\2052\PGFStringBundle.xml (6 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOLUIControl.dll (3073 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOCommon.dll (9605 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\SSOConfig.xml (394 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\2052\SSOStringBundle.xml (3 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOCommon.dll (9605 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\npSSOAxCtrlForPTLogin.dll (1281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\I18N\2052\PGFStringBundle.xml (6 bytes)
%Program Files%\Common Files\Tencent\TXSSO\1.2.1.77\bin\SSOPlatform.dll (8281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOLUIControl.dll (3073 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\2052\SSOStringBundle.xml (3 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\SSOPlatform.dll (8281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\Bin\npSSOAxCtrlForPTLogin.dll (1281 bytes)
%Program Files%\Common Files\Tencent\TXSSO\I18N\SSOConfig.xml (394 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\TXSSO\SetupLogs\setuplog.log (2026 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S96BCDQ7\TXSSOSetup[1].exe (139392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\man4.bat (171 bytes)
%WinDir%\Fonts\com15.ttf (28 bytes)
%System%\services.exe.rzxcp (601 bytes)
%System%\dllcache\services.exe (1137 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (198 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\gWzXbSlJTZ[1].css (2112 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@vip.jjlzc[1].txt (145 bytes)
%System%\system.ini (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KP27CLYF\hao123[1].htm (7139 bytes)
%Documents and Settings%\%current user%\Application Data\Tencent\Logs\regsvr32.tlg (0 bytes)
%System%\al.ini (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\CHEZ8TER\count[1].htm (434 bytes)
%System%\PulgFile.log (50 bytes)
%System%\PulgConfig.log (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O167C5I7\count1[1].htm (195 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_2951-4090.exe (23407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\9902.exe (47 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"360safeman" = "%System%\Vanlid.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.