Skip to main content

Trojan.NSIS.StartPage_d4c85e243a


Trojan.Win32.Badur.hcxs (Kaspersky), Trojan.Downloader.Hicrazyk.A (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: d4c85e243aa8e2e57d393ba15a563481

SHA1: 1422085e1189e08eb7ea73566053a8c13984f982

SHA256: b6589cad3df6ff889cfb484abf344063bd81576888a9edc7b18fbf53ef786071

SSDeep: 3072:hY3dFNJPmDamJF2ib9PAc65hyHRg36B4TJxCGqYr4w:h npSbecUD36BGxgw

Size: 143720 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company:

Created at: 2009-02-05 03:59:54

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

vcredist_x86.exe:3636
netsh.exe:3420
netsh.exe:2944
netsh.exe:3044
BDKVWsc.exe:2824
BDKVWsc.exe:3172
RegSvr32.exe:2928
RegSvr32.exe:3192
bddownloader.exe:3268
bddownloader.exe:1236
BaiduSd.exe:3428
sc.exe:3016
sc.exe:2968
aukncq_70404.exe:628
baidusdTray.exe:2184
cacls.exe:3344
BDDownloader.exe:1212
BDDownloader.exe:2964
BDDownloader.exe:3692
BDDownloader.exe:3076
BaiduAnTray.exe:1928
regsvr32.exe:3444
regsvr32.exe:2948
regsvr32.exe:3468
BaiduAn.exe:2532
BaiduAn.exe:2476
BaiduSdBugRpt.exe:2368
BaiduSdUpdate.exe:2904
BaiduAnSvc.exe:3636
BaiduAnSvc.exe:3924
jko.exe:2456
kkvlnyk.exe:1636
BaiduSdSvc.exe:4012
BaiduSdSvc.exe:444
pczh_100_1.exe:2508
MsiExec.exe:3424
BDASWAcc.exe:3976

The Trojan injects its code into the following process(es):

bddownloader.exe:3760
Ainqngz3.9.exe:3024
%original file name%.exe:228
jistlo.exe:3032

File activity

The process vcredist_x86.exe:3636 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredis1.cab (6255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredist.msi (42423 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredis1.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredist.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\crt.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (0 bytes)

The process bddownloader.exe:3760 makes changes in the file system.


The Trojan deletes the following file(s):

%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe (0 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106 (0 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\7z.dll (0 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\bdcomproxy.dll (0 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\dl.dll (0 bytes)

The process aukncq_70404.exe:628 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNet.dll.bdl (46859 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe.bdl (707298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (1788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\tmppm4bkx.dll (24832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (5707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMReport.dll.bdl (37075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\1942083177\Setting\host.dat (306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\3f88398fc048137c047f9ddd92a215ed.bdt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7.tmp (128685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\2d519f2c31620e467cd7bbf4cdf9a59f.bdt (663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe (7422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\res\onlineWnd.zip (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\System.dll (784 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Program Files%\Baidu\sjk (0 bytes)
%Program Files%\sjk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso6.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Program Files%\Baidu\BaiduAn\sjk (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
C:\sjk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)

The process baidusdTray.exe:2184 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd (4 bytes)
%System%\wbem\Logs (4 bytes)
%WinDir%\repair (4 bytes)
%System%\CatRoot2 (96 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DF464A.tmp (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (1460 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\000003.log (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\BaiduSdCache.rptc (68 bytes)
%Program Files%\Common Files (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN (4 bytes)
C:\$Directory (780 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData (4 bytes)
%System% (856 bytes)
%WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\LOG (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\000003.log (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%System%\config (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp (4 bytes)
%System%\drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255 (4 bytes)
%WinDir%\Prefetch (196 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (388 bytes)
%WinDir%\Temp\Perflib_Perfdata_ea0.dat (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (520 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\LOG (4 bytes)
%Documents and Settings%\%current user%\Cookies (200 bytes)

The process Ainqngz3.9.exe:3024 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@mini.fengyunzhibo[1].txt (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mini[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\new_common[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[2].js (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fymini[1].htm (1798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAU3OLK5.gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\new_box[1].js (145 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@fengyunzhibo[1].txt (188 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (800 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\mini.fengyunzhibo[1].xml (266 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fymini[2].htm (1853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[1].js (5 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[2].js (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mini[1].js (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tv.aiqingzhihui[1].txt (332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fyminiloader-min[1].js (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zhibo2[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mini[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAPSSJDX.gif (35 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAU3OLK5.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAPSSJDX.gif (0 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\www.aaa[1].xml (0 bytes)

The process BDDownloader.exe:1212 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\bdcomproxy.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg22.tmp (86466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw23.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\7z.dll (12536 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\dl.dll (65930 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw23.tmp\System.dll (0 bytes)

The process BDDownloader.exe:2964 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\7z.dll (12536 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\bdcomproxy.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuF.tmp (90616 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nszE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\System.dll (0 bytes)

The process BDDownloader.exe:3692 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Baidu\BDDownload\107\bddownloader.exe (9605 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\7z.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\dl.dll (14988 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\bdcomproxy.dll (601 bytes)

The process BDDownloader.exe:3076 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe (9605 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\bdcomproxy.dll (601 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\7z.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\dl.dll (14988 bytes)

The process BaiduAnTray.exe:1928 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\SWManager\ultcache.dat (196 bytes)

The process %original file name%.exe:228 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (236484 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pczh_100_1.exe (45392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aukncq_70404.exe (187984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkvlnyk.exe (232737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\z.ini (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\xID.dll (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\z.ini.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (0 bytes)

The process BaiduSdUpdate.exe:2904 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\baidusd\BaiduSdCache.rptc (68 bytes)

The process BaiduAnSvc.exe:3636 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\config\SYSTEM.LOG (5097 bytes)
%System%\config\software (10282 bytes)
%System%\config\SOFTWARE.LOG (13344 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db (145 bytes)
%WinDir%\Temp\Tar25.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db-journal (512 bytes)
%System%\config (200 bytes)
%System%\config\system (3608 bytes)
%WinDir%\Temp\Cab24.tmp (54 bytes)

The Trojan deletes the following file(s):

%WinDir%\Temp\Cab24.tmp (0 bytes)
%WinDir%\Temp\Tar25.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db-journal (0 bytes)

The process jko.exe:2456 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bduf.dll (29608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAn.exe (30464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDAVCache.dll (34186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOHomePageCleanerConfig.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSAccMgrDll.dll (29256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerPlugin.dll (67969 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Mainpage.rdb (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SWCatalogDataItem.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMWindowsLib.dll (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMMainFrame.dll (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMNet.dll (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASWAcc.exe (1552 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_2_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\CompatibilityChecker.dll (5064 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\PatcherContainer.xml (563 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnUpdate.exe (9605 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOTraceConfig.xml (9 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bd0002.dll (3073 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerLuaScript.dat (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\KVCommonRes.rdb (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.dll (16288 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerConfig.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMCoolyContainerConfig.xml (465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SusPluginContainerConfig.xml (605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnSvc.exe (8657 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTray\TrayPlugin.rdb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginclean.db (48928 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\directui license.txt (593 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SysAccelerator.rdb (15536 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDKVLogs.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAcceleratorPlugin.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccMgr.dll (25776 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_property.dat (1281 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMAVEng.dll (11518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixer.dll (9608 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDMNetMon.sys (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSCleaner.dll (57535 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMUpdate.rdb (12088 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMProcessRunningTime.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrustAndIso.dll (35784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\BDMSafePlugin.dll (7433 bytes)
%Documents and Settings%\All Users\Desktop\百度卫士.lnk (895 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\LocalPluginInfo.xml (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMAVEng.dll (51840 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\pluginclean.db (48928 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Patcher.rdb (5064 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SysFixer.rdb (3312 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\blacksign.dat (537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginUnit.dat (727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDArKit.sys (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDCooly.dll (38103 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_minute_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSysFixerPlugin.dll (53394 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\PluginSetup.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SYSAccMgrDll.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceConfig.xml (18 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\hips.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GCScriptBind.dll (42762 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\systemfile.dat (3 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\BDMConnect.dll (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\hips.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPluginContainerConfig.xml (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcherPlugin.dll (49631 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SysAccLiveStrategy.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepMgr.dll (25776 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_9_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginSetup.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\TrustAndIso.dll (7971 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\vcredist_x86.exe (18934 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\GCScriptBind.dll (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\DriverManager.dll (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKitUtils.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\res\InstallWnd.zip (54196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSOManagerPlugins\BDMSOAcceleratorPlugin.dll (7971 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMSetting.rdb (3312 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\CommonRes.rdb (37368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMTrayTipsPlugin.dll (40702 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\PluginManager.dll (9605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\extends.rdb (2392 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDLogicUtils.dll (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginManager.dll (42222 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOGarbageCleanerConfig.dat (11 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDKV.rdb (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonSusPlugin.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnTray.exe (57535 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\app.ico (2105 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\bd0001.sys (601 bytes)
%System%\config\AppEvent.Evt (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerScript.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\WebSafe.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.dll (5064 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMUpdate.dll (4545 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerXMLScript.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepBase.dll (38103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SYSCleaner.dll (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMScriptVM.dll (1281 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_class_filter.db (7385 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\pluginUnit.dat (727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\System.dll (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\DriverManager.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\ad.dll (32784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDALeakfixer.exe (38904 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerScript.dat (53 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDASoftmgr.exe (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageCleanerConfig.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1A.tmp (2190194 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSOCleanerTrayPlugin.dll (7345 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\RtpContainerConfig.xml (474 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\systemfile.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPlugin.dll (35001 bytes)
%WinDir% (96 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDCooly.dll (8657 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SusPlugin.rdb (5520 bytes)
C:\$Directory (8 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmswmanagerplugins\BDMSWManagerView.dll (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccTrayPlugin.dll (32784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\BDMSOAccServicePlugin.dll (6841 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\BDMSOAccSusPlugin.dll (7433 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_blank_speed.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_1_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\BDMPatcher.dll (12287 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SORegCleanerScript.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSkin.dll (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcher.dll (55014 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMDownload.dll (5873 bytes)
%Program Files% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\app.ico (12024 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\AppBooster.rdb (12088 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\TrayPluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDASWAcc.exe (38 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bd0001.dll (673 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\StartupDict.dat (3073 bytes)
%System%\config (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\NetService.ini (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerPreScan.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatchAgent.dll (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrayPluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMReport.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWParseDetect.dll (39329 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\BDMSkin.dll (37025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageConfig.xml (28 bytes)
%WinDir%\Prefetch (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSkin.dll (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PatcherContainer.xml (563 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\PluginInstallHelper.dll (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\BDMNetMonSusPlugin.dll (7385 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\百度卫士.lnk (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMReport.dll (34773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOSilentCleanerConfig.dat (11 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_5_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMScriptVM.dll (8184 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\scan_mgr_config.dat (2 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMPatchAgent.dll (3361 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SafePlugin.rdb (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysOptDict.dat (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOGarbageConfig.xml (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerLuaScript.dat (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnBugRpt.exe (34023 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_4_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SafePluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_6_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\804.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_property.dat (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDLogicUtils.dll (33295 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\SusPluginContainerConfig.xml (605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccEngine.dll (4185 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccMgr.dll (5441 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMNetMonMgrDll.dll (49 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixer.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerScript.dat (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonMgrDll.dll (1856 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerCheckItem.dat (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerConfig.dat (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\BDMSWManagerFrame.dll (6841 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\pluginclean.db (10815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDDownloader.exe (42222 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\uninst.exe (12287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnSvc.exe (38103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMProcessRunningTime.dll (22552 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\dnw.xml (149 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMKVMainPlugin.dll (10815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HotPlugins.xml (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDNetMisc.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNet.dll (40228 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\SafePluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMANTIVIRUS (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnUpdate.exe (42222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysAccLiveStrategy.dat (3312 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOTraceCleanerConfig.dat (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_acc.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSusPlugin.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerConfig.dat (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmkvscanplugin\BDMKVScanPluginContainerConfig.xml (380 bytes)
%System% (1328 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_0_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\MainframePluginContainerConfig.xml (1 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerConfig.dat (5 bytes)
%System%\drivers\BDMNetMon.sys (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSWParseDetect.dll (8657 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\Patch\publish.db (32763 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\SWCatalogDataItem.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_class_filter.db (33248 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerCheckItem.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\MainframePluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMTrayTipsPlugin.dll (9098 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BDMSOCleaner\SOTraceConfig.xml (9 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSWNestCore.dll (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWindowsLib.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVMainPlugin.dll (46916 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMUpdate.dll (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\kav_compatible.dat (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\vcredist_x86.exe (82435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\homepage.ini (361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HIPS.dll (59286 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_7_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_3_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\GlobalPluginInfo.xml (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\virus_type.dat (485 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMCoolyPlugins\BDMCoolyContainerConfig.xml (465 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Softmgr.rdb (690 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\KVMain.rdb (1856 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDNetMisc.dll (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnBugRpt.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\StartupDict.dat (16944 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDAVCache.dll (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccServicePlugin.dll (30344 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\HotPlugins.xml (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\RtpContainerConfig.xml (474 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SOManager.rdb (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_acc.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKVLogs.dll (35001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\uninst.exe (54196 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDKitUtils.dll (40 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SWManager.rdb (18424 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\SysRepLib.dat (22 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSOManagerPlugins\BDMSOCleanerPlugin.dll (15506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\directui license.txt (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\dnw.xml (149 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDArKit.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccStrategyMgr.dll (23296 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\kav_compatible.dat (25 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDBrowserProtecter.rdb (4992 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMRepMgr.dll (5441 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\CompatibilityChecker.dll (673 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTray.rdb (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\publish.db (140983 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_8_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMConnect.dll (43318 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASoftmgr.exe (38904 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\virus_type.dat (485 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerPreScan.dat (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\卸载百度卫士.lnk (880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[2].js (24 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSOAccTrayPlugin.dll (7345 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@fengyunzhibo[1].txt (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\HIPS.dll (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTips.rdb (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysRepLib.dat (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAn.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.sys (7192 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOHomePageCleanerConfig.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMMainFrame.dll (59286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWrench.sys (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerFrame.dll (30464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerView.dll (43318 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BDMSOCleaner\SOGarbageConfig.xml (14 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SOTurbo.rdb (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSusPlugin.dll (7385 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\ad.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccEngine.dll (22192 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_second_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GlobalPluginInfo.xml (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDALeakfixer.exe (8657 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmkvscanplugin\BDMKVScanPlugin.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerTrayPlugin.dll (32784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerConfig.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\scan_mgr_config.dat (2 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMSysFixerPlugin.dll (12287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccSusPlugin.dll (33391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceCleanerConfig.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\nsExec.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\LocalPluginInfo.xml (14 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\bd0002.sys (1281 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\homepage.ini (361 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMCoolyPlugins\BDMSOAccCoolyPlugin.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWNestCore.dll (33877 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\websafe\WebSafe.dll (7385 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\bduf.dll (6841 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMPatcherPlugin.dll (11518 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SORegCleanerConfig.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccCoolyPlugin.dll (28288 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDDownloader.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\blacksign.dat (537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.sys (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerXMLScript.dat (2 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccStrategyMgr.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\InstallHelper.dll (34186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMDownload.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\804.dat (3 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOSilentCleanerConfig.dat (11 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMRepBase.dll (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\ns1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSafePlugin.dll (33391 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SysOptDict.dat (4 bytes)
%Documents and Settings%\%current user%\Cookies (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\NetService.ini (590 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bduf.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOHomePageCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSAccMgrDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SWCatalogDataItem.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\DriverManager.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\CompatibilityChecker.dll (0 bytes)
C:\s2co (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMCoolyContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginclean.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAcceleratorPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixer.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\NetService.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrustAndIso.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMAVEng.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginUnit.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDArKit.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSysFixerPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SusPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\hips.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcherPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\duilib license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginSetup.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKitUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcher.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMTrayTipsPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDNetMisc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonSusPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnTray.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\WebSafe.dll (0 bytes)
%Program Files%\Baidu\BaiduAn\s2co (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepBase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMScriptVM.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\ad.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDALeakfixer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\systemfile.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSCleaner.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccTrayPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSkin.dll (0 bytes)
%Program Files%\s2co (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\app.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDLogicUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnSvc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerPreScan.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatchAgent.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrayPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWParseDetect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_class_filter.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysOptDict.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PatcherContainer.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMUpdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDAVCache.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\804.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAn.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerLuaScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnBugRpt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SafePluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_property.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginManager.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonMgrDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMProcessRunningTime.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOSilentCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HotPlugins.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GCScriptBind.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDDownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysAccLiveStrategy.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSusPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerCheckItem.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\MainframePluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVMainPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDCooly.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\kav_compatible.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\vcredist_x86.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\homepage.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HIPS.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\virus_type.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\StartupDict.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccServicePlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\RtpContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_acc.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKVLogs.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\directui license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\dnw.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccStrategyMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HotPlugin.bnr (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\publish.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMConnect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMReport.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASoftmgr.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASWAcc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysRepLib.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMMainFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWrench.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerView.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccEngine.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GlobalPluginInfo.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerTrayPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\scan_mgr_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWindowsLib.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccSusPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\LocalPluginInfo.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWNestCore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccCoolyPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\blacksign.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerXMLScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\ns1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSafePlugin.dll (0 bytes)
%Program Files%\Baidu\s2co (0 bytes)

The process kkvlnyk.exe:1636 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVUpdate.rdb (1676 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe (1843 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\810.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\806.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayDldProtect.rdb (168 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll (2470 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\806.dat (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\901.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdvs.dat (5 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (40 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVMainFrame.dll (6404 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\directui license.txt (593 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\bduf.dll (308 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0002.sys (215 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\901.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNet.dll.bdl (29881 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\iexplore.exe.xml (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll.bdl (308228 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64 (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMAVE.dll (185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\SearchProtection.rdb (132 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\res\onlineWnd.zip (16424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVEng.dll (3716 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDLogicUtils.dll (258 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\changelog.txt (215 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\900.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\KavUpdate.dll (246 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BSRLib.dat (141 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe (9606 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray.rdb (1843 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMTinyXml.dll (181 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVCached.dll (303 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcp80.dll (1835 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\217122359\Setting\host.dat (306 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\fm.dat (597 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\blacksign.dat (852 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0002.sys (203 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Repair_PluginConfig.xml (411 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\BDArKit.pdb (3723 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\kav_verify.dat (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\Pizmdb.7z (83795 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\BDMWrench.sys (703 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll (1707 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0002.pdb (1849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMReport.dll.bdl (36352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\dl.dll (65930 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\810.dat (3 bytes)
%System%\drivers\bd0002.sys (1281 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (1987 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\All Users\Desktop\百度杀毒.lnk (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\04cffb82cb0ad0358680d869bf3dc3ad.bdt (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSkin.dll (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (166194 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\systemfile.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMUpdate.dll (160 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0001.pdb (273 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\hu.dll (3312 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\KVCommonRes.rdb (28502 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\809.dat (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDCooly.dll (44 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\卸载百度杀毒.lnk (796 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\804.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVLogs.dll (181 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect.dll (152 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (32 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\CompatibilityChecker.dll (90 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\virus_type.dat (485 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico (1623 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe (3791 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (5039 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand.dll (136 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdRepair.exe (1679 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\811.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe (1658 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\900.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.map (33 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0002.sys (1281 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll (1654 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe (1671 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\updlog.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVTray_PluginConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMReport.dll (1609 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\百度杀毒.lnk (823 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMMsg.dll (33 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\baidusdRepair.dll (123 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.pdb (1783 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastImage.png (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.map (39 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTips.rdb (69 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcr80.dll (3705 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ad.dll (1707 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMEvents.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\BDArKit.sys (80 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\DriverManager.dll (119 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\tuopan.png (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect_x64.dll (181 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\tips.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMNet.dll (3909 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\NetService.ini (615 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMFrameWork.dll (283 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKV.rdb (89 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\dnw.xml (149 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVRtp_PluginConfig.xml (2 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe (1843 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDUDiskGuard.dll (238 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMDownload.dll (324 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMPerfMon.dll (140 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0001.sys (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMSkin.dll (38495 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\TrustAndIso.dll (226 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMStringUtils.dll (49 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (945 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe (3924 bytes)
%System%\drivers\BDArKit.sys (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepMgr.dll (279 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Cooly_PluginConfig.xml (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0001.dll (131 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVConfig.rdb (120 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\BDAVCScan.dll (115 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\monitor_config.dat (559 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.pdb (1865 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\wverify.dat (12289 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll (1699 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDKitUtils.dll (54 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDLogicUtils.dll (30968 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86 (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayPlugin.rdb (3682 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe (1724 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\cache_config.dat (469 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\scan_mgr_config.dat (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\tmp_wmvut.dll (80376 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMBase.dll (6400 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSREng.dll (275 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdmp.dat (25 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMPatchAgent.dll (26 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.pdb (3665 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\HIPS.dll (6359 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\FileMon.dll (1818 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\hips.xml (17 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\804.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0002.dll (1749 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\atl80.dll (97 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDPerflog.dll (140 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\BDArKit.pdb (1832 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastLogo.ico (1623 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll (115 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMLog.dll (32 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\809.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMDownload.dll (5520 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll (99 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.map (38 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\PrivacyProtect.dll (164 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepBase.dll (3901 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\BDKVVirusPlugins.dll (1609 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\UserDetectionPlugin.dll (156 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0001.pdb (1775 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll (189 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSDWrench.dll (90 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\BDArKit.sys (90 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDConfig.dll (1838 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\DesktopToast.exe (103 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand64.dll (125 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\BDArKit.sys (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\811.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVQuarantine.rdb (10 bytes)
%System%\drivers\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0001.sys (70 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0002.pdb (3854 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.sys (64 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSRCore.dll (287 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray\TrayPlugin.rdb (1812 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcm80.dll (1760 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0001.sys (601 bytes)

The Trojan deletes the following file(s):

%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\810.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\bd0002.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\806.dat (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\win7\bd0003.pdb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\04cffb82cb0ad0358680d869bf3dc3ad.bdt (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\BDArKit.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\900.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\bd0002.pdb (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86 (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\win7\bd0003.map (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\winxp\bd0003.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\winxp\bd0003.pdb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\winxp (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\901.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\win7\bd0003.pdb (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\804.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0002.dll (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64 (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\bd0001.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\bd0001.sys (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\809.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\win7 (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\bd0001.pdb (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\winxp\bd0003.map (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\win7\bd0003.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\bd0001.pdb (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\BDArKit.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\win7\bd0003.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\BDArKit.pdb (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\bd0002.pdb (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\811.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\BDMWrench.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\win7\bd0003.map (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\bd0002.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\Pizmdb.7z (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\win7 (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\BDArKit.pdb (0 bytes)

The process jistlo.exe:3032 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\zn120146\set.ini (7 bytes)
%Documents and Settings%\%current user%\Application Data\zn120146\set120146\Setzh120146.ini (23 bytes)
%Documents and Settings%\%current user%\Application Data\zn120146\min.ini (14 bytes)

The process BaiduSdSvc.exe:444 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%System%\config\system (8366 bytes)
%WinDir%\Temp\Tar18.tmp (2712 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (816 bytes)
%WinDir%\Temp\Cab13.tmp (54 bytes)
%WinDir%\Temp\Cab15.tmp (54 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (36 bytes)
%WinDir%\Temp\Cab11.tmp (54 bytes)
%System%\config\SOFTWARE.LOG (22598 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db (149 bytes)
%WinDir%\Temp\Tar17.tmp (2712 bytes)
%WinDir%\Temp\Cab16.tmp (54 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\MANIFEST-000002 (4 bytes)
%System%\config\SYSTEM.LOG (11338 bytes)
%System%\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\privacy.db-journal (532 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db (145 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\privacy.db (149 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db-journal (512 bytes)
%System%\config\software (20585 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db-journal (532 bytes)
%WinDir%\Temp\Tar14.tmp (2712 bytes)
%WinDir%\Temp\Tar12.tmp (2712 bytes)
C:\$Directory (576 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\MANIFEST-000002 (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\MANIFEST-000001 (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\CURRENT (0 bytes)
%WinDir%\Temp\Cab15.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\BaiduSdCache.rptc (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db-journal (0 bytes)
%WinDir%\Temp\Tar14.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\privacy.db-journal (0 bytes)
%WinDir%\Temp\Tar17.tmp (0 bytes)
%WinDir%\Temp\Tar18.tmp (0 bytes)
%WinDir%\Temp\Cab13.tmp (0 bytes)
%WinDir%\Temp\Tar12.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\CURRENT (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\MANIFEST-000001 (0 bytes)
%WinDir%\Temp\Cab11.tmp (0 bytes)
%WinDir%\Temp\Cab16.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db-journal (0 bytes)

The process pczh_100_1.exe:2508 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Templates\120146115937419\YYM_955WD30.gif (750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsD.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp (23772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\tj.html (91 bytes)
%Program Files%\ainqngz3.9\jistlo.exe (5520 bytes)
%Documents and Settings%\%current user%\Desktop\°®Çé.ÖÇ»Û.3.9.lnk (708 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\°®Çé.ÖÇ»Û.3.9\жÔØ.lnk (715 bytes)
%Program Files%\ainqngz3.9\Ainqngz3.9.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].htm (91 bytes)
%Program Files%\ainqngz3.9\uninstall.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\md5dll.dll (8 bytes)
%Program Files%\ainqngz3.9\Hzsvr.exe (1552 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\°®Çé.ÖÇ»Û.3.9\°®Çé.ÖÇ»Û.3.9.lnk (720 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Templates\120146115937419\YYM_955WD30.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\tj.html (0 bytes)
%Documents and Settings%\%current user%\Templates\120146115937419 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Math.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Base64.dll (0 bytes)
%Program Files%\ainqngz3.9\0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\md5dll.dll (0 bytes)

The process BDASWAcc.exe:3976 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378090598[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378091496[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[2].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378089971[1].png (4301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388481627[1].png (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091009[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1374205283[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\json_get_selected_page_by_rand[1] (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\statics_img[1].gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378090169[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378090575[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378118373[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388481662[1].png (2651 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[2].js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (4553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091038[1].png (555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388481693[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378087540[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378090027[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378091529[1].png (555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378091571[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1390463888[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1374205294[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\selected_page[1].html (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378088733[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[2].js (3974 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\selected_page[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091654[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\json_get_selected_page_by_rand[1] (1426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[2].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091642[1].png (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[1].js (0 bytes)

Registry activity

The process vcredist_x86.exe:3636 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 9E ED 17 01 4D 2E 47 2C 5C EF 9C 0A D7 30 9B"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The Trojan deletes the following value(s) in system registry:


The Trojan disables automatic startup of the application by deleting the following autorun value:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"

The process netsh.exe:3420 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 4A 7F 60 99 CB 01 6E 14 11 8D 62 45 2A DE 5F"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\106]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe:*:Enabled:百度高速下载器"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\106]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe:*:Enabled:百度高速下载器"

The process netsh.exe:2944 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 0B F8 71 35 DC E6 48 18 18 3C 4F D0 A1 6C 9C"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\106]
"bddownloader.exe"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\106]
"bddownloader.exe"

The process netsh.exe:3044 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 DC 1F 44 27 E0 B1 A9 D0 37 D8 96 25 C8 75 F5"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\107]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\107\bddownloader.exe:*:Enabled:百度高速下载器"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\107]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\107\bddownloader.exe:*:Enabled:百度高速下载器"

The process BDKVWsc.exe:2824 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 8C BF DD 96 99 82 32 D3 92 B6 C3 C3 91 78 90"

The process BDKVWsc.exe:3172 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF CB F0 A5 31 44 E7 E0 B9 D7 C0 DA FF 8B 7C EE"

The process RegSvr32.exe:2928 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\AppID\ieCommonPlugin.DLL]
"AppID" = "{6B4447CA-C33E-4E65-914D-C7B346D73F80}"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\TypeLib]
"Version" = "1.0"
"(Default)" = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\VersionIndependentProgID]
"(Default)" = "ieCommonPlugin.Implement"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\ieCommonPlugin.Implement]
"(Default)" = "Implement Class"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\ieCommonPlugin.Implement\CurVer]
"(Default)" = "ieCommonPlugin.Implement.1"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\ProgID]
"(Default)" = "ieCommonPlugin.Implement.1"

[HKCR\ieCommonPlugin.Implement\CLSID]
"(Default)" = "{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}]
"(Default)" = "Implement Class"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}]
"(Default)" = "IImplement"

[HKCR\AppID\{6B4447CA-C33E-4E65-914D-C7B346D73F80}]
"(Default)" = "ieCommonPlugin"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 86 78 2B D3 E7 18 DD 07 BA FA 6F 34 13 3E E7"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll"

[HKCR\ieCommonPlugin.Implement.1\CLSID]
"(Default)" = "{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}"

[HKCR\ieCommonPlugin.Implement.1]
"(Default)" = "Implement Class"

[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\TypeLib]
"(Default)" = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"

[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0]
"(Default)" = "ieCommonPlugin 1.0 Type Library"

[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32]
"ThreadingModel" = "Apartment"

The process RegSvr32.exe:3192 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0]
"(Default)" = "BDShellExt 1.0 Type Library"

[HKCR\BDShellExt.BDShellExtMenu\CurVer]
"(Default)" = "BDShellExt.BDShellExtMenu.1"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\NumMethods]
"(Default)" = "3"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}]
"(Default)" = "IBDShellExtMenu"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"

[HKCR\BDShellExt.BDShellExtMenu.1]
"(Default)" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu]
"(Default)" = "BDShellExtMenu Class"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"

[HKCR\BDShellExt.BDShellExtMenu.1\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\lnkfile\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\AppID\BDShellExt.DLL]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00890530-6A9F-4be2-B1BB-73F01E2BB986}" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\TypeLib]
"(Default)" = "{45D1EEF3-7713-48fa-B7A5-B77229C7D330}"

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib]
"(Default)" = "{45D1EEF3-7713-48FA-B7A5-B77229C7D330}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\VersionIndependentProgID]
"(Default)" = "BDShellExt.BDShellExtMenu"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\ProgID]
"(Default)" = "BDShellExt.BDShellExtMenu.1"

[HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}]
"(Default)" = "PSFactoryBuffer"

[HKCR\AppID\{FBE0E29B-01DB-4876-B147-46F5AABA6823}]
"(Default)" = "BDShellExt"

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"

[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 0C 34 98 AC B2 4A 99 8F CC FB F4 6F 8C 78 30"

[HKCR\Folder\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]
"(Default)" = "BDShellExtMenu Class"

[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\HELPDIR]
"(Default)" = ""

[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32]
"ThreadingModel" = "Apartment"

The process bddownloader.exe:3760 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 61 B9 C4 34 72 F7 A7 F4 B9 B8 ED 94 26 25 46"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process bddownloader.exe:3268 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bddownloader.exe"

[HKCR\BDDownloadProxy.Downloader\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bddownloader.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\BDDownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\BDDownloadProxy.Downloader.1\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\BDDownloadProxy.Downloader]
"(Default)" = "Downloader Class"

[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"Version" = "1.0"

[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD FC 73 E6 FA 4B A6 8A 7C 14 13 35 A3 1A 04 37"

[HKCR\BDDownloadProxy.Downloader\CurVer]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}]
"(Default)" = "_IDownloaderEvents"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0]
"(Default)" = "DownloadProxy 1.0 Type Library"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
"(Default)" = "BDDownloadProxy.Downloader"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process bddownloader.exe:1236 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "c:\program files\common files\baidu\bddownload\107\bddownloader.exe"

[HKCR\BDDownloadProxy.Downloader\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\107\bddownloader.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\BDDownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\BDDownloadProxy.Downloader.1\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"(Default)" = "Downloader Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\BDDownloadProxy.Downloader]
"(Default)" = "Downloader Class"

[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 19 01 26 EA 1C 44 EB DD 00 D2 39 AC F3 E5 E3"

[HKCR\BDDownloadProxy.Downloader\CurVer]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
"(Default)" = "BDDownloadProxy.Downloader"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\Programmable]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]

The process BaiduSd.exe:3428 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 59 90 17 2C 42 C5 6E 28 A6 8D 17 92 21 9E 0C"

The process sc.exe:3016 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 22 00 1D 28 C2 B1 DA A4 24 8A 63 04 68 B1 E9"

The process sc.exe:2968 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 83 3F 4B EE AA 55 38 08 D2 AD B2 4E D0 EE FB"

The process aukncq_70404.exe:628 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 73 78 E2 78 61 B1 2E A7 1F 40 68 92 48 B4 EE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst8.tmp]
"jko.exe" = "jko"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"aukncq_70404.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\aukncq_70404.exe:*:Enabled:百度卫士在线安装程序"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp]
"jko.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe:*:Enabled:百度卫士安装程序"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp]
"jko.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe:*:Enabled:百度卫士安装程序"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"aukncq_70404.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\aukncq_70404.exe:*:Enabled:百度卫士在线安装程序"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"aukncq_70404.exe"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"aukncq_70404.exe"

The process baidusdTray.exe:2184 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 FD A8 3C 8C 3B A2 AB 41 39 A4 12 5E F9 8C 2B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdUpdate.exe" = "百度杀毒升级程序"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdBugRpt.exe" = "百度异常报告程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process Ainqngz3.9.exe:3024 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Ainqngz3.9.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1397550614"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 F5 02 4B 27 0B 12 01 8F 76 93 89 BA AC CB 9A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process cacls.exe:3344 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 A7 C1 D9 8F F0 2E F3 12 62 C0 83 33 F1 93 46"

The process BDDownloader.exe:1212 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F B9 E8 D7 C4 25 C9 EC 15 57 08 D0 63 42 F8 0C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process BDDownloader.exe:2964 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 1E B4 6E 2D 83 74 B0 67 98 27 91 8F 67 0B D8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process BDDownloader.exe:3692 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 4F 30 8C 68 60 AC 6C 8E DA 06 8A D7 B8 7F D2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\program files\common files\baidu\bddownload\107]
"bddownloader.exe" = "百度高速下载引擎"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process BDDownloader.exe:3076 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 06 17 34 C2 A8 33 6F 68 1B BF 2E 72 FD 54 BC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\program files\common files\baidu\bddownload\106]
"bddownloader.exe" = "百度高速下载引擎"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process BaiduAnTray.exe:1928 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 CE 80 A6 43 87 E3 FC 2B 7C DE 87 9A AA 62 8C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"PAUTime" = "1800000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

The process %original file name%.exe:228 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 91 32 10 26 E3 FE D0 00 85 6F E6 0E 17 75 3B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\29040_24295396777743]
"DisplayName" = "29040_24295396777743 1.0.2.4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\29040_24295396777743]
"Publisher" = "29040_24295396777743"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.pz100.pw"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.pz100.pw"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\29040_24295396777743]
"DisplayVersion" = "1.0.2.4"

The process regsvr32.exe:3444 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 88 F8 76 98 B3 D7 31 EF 95 CE CF 9D 95 93 2E"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\107\bdcomproxy.dll"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

The process regsvr32.exe:2948 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 85 57 13 C8 BF 14 4B 9A EB CF 6C 9F 5E 4E 8F"

[HKCR\CLSID\{85E0B1AA-04FA-11D1-B7DA-00A0C90348D6}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand.dll"
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{85E0B1AA-04FA-11D1-B7DA-00A0C90348D6}]
"(Default)" = "U盘防护"

The process regsvr32.exe:3468 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 A3 6D CF 7C 98 B7 3D EB AD 57 00 8A FB 64 59"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bdcomproxy.dll"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

The process BaiduAn.exe:2532 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 35 35 BE EC 71 DA D5 F6 EE 73 8D 61 43 04 92"

The process BaiduAn.exe:2476 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 26 61 2E B8 92 89 E2 4E 36 1C 19 33 A7 5D 8F"

The process BaiduSdBugRpt.exe:2368 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 3C 86 EA C5 5B 8F A5 FC 3A ED C8 5D 34 18 E9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process BaiduSdUpdate.exe:2904 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 50 E4 D8 63 FA 1E 6A 43 65 96 F1 08 27 AB 23"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process BaiduAnSvc.exe:3636 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C CD DC 8A 51 65 3A 78 8D 8B CE 15 0C AE 75 8A"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BaiduAnTray" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe -stmd=3"

The process BaiduAnSvc.exe:3924 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 16 57 67 6C 05 63 EB 53 09 DE 36 A0 07 1B D1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process jko.exe:2456 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"
"Description" = "BDArKit"

"Type" = "1"
"Group" = "bddriver"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"SupplyID" = "55555"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"InstallDir" = "%Program Files%\Baidu\BaiduAn"
"VirusTime" = "2013.04.05 1216"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"DisplayVersion" = "2.1.0.1214"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ImagePath" = "system32\DRIVERS\bd0002.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"DisplayName" = "BDMNetMon"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_gj" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"DisplayName" = "百度卫士2.1"

[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"Tag" = "3"
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"DisplayIcon" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\app.ico"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"INSTLANG" = "2052"
"InstallDate" = "2014-6-1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Group" = "bddriver"

"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"Version" = "2.1.0.1214"

[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"ErrorControl" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"RtpFlag" = "273"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"Publisher" = "百度在线网络技术(北京)有限公司"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Tag" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 68 46 8A 11 62 77 AB 2B 4F E6 D5 69 8F 46 F8"

[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"ImagePath" = "system32\DRIVERS\BDMNetMon.sys"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"UninstallString" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\uninst.exe"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"Description" = "BDMNetMon"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnTray.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe:*:Enabled:百度卫士托盘程序"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnSvc.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnSvc.exe:*:Enabled:百度卫士服务程序"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnSvc.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnSvc.exe:*:Enabled:百度卫士服务程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnBugRpt.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnBugRpt.exe:*:Enabled:百度卫士BUG上报程序"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnUpdate.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnUpdate.exe:*:Enabled:百度卫士更新程序"

"BaiduAnBugRpt.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnBugRpt.exe:*:Enabled:百度卫士BUG上报程序"

"BaiduAnTray.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe:*:Enabled:百度卫士托盘程序"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"Start" = "2"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAn.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAn.exe:*:Enabled:百度卫士主程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnUpdate.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnUpdate.exe:*:Enabled:百度卫士更新程序"

"BaiduAn.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAn.exe:*:Enabled:百度卫士主程序"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Baidu\BaiduAn]
"RtpFlag"

[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

The process kkvlnyk.exe:1636 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDate" = "2014-6-1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"UninstallString" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"Version" = "1.8.0.1255"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayVersion" = "1.8.0.1255"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\iexplore\AllowedDomains\*]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"vendor" = "Beijing baidu Netcom science and technology co.ltd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Description" = "百度杀毒功能组件"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"Publisher" = "百度在线网络技术(北京)有限公司"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Altitude" = "326912"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Tag" = "4"

[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_sd" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Group" = "FSFilter Anti-Virus"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"

[HKCR\metnsd\clsid]
"SequenceID" = "3C B7 C5 0D 26 85 FC 49 A3 76 24 6E 52 EB 66 9F"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin\MimeTypes\application/np-BaiduSDDetect]
"Description" = "BaidusdDetectNPPlugin"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances]
"DefaultInstance" = "bd0003 Instance"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDir" = "%Program Files%\Baidu\BaiduSd"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 9A D6 14 B5 BF 33 3F 8C 5F EA 40 A5 46 63 1A"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSd.exe" = "百度杀毒主程序"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DependOnService" = "FltMgr"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdSvc.exe" = "百度杀毒服务程序"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ImagePath" = "system32\DRIVERS\bd0003.sys"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Type" = "2"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag" = "273"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayIcon" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Tag" = "3"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"bddownloader.exe" = "百度高速下载引擎"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Path" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayName" = "百度杀毒1.8"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"VirusTime" = "2013.11.28 0110"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BDKVWsc.exe" = "百度杀毒安全中心接口"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ErrorControl" = "1"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ImagePath" = "system32\DRIVERS\bd0002.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"INSTLANG" = "2052"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"ProductName" = "BaiduSd"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Description" = "Baidusd detect NPAPI plugin"

[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, bddriver, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Version" = "1.0.0.1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Flags" = "0"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DisplayName" = "bd0003"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"SupplyID" = "11111"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdSvc.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe:*:Enabled:百度杀毒服务程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdBugRpt.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe:*:Enabled:百度杀毒BUG上报程序"

"BaiduSdUProxy64.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe:*:Enabled:百度杀毒代理程序"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0003]
"Start" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"kkvlnyk.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\kkvlnyk.exe:*:Enabled:百度杀毒在线安装程序"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdTray.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe:*:Enabled:百度杀毒托盘程序"

"BaiduSdUProxy64.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe:*:Enabled:百度杀毒代理程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdSvc.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe:*:Enabled:百度杀毒服务程序"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdUpdate.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe:*:Enabled:百度杀毒更新程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdTray.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe:*:Enabled:百度杀毒托盘程序"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdBugRpt.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe:*:Enabled:百度杀毒BUG上报程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdUpdate.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe:*:Enabled:百度杀毒更新程序"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp]
"ynz.dll" = "%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll:*:Enabled:百度杀毒安装程序"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp]
"ynz.dll" = "%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll:*:Enabled:百度杀毒安装程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"kkvlnyk.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\kkvlnyk.exe:*:Enabled:百度杀毒在线安装程序"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp]
"ynz.dll"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp]
"ynz.dll"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"kkvlnyk.exe"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"kkvlnyk.exe"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

The process jistlo.exe:3032 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 0D 63 87 87 C1 37 BD FE 00 FB D1 59 58 1C 4B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process BaiduSdSvc.exe:4012 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 01 C3 98 E0 52 76 5E 69 00 09 58 E7 D0 A7 03"

The process BaiduSdSvc.exe:444 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Group" = "FSFilter Anti-Virus"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"DisplayName" = "BDMWrench"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"ImagePath" = "system32\DRIVERS\BDMWrench.sys"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ErrorControl" = "1"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ImagePath" = "system32\DRIVERS\bd0002.sys"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Description" = "BDMWrench"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ImagePath" = "system32\DRIVERS\bd0003.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Description" = "百度杀毒功能组件"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Tag" = "5"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances]
"DefaultInstance" = "bd0003 Instance"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Type" = "2"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\BDKVRTP]
"ImagePath" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe -r"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Tag" = "3"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Altitude" = "326912"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"
"Type" = "1"
"Tag" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 23 26 87 65 56 3A 22 BA 2D 3C 6F C1 98 6E E8"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 A8 23 B4 A2"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DependOnService" = "FltMgr"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Flags" = "0"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DisplayName" = "bd0003"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 6F 7E 74 A3"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"baidusdTray" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe -stmd=3"

"baidusdTray" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe -stmd=3"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Start" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"B1BC968BD4F49D622AA89A81F2150152A41D829C"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates]
"E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

The process pczh_100_1.exe:2508 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\°®Çé.ÖÇ»Û.3.9]
"UninstallString" = "%Program Files%\ainqngz3.9\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\°®Çé.ÖÇ»Û.3.9]
"DisplayVersion" = ""

[HKLM\SOFTWARE\esfg]
"Install" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ainqngz3.9.exe]
"(Default)" = "%Program Files%\ainqngz3.9\Ainqngz3.9.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\°®Çé.ÖÇ»Û.3.9]
"DisplayIcon" = "%Program Files%\ainqngz3.9\uninstall.exe"

[HKLM\SOFTWARE\tyoh]
"EN" = "pczh_100_1.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\tyoh]
"ED" = "100"

"EX" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\tyoh]
"et" = "120146"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\°®Çé.ÖÇ»Û.3.9]
"DisplayName" = "°®Çé.ÖÇ»Û3.9"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 B2 81 40 FD 34 36 23 3F 0A 6D FB 0E 0A 3D 9C"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process MsiExec.exe:3424 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA D2 AA BC B3 88 5B BA FF D7 38 3E 14 5D 65 E9"

The process BDASWAcc.exe:3976 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "BDASWAcc.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1394463599"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 6F 8A 6C F5 C8 27 70 1F 2F 7E 12 A4 A0 73 12"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
a5b49ca5186d2eac47ae7095a07659cac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\aukncq_70404.exe
7ef27e038f3c449fd3c763192ff931c4c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\kkvlnyk.exe
a7d710e78711d5ab90e4792763241754c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\Md5dll.dll
f0419089787f4bd9d422c9d1933e0932c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\NSISdl.dll
f55b41485cbaf292389a52f8e4f0594bc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\System.dll
76d2faad042161f24b6c9c78de3bd265c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\xID.dll
0e54f1daa2d9c248ba16507c08ee9881c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDLogicUtils.dll
b62367fe2d02b8f47914b088a006d50cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMDownload.dll
06597a9f16b163c97b8f95d457bce8b2c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMNet.dll
928208161b61b8c36fa1a6095c1ccfabc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMNetGetInfo.dll
30cbc602ada7cdfb0346038c05996d84c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMReport.dll
39257175ac9c90199c69aea1a7bcbda0c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMSkin.dll
1c951bbcbc780046d6be1079a04870a4c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\System.dll
763b532d651f0ad5e135d9b57bf4fba4c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\dl.dll
ebfe7c9594e300bb0c16e7bb99a7e66dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\hu.dll
79118048fcbaef526f802925eabcaf32c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\tmp_wmvut.dll
9fd685edcd84e63eafe96f72891c8738c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDLogicUtils.dll
d184763cb4e62d531193978de7b82db2c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDMDownload.dll
928208161b61b8c36fa1a6095c1ccfabc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDMNetGetInfo.dll
30cbc602ada7cdfb0346038c05996d84c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDMReport.dll
b540a866191f7fd20f5e6355bc2b094ec:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDMSkin.dll
f52eb281e29da8065e18805617ac2cbcc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\System.dll
763b532d651f0ad5e135d9b57bf4fba4c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\dl.dll
ebfe7c9594e300bb0c16e7bb99a7e66dc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\hu.dll
4e283c503ef12d27b09deb52525fb1d1c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\tmppm4bkx.dll
79ddb8027714f30a93d354cee26ac802c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\pczh_100_1.exe
218c9c36d131a6574baea88b8c48a9e3c:\Program Files\ainqngz3.9\Ainqngz3.9.exe
cc8aa6c44a058317738b6f24af0d19fbc:\Program Files\ainqngz3.9\Hzsvr.exe
becf376b6bf708e841d3ad11f87b105ac:\Program Files\ainqngz3.9\jistlo.exe
919842788c075bc2d18dc6afcc0ada13c:\Program Files\ainqngz3.9\uninstall.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls creation and closing of processes by installing the process notifier.


Using the driver "%System%\DRIVERS\BDMNetMon.sys" the Trojan controls creation and closing of processes by installing the process notifier.


Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls creation and closing of threads by installing the thread notifier.


Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.


The Trojan installs the following kernel-mode hooks:

ZwUnloadKey

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    vcredist_x86.exe:3636
    netsh.exe:3420
    netsh.exe:2944
    netsh.exe:3044
    BDKVWsc.exe:2824
    BDKVWsc.exe:3172
    RegSvr32.exe:2928
    RegSvr32.exe:3192
    bddownloader.exe:3268
    bddownloader.exe:1236
    BaiduSd.exe:3428
    sc.exe:3016
    sc.exe:2968
    aukncq_70404.exe:628
    baidusdTray.exe:2184
    cacls.exe:3344
    BDDownloader.exe:1212
    BDDownloader.exe:2964
    BDDownloader.exe:3692
    BDDownloader.exe:3076
    BaiduAnTray.exe:1928
    regsvr32.exe:3444
    regsvr32.exe:2948
    regsvr32.exe:3468
    BaiduAn.exe:2532
    BaiduAn.exe:2476
    BaiduSdBugRpt.exe:2368
    BaiduSdUpdate.exe:2904
    BaiduAnSvc.exe:3636
    BaiduAnSvc.exe:3924
    jko.exe:2456
    kkvlnyk.exe:1636
    BaiduSdSvc.exe:4012
    BaiduSdSvc.exe:444
    pczh_100_1.exe:2508
    MsiExec.exe:3424
    BDASWAcc.exe:3976

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredis1.cab (6255 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredist.msi (42423 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNet.dll.bdl (46859 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe.bdl (707298 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMDownload.dll (5520 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (1788 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMSkin.dll (36698 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\tmppm4bkx.dll (24832 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDLogicUtils.dll (31856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMReport.dll.bdl (37075 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\dl.dll (65930 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\1942083177\Setting\host.dat (306 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bdt\3f88398fc048137c047f9ddd92a215ed.bdt (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse7.tmp (128685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bdt\2d519f2c31620e467cd7bbf4cdf9a59f.bdt (663 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\res\onlineWnd.zip (14184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNetGetInfo.dll (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\hu.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd (4 bytes)
    %System%\wbem\Logs (4 bytes)
    %WinDir%\repair (4 bytes)
    %System%\CatRoot2 (96 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB (4 bytes)
    C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DF464A.tmp (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (1460 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\000003.log (4 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\BaiduSdCache.rptc (68 bytes)
    %Program Files%\Common Files (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN (4 bytes)
    C:\$Directory (780 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData (4 bytes)
    %WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\LOG (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\000003.log (4 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
    %System%\drivers (4 bytes)
    %WinDir%\Prefetch (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (388 bytes)
    %WinDir%\Temp\Perflib_Perfdata_ea0.dat (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\LOG (4 bytes)
    %Documents and Settings%\%current user%\Cookies (200 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mini.fengyunzhibo[1].txt (200 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mini[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (943 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\new_common[1].css (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[2].js (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fymini[1].htm (1798 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAU3OLK5.gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\new_box[1].js (145 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@fengyunzhibo[1].txt (188 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (800 bytes)
    %Documents and Settings%\%current user%\UserData\2Z89WTQV\mini.fengyunzhibo[1].xml (266 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].php (1121 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fymini[2].htm (1853 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[1].js (5 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[2].js (174 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mini[1].js (73 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@tv.aiqingzhihui[1].txt (332 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (5880 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fyminiloader-min[1].js (660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zhibo2[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mini[1].css (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAPSSJDX.gif (35 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\bdcomproxy.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg22.tmp (86466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw23.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\bddownloader.exe (41699 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\dl.dll (65930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\7z.dll (12536 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\dl.dll (65930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\dl.dll (65930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\7z.dll (12536 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\dl.dll (65930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\bddownloader.exe (41699 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\bdcomproxy.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsuF.tmp (90616 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\107\bddownloader.exe (9605 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\107\7z.dll (2105 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\107\dl.dll (14988 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\107\bdcomproxy.dll (601 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe (9605 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\106\bdcomproxy.dll (601 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\106\7z.dll (2105 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\106\dl.dll (14988 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\SWManager\ultcache.dat (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pczh_100_1.exe (45392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aukncq_70404.exe (187984 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kkvlnyk.exe (232737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\z.ini (660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\xID.dll (3 bytes)
    %System%\config\SYSTEM.LOG (5097 bytes)
    %System%\config\software (10282 bytes)
    %System%\config\SOFTWARE.LOG (13344 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db (145 bytes)
    %WinDir%\Temp\Tar25.tmp (2712 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db-journal (512 bytes)
    %WinDir%\Temp\Cab24.tmp (54 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bduf.dll (29608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAn.exe (30464 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDAVCache.dll (34186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOHomePageCleanerConfig.dat (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSAccMgrDll.dll (29256 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerPlugin.dll (67969 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Mainpage.rdb (25776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SWCatalogDataItem.xml (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMWindowsLib.dll (601 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe (13122 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMMainFrame.dll (13122 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMNet.dll (9098 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASWAcc.exe (1552 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_2_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\CompatibilityChecker.dll (5064 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\PatcherContainer.xml (563 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnUpdate.exe (9605 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOTraceConfig.xml (9 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bd0002.dll (3073 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerLuaScript.dat (601 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\KVCommonRes.rdb (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.dll (16288 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerConfig.dat (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMCoolyContainerConfig.xml (465 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SusPluginContainerConfig.xml (605 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnSvc.exe (8657 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTray\TrayPlugin.rdb (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginclean.db (48928 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\directui license.txt (593 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SysAccelerator.rdb (15536 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDKVLogs.dll (7726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAcceleratorPlugin.dll (35507 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccMgr.dll (25776 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_property.dat (1281 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMAVEng.dll (11518 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixer.dll (9608 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDMNetMon.sys (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSCleaner.dll (57535 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMUpdate.rdb (12088 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMProcessRunningTime.dll (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrustAndIso.dll (35784 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\BDMSafePlugin.dll (7433 bytes)
    %Documents and Settings%\All Users\Desktop\百度卫士.lnk (895 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\LocalPluginInfo.xml (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMAVEng.dll (51840 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\pluginclean.db (48928 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Patcher.rdb (5064 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SysFixer.rdb (3312 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\blacksign.dat (537 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginUnit.dat (727 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDArKit.sys (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDCooly.dll (38103 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_minute_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSysFixerPlugin.dll (53394 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\PluginSetup.xml (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SYSAccMgrDll.dll (6841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceConfig.xml (18 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\hips.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GCScriptBind.dll (42762 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\systemfile.dat (3 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\BDMConnect.dll (9605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\hips.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPluginContainerConfig.xml (380 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcherPlugin.dll (49631 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SysAccLiveStrategy.dat (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepMgr.dll (25776 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_9_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginSetup.xml (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\TrustAndIso.dll (7971 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\vcredist_x86.exe (18934 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\GCScriptBind.dll (9605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\DriverManager.dll (22192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKitUtils.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\res\InstallWnd.zip (54196 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSOManagerPlugins\BDMSOAcceleratorPlugin.dll (7971 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMSetting.rdb (3312 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\CommonRes.rdb (37368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMTrayTipsPlugin.dll (40702 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\PluginManager.dll (9605 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\extends.rdb (2392 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDLogicUtils.dll (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginManager.dll (42222 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOGarbageCleanerConfig.dat (11 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDKV.rdb (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonSusPlugin.dll (32824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnTray.exe (57535 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\app.ico (2105 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\bd0001.sys (601 bytes)
    %System%\config\AppEvent.Evt (1744 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerScript.dat (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\WebSafe.dll (32824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.dll (5064 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMUpdate.dll (4545 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerXMLScript.dat (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepBase.dll (38103 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SYSCleaner.dll (13122 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMScriptVM.dll (1281 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_class_filter.db (7385 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\pluginUnit.dat (727 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\System.dll (784 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\DriverManager.dll (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\ad.dll (32784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDALeakfixer.exe (38904 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerScript.dat (53 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDASoftmgr.exe (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageCleanerConfig.dat (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq1A.tmp (2190194 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSOCleanerTrayPlugin.dll (7345 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\RtpContainerConfig.xml (474 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\systemfile.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPlugin.dll (35001 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDCooly.dll (8657 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SusPlugin.rdb (5520 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmswmanagerplugins\BDMSWManagerView.dll (9605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccTrayPlugin.dll (32784 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\BDMSOAccServicePlugin.dll (6841 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\BDMSOAccSusPlugin.dll (7433 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_blank_speed.png (14 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_1_speed.png (15 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\BDMPatcher.dll (12287 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SORegCleanerScript.dat (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSkin.dll (33536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcher.dll (55014 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMDownload.dll (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\app.ico (12024 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\AppBooster.rdb (12088 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\TrayPluginContainerConfig.xml (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDASWAcc.exe (38 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bd0001.dll (673 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\StartupDict.dat (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\NetService.ini (590 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerPreScan.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatchAgent.dll (19096 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrayPluginContainerConfig.xml (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMReport.dll (7726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWParseDetect.dll (39329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\BDMSkin.dll (37025 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageConfig.xml (28 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSkin.dll (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PatcherContainer.xml (563 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\PluginInstallHelper.dll (784 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\BDMNetMonSusPlugin.dll (7385 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度卫士\百度卫士.lnk (907 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMReport.dll (34773 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOSilentCleanerConfig.dat (11 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_5_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMScriptVM.dll (8184 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\duilib license.txt (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\scan_mgr_config.dat (2 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMPatchAgent.dll (3361 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SafePlugin.rdb (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysOptDict.dat (4 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOGarbageConfig.xml (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerLuaScript.dat (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnBugRpt.exe (34023 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_4_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SafePluginContainerConfig.xml (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_6_speed.png (15 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\804.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_property.dat (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDLogicUtils.dll (33295 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\SusPluginContainerConfig.xml (605 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccEngine.dll (4185 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccMgr.dll (5441 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMNetMonMgrDll.dll (49 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixer.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerScript.dat (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonMgrDll.dll (1856 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerCheckItem.dat (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerConfig.dat (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\BDMSWManagerFrame.dll (6841 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\pluginclean.db (10815 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDDownloader.exe (42222 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\uninst.exe (12287 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnSvc.exe (38103 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMProcessRunningTime.dll (22552 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\dnw.xml (149 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMKVMainPlugin.dll (10815 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HotPlugins.xml (386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDNetMisc.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNet.dll (40228 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\SafePluginContainerConfig.xml (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMANTIVIRUS (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnUpdate.exe (42222 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysAccLiveStrategy.dat (3312 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOTraceCleanerConfig.dat (4 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_acc.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSusPlugin.dll (32824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerConfig.dat (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmkvscanplugin\BDMKVScanPluginContainerConfig.xml (380 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_0_speed.png (15 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\MainframePluginContainerConfig.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerConfig.dat (5 bytes)
    %System%\drivers\BDMNetMon.sys (601 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSWParseDetect.dll (8657 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\Patch\publish.db (32763 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\SWCatalogDataItem.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_class_filter.db (33248 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerCheckItem.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\MainframePluginContainerConfig.xml (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMTrayTipsPlugin.dll (9098 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BDMSOCleaner\SOTraceConfig.xml (9 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSWNestCore.dll (7547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWindowsLib.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVMainPlugin.dll (46916 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDMWrench.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMUpdate.dll (23936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\kav_compatible.dat (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\vcredist_x86.exe (82435 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\homepage.ini (361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HIPS.dll (59286 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_7_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\duilib license.txt (1 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_3_speed.png (15 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\GlobalPluginInfo.xml (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\virus_type.dat (485 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMCoolyPlugins\BDMCoolyContainerConfig.xml (465 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Softmgr.rdb (690 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\KVMain.rdb (1856 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDNetMisc.dll (601 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnBugRpt.exe (7547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\StartupDict.dat (16944 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDAVCache.dll (7547 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccServicePlugin.dll (30344 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\HotPlugins.xml (386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\RtpContainerConfig.xml (474 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SOManager.rdb (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_acc.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKVLogs.dll (35001 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\uninst.exe (54196 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDKitUtils.dll (40 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SWManager.rdb (18424 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\SysRepLib.dat (22 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSOManagerPlugins\BDMSOCleanerPlugin.dll (15506 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\directui license.txt (593 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\dnw.xml (149 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDArKit.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccStrategyMgr.dll (23296 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\kav_compatible.dat (25 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDBrowserProtecter.rdb (4992 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMRepMgr.dll (5441 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\CompatibilityChecker.dll (673 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTray.rdb (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\publish.db (140983 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_8_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMConnect.dll (43318 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASoftmgr.exe (38904 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\virus_type.dat (485 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerPreScan.dat (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度卫士\卸载百度卫士.lnk (880 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSOAccTrayPlugin.dll (7345 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\HIPS.dll (13122 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTips.rdb (6584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysRepLib.dat (784 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAn.exe (6841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.sys (7192 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOHomePageCleanerConfig.dat (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMMainFrame.dll (59286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWrench.sys (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerFrame.dll (30464 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerView.dll (43318 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BDMSOCleaner\SOGarbageConfig.xml (14 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SOTurbo.rdb (784 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSusPlugin.dll (7385 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\ad.dll (7345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccEngine.dll (22192 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_second_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GlobalPluginInfo.xml (784 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDALeakfixer.exe (8657 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmkvscanplugin\BDMKVScanPlugin.dll (7726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerTrayPlugin.dll (32784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerConfig.dat (900 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\scan_mgr_config.dat (2 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMSysFixerPlugin.dll (12287 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccSusPlugin.dll (33391 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceCleanerConfig.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\nsExec.dll (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\LocalPluginInfo.xml (14 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\bd0002.sys (1281 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\homepage.ini (361 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMCoolyPlugins\BDMSOAccCoolyPlugin.dll (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWNestCore.dll (33877 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\websafe\WebSafe.dll (7385 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\bduf.dll (6841 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMPatcherPlugin.dll (11518 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SORegCleanerConfig.dat (900 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccCoolyPlugin.dll (28288 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\BDDownloader.exe (9605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\blacksign.dat (537 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.sys (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerXMLScript.dat (2 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccStrategyMgr.dll (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\InstallHelper.dll (34186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMDownload.dll (28288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\804.dat (3 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOSilentCleanerConfig.dat (11 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMRepBase.dll (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\ns1C.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSafePlugin.dll (33391 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SysOptDict.dat (4 bytes)
    %Program Files%\Baidu\BaiduAn\2.1.0.1214\NetService.ini (590 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVUpdate.rdb (1676 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe (1843 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\810.dat (3 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\806.dat (3 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayDldProtect.rdb (168 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll (2470 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\806.dat (3 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\901.dat (8 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdvs.dat (5 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVMainFrame.dll (6404 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\directui license.txt (593 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\bduf.dll (308 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0002.sys (215 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\901.dat (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNet.dll.bdl (29881 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\iexplore.exe.xml (528 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll.bdl (308228 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64 (4 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMAVE.dll (185 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\SearchProtection.rdb (132 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\res\onlineWnd.zip (16424 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVEng.dll (3716 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDLogicUtils.dll (258 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\changelog.txt (215 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\900.dat (8 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\KavUpdate.dll (246 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BSRLib.dat (141 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe (9606 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray.rdb (1843 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMTinyXml.dll (181 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVCached.dll (303 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcp80.dll (1835 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNetGetInfo.dll (9608 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\217122359\Setting\host.dat (306 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\fm.dat (597 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\blacksign.dat (852 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0002.sys (203 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Repair_PluginConfig.xml (411 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\BDArKit.pdb (3723 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.sys (55 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\kav_verify.dat (677 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\Pizmdb.7z (83795 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\BDMWrench.sys (703 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll (1707 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0002.pdb (1849 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMReport.dll.bdl (36352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\dl.dll (65930 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\810.dat (3 bytes)
    %System%\drivers\bd0002.sys (1281 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\GameNoDisturb.ini (215 bytes)
    %Documents and Settings%\All Users\Desktop\百度杀毒.lnk (811 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bdt\04cffb82cb0ad0358680d869bf3dc3ad.bdt (4 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSkin.dll (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (166194 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\systemfile.dat (3 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMUpdate.dll (160 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0001.pdb (273 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\duilib license.txt (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\hu.dll (3312 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\KVCommonRes.rdb (28502 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\809.dat (3 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDCooly.dll (44 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\卸载百度杀毒.lnk (796 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\804.dat (3 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVLogs.dll (181 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect.dll (152 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\CompatibilityChecker.dll (90 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\virus_type.dat (485 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico (1623 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe (3791 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand.dll (136 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdRepair.exe (1679 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\811.dat (8 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe (1658 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\900.dat (8 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.map (33 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0002.sys (1281 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll (1654 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVMainframe_PluginConfig.xml (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe (1671 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.sys (55 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\updlog.dll (15 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVTray_PluginConfig.xml (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMReport.dll (1609 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\百度杀毒.lnk (823 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMMsg.dll (33 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\baidusdRepair.dll (123 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.pdb (1783 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastImage.png (5 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.map (39 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTips.rdb (69 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcr80.dll (3705 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\ad.dll (1707 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMEvents.dll (15 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\BDArKit.sys (80 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\DriverManager.dll (119 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\tuopan.png (3 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect_x64.dll (181 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\tips.xml (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMNet.dll (3909 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\NetService.ini (615 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMFrameWork.dll (283 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKV.rdb (89 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\dnw.xml (149 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVRtp_PluginConfig.xml (2 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe (1843 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDUDiskGuard.dll (238 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMDownload.dll (324 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMPerfMon.dll (140 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0001.sys (160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMSkin.dll (38495 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\TrustAndIso.dll (226 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMStringUtils.dll (49 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (945 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe (3924 bytes)
    %System%\drivers\BDArKit.sys (601 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepMgr.dll (279 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Cooly_PluginConfig.xml (720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (784 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0001.dll (131 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVConfig.rdb (120 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\BDAVCScan.dll (115 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\monitor_config.dat (559 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.pdb (1865 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\wverify.dat (12289 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll (1699 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDKitUtils.dll (54 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDLogicUtils.dll (30968 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86 (4 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayPlugin.rdb (3682 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0003.sys (55 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe (1724 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\cache_config.dat (469 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\scan_mgr_config.dat (5 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\tmp_wmvut.dll (80376 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMBase.dll (6400 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSREng.dll (275 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdmp.dat (25 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMPatchAgent.dll (26 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.pdb (3665 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\HIPS.dll (6359 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\FileMon.dll (1818 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\hips.xml (17 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\804.dat (3 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0002.dll (1749 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\atl80.dll (97 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDPerflog.dll (140 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\BDArKit.pdb (1832 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastLogo.ico (1623 bytes)
    %System%\drivers\bd0001.sys (601 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll (115 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMLog.dll (32 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\809.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMDownload.dll (5520 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll (99 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.map (38 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\PrivacyProtect.dll (164 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepBase.dll (3901 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\BDKVVirusPlugins.dll (1609 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\UserDetectionPlugin.dll (156 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0001.pdb (1775 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll (189 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSDWrench.dll (90 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\BDArKit.sys (90 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDConfig.dll (1838 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\DesktopToast.exe (103 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand64.dll (125 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\BDArKit.sys (601 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\811.dat (8 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVQuarantine.rdb (10 bytes)
    %System%\drivers\bd0003.sys (55 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0001.sys (70 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0002.pdb (3854 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.sys (64 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSRCore.dll (287 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray\TrayPlugin.rdb (1812 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcm80.dll (1760 bytes)
    %Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0001.sys (601 bytes)
    %Documents and Settings%\%current user%\Application Data\zn120146\set.ini (7 bytes)
    %Documents and Settings%\%current user%\Application Data\zn120146\set120146\Setzh120146.ini (23 bytes)
    %Documents and Settings%\%current user%\Application Data\zn120146\min.ini (14 bytes)
    %WinDir%\Temp\Tar18.tmp (2712 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (816 bytes)
    %WinDir%\Temp\Cab13.tmp (54 bytes)
    %WinDir%\Temp\Cab15.tmp (54 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (36 bytes)
    %WinDir%\Temp\Cab11.tmp (54 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db (149 bytes)
    %WinDir%\Temp\Tar17.tmp (2712 bytes)
    %WinDir%\Temp\Cab16.tmp (54 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\MANIFEST-000002 (4 bytes)
    %System%\drivers\BDMWrench.sys (601 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\privacy.db-journal (532 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db (145 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db-journal (512 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db-journal (532 bytes)
    %WinDir%\Temp\Tar14.tmp (2712 bytes)
    %WinDir%\Temp\Tar12.tmp (2712 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\MANIFEST-000002 (4 bytes)
    %Documents and Settings%\%current user%\Templates\120146115937419\YYM_955WD30.gif (750 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsC.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Math.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Base64.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsD.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp (23772 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\tj.html (91 bytes)
    %Program Files%\ainqngz3.9\jistlo.exe (5520 bytes)
    %Documents and Settings%\%current user%\Desktop\°®Çé.ÖÇ»Û.3.9.lnk (708 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\°®Çé.ÖÇ»Û.3.9\жÔØ.lnk (715 bytes)
    %Program Files%\ainqngz3.9\Ainqngz3.9.exe (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].htm (91 bytes)
    %Program Files%\ainqngz3.9\uninstall.exe (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\md5dll.dll (8 bytes)
    %Program Files%\ainqngz3.9\Hzsvr.exe (1552 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\°®Çé.ÖÇ»Û.3.9\°®Çé.ÖÇ»Û.3.9.lnk (720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[1].js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378090598[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378091496[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[2].js (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378089971[1].png (4301 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388481627[1].png (267 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091009[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1374205283[1].png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\json_get_selected_page_by_rand[1] (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\statics_img[1].gif (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378090169[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378090575[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378118373[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388481662[1].png (2651 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[2].js (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[1].js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (4553 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091038[1].png (555 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388481693[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378087540[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378090027[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378091529[1].png (555 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378091571[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1390463888[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1374205294[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\selected_page[1].html (726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378088733[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[1].js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[2].js (3974 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\selected_page[1].htm (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091654[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\json_get_selected_page_by_rand[1] (1426 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[2].js (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091642[1].png (3 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BaiduAnTray" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe -stmd=3"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "baidusdTray" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe -stmd=3"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623624240644.46284dab38f512d56590c009f506a9c20a2f0
.rdata28672476451203.49973165e3e874dc59c8a96748c6f4d0f4207
.data3686415471210243.3307a5573ac89d4a106e6174f74a97e83c42
.ndata1925128192000d41d8cd98f00b204e9800998ecf8427e
.rsrc27443282688829445.2429342dadbfa0548236155209e6f107bc6bd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://hi.petj.org/setup/?name=%original file name%.exe&mac=00-0C-29-02-CD-FB&md5=34bc6520b971e02a7d0a01c533a9df9b&ini=z.ini&v=1.0.2.461.147.92.105
hxxp://shadu.n.shifen.com/index/minidownload/30656
hxxp://baidubrs.dlmix.glb0.lxdns.com/tpymn/hqphc_30656.exe
hxxp://209.170.78.71/dl1sw.baidu.com/tpymn/hqphc_30656.exe?wsiphost=ipdb
hxxp://shadu.n.shifen.com/index/minidownload/70404
hxxp://baidubrs.dlmix.glb0.lxdns.com/new_wsmn/tjjrfx_70404.exe
hxxp://209.170.78.71/dl1sw.baidu.com/new_wsmn/tjjrfx_70404.exe?wsiphost=ipdb
hxxp://pxsw.n.shifen.com/
hxxp://c01.i07.arnic.hadns.net/new/pczh_100_1.txt
hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMReport.dll
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/patch/16101830722/BDMNet.dll
hxxp://209.170.78.71/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=ipdb
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/install/21290079118/BDMZip.dll
hxxp://209.170.78.71/dl1sw.baidu.com/client1/common/install/21290079118/BDMZip.dll?wsiphost=ipdb
hxxp://bcs.jomodns.com/sw-search-sp/client/dlljg1/BDMNet.dll
hxxp://c01.i07.arnic.hadns.net/0403/help1.html
hxxp://c01.i07.arnic.hadns.net/up_17.html?06011159
hxxp://dx5.3525.com/tj.php?mac=000C2902CDFB&st=1&exez=pczh_100_1.exe&exef=%original file name%.exe&pass=44683dff641394194c05e3f3ca584214&url1=hxxp://ya.ru/&url2=ya
hxxp://dx5.3525.com/xin/?ver=137
hxxp://sxsw.n.shifen.com/
hxxp://c01.i07.arnic.hadns.net/zhibo2.html?id=pczh_100_1.exe&en=120146&go=
hxxp://sxcdn.kukuplay.com/support/mini/fyminiloader-min.js
hxxp://c.split.cnzz.com/stat.php?id=2701879&web_id=2701879
hxxp://z10.cnzz.com/stat.htm?id=2701879&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=1706435429-1401613207-&showp=1276x846&st=0&sin=&t=&rnd=1502861487
hxxp://dlsw.baidu.com/sw-search-sp/client/dlljg1/BDMNet.dll61.155.165.27
hxxp://dlsw.baidu.com/sw-search-shadu/client/dllv4/BDMReport.dll61.155.165.27
hxxp://tj.aiqingzhihui.com/xin/?ver=137222.186.130.92
hxxp://p.x.baidu.com/180.149.131.24
hxxp://tj.aiqingzhihui.com/tj.php?mac=000C2902CDFB&st=1&exez=pczh_100_1.exe&exef=%original file name%.exe&pass=44683dff641394194c05e3f3ca584214&url1=hxxp://ya.ru/&url2=ya222.186.130.92
hxxp://dl1sw.baidu.com/new_wsmn/tjjrfx_70404.exe8.37.235.12
hxxp://s.x.baidu.com/180.76.2.46
hxxp://dl1sw.baidu.com/client1/common/install/21290079118/BDMZip.dll8.37.235.12
hxxp://s6.cnzz.com/stat.php?id=2701879&web_id=27018791.99.192.15
hxxp://dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll8.37.235.12
hxxp://tv.aiqingzhihui.com/zhibo2.html?id=pczh_100_1.exe&en=120146&go=125.39.21.33
hxxp://static.m0dlcdn.kukuplay.com/support/mini/fyminiloader-min.js211.142.30.27
hxxp://xz.fuzhicheng.com/new/pczh_100_1.txt125.39.21.33
hxxp://dl1sw.baidu.com/tpymn/hqphc_30656.exe8.37.235.12
hxxp://weishi.baidu.com/index/minidownload/70404180.149.131.112
hxxp://shadu.baidu.com/index/minidownload/30656180.149.131.112
hxxp://update.aiqingzhihui.com/up_17.html?06011159125.39.21.36
hxxp://update.aiqingzhihui.com/0403/help1.html125.39.21.36
dtrp.download.iyuntian.com123.125.65.150
cfg.download.iyuntian.com123.125.65.132
jp.download.iyuntian.com123.125.65.154
c.cnzz.com42.120.219.6
down.begrp.org222.186.60.12
res.download.iyuntian.com123.125.65.129
tk.download.iyuntian.com123.125.69.209
rc.download.iyuntian.com123.125.65.153
hzs17.cnzz.com42.156.140.23
my.zolly.org113.107.42.55
utk.download.iyuntian.com123.125.65.147
mini.fengyunzhibo.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps