Trojan.Win32.Badur.hcxs (Kaspersky), Trojan.Downloader.Hicrazyk.A (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: d4c85e243aa8e2e57d393ba15a563481
SHA1: 1422085e1189e08eb7ea73566053a8c13984f982
SHA256: b6589cad3df6ff889cfb484abf344063bd81576888a9edc7b18fbf53ef786071
SSDeep: 3072:hY3dFNJPmDamJF2ib9PAc65hyHRg36B4TJxCGqYr4w:h npSbecUD36BGxgw
Size: 143720 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-02-05 03:59:54
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
vcredist_x86.exe:3636
netsh.exe:3420
netsh.exe:2944
netsh.exe:3044
BDKVWsc.exe:2824
BDKVWsc.exe:3172
RegSvr32.exe:2928
RegSvr32.exe:3192
bddownloader.exe:3268
bddownloader.exe:1236
BaiduSd.exe:3428
sc.exe:3016
sc.exe:2968
aukncq_70404.exe:628
baidusdTray.exe:2184
cacls.exe:3344
BDDownloader.exe:1212
BDDownloader.exe:2964
BDDownloader.exe:3692
BDDownloader.exe:3076
BaiduAnTray.exe:1928
regsvr32.exe:3444
regsvr32.exe:2948
regsvr32.exe:3468
BaiduAn.exe:2532
BaiduAn.exe:2476
BaiduSdBugRpt.exe:2368
BaiduSdUpdate.exe:2904
BaiduAnSvc.exe:3636
BaiduAnSvc.exe:3924
jko.exe:2456
kkvlnyk.exe:1636
BaiduSdSvc.exe:4012
BaiduSdSvc.exe:444
pczh_100_1.exe:2508
MsiExec.exe:3424
BDASWAcc.exe:3976
The Trojan injects its code into the following process(es):
bddownloader.exe:3760
Ainqngz3.9.exe:3024
%original file name%.exe:228
jistlo.exe:3032
File activity
The process vcredist_x86.exe:3636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredis1.cab (6255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredist.msi (42423 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredis1.cab (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredist.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\crt.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP (0 bytes)
The process bddownloader.exe:3760 makes changes in the file system.
The Trojan deletes the following file(s):
%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe (0 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106 (0 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\7z.dll (0 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\bdcomproxy.dll (0 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\dl.dll (0 bytes)
The process aukncq_70404.exe:628 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNet.dll.bdl (46859 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe.bdl (707298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (1788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\tmppm4bkx.dll (24832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (5707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMReport.dll.bdl (37075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\1942083177\Setting\host.dat (306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\3f88398fc048137c047f9ddd92a215ed.bdt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7.tmp (128685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\2d519f2c31620e467cd7bbf4cdf9a59f.bdt (663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe (7422 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\res\onlineWnd.zip (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\System.dll (784 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Program Files%\Baidu\sjk (0 bytes)
%Program Files%\sjk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso6.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Program Files%\Baidu\BaiduAn\sjk (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
C:\sjk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
The process baidusdTray.exe:2184 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd (4 bytes)
%System%\wbem\Logs (4 bytes)
%WinDir%\repair (4 bytes)
%System%\CatRoot2 (96 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DF464A.tmp (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (1460 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\000003.log (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\BaiduSdCache.rptc (68 bytes)
%Program Files%\Common Files (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN (4 bytes)
C:\$Directory (780 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData (4 bytes)
%System% (856 bytes)
%WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\LOG (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\000003.log (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%System%\config (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp (4 bytes)
%System%\drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255 (4 bytes)
%WinDir%\Prefetch (196 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (388 bytes)
%WinDir%\Temp\Perflib_Perfdata_ea0.dat (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (520 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\LOG (4 bytes)
%Documents and Settings%\%current user%\Cookies (200 bytes)
The process Ainqngz3.9.exe:3024 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@mini.fengyunzhibo[1].txt (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mini[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\new_common[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[2].js (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fymini[1].htm (1798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAU3OLK5.gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\new_box[1].js (145 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@fengyunzhibo[1].txt (188 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (800 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\mini.fengyunzhibo[1].xml (266 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fymini[2].htm (1853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[1].js (5 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[2].js (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mini[1].js (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tv.aiqingzhihui[1].txt (332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fyminiloader-min[1].js (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zhibo2[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mini[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAPSSJDX.gif (35 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAU3OLK5.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAPSSJDX.gif (0 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\www.aaa[1].xml (0 bytes)
The process BDDownloader.exe:1212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\bdcomproxy.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg22.tmp (86466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw23.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\7z.dll (12536 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\dl.dll (65930 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw23.tmp\System.dll (0 bytes)
The process BDDownloader.exe:2964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\7z.dll (12536 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\bdcomproxy.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuF.tmp (90616 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nszE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\System.dll (0 bytes)
The process BDDownloader.exe:3692 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\Baidu\BDDownload\107\bddownloader.exe (9605 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\7z.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\dl.dll (14988 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\bdcomproxy.dll (601 bytes)
The process BDDownloader.exe:3076 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe (9605 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\bdcomproxy.dll (601 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\7z.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\dl.dll (14988 bytes)
The process BaiduAnTray.exe:1928 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\SWManager\ultcache.dat (196 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (236484 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pczh_100_1.exe (45392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aukncq_70404.exe (187984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkvlnyk.exe (232737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\z.ini (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\xID.dll (3 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\z.ini.log (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (0 bytes)
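The block above is the dropper stage of the sample: the original file unpacks NSIS helper plugins (System.dll, NSISdl.dll, Md5dll.dll, xID.dll) into Temp\nsf2.tmp, writes four further executables into Temp, and three of those (aukncq_70404.exe, kkvlnyk.exe, pczh_100_1.exe) reappear in the process list under "Process activity", while setup_3128.exe does not. The Python script below is an added example, not part of the Lavasoft report or its tooling. It parses lines in this report's list format into structured records and automates the two checks just made by hand: executables written to disk whose base name later shows up as a created process, and DLLs staged under a Temp\ns*.tmp directory (NSIS unpacks its plugins into such a directory at run time; treating that as an installer fingerprint is this example's heuristic, not a statement from the report). The embedded input is a constructed excerpt copied from this page.

```python
"""Triage helper for sandbox reports in the Lavasoft MAS list format (added example).

Parses the "Process activity" and "File activity" lists into records and applies
two heuristics:
  * dropped-and-executed: an executable written by one process whose base name
    later appears as a created process (the dropper pattern);
  * NSIS staging: plugin DLLs written into a Temp\\ns*.tmp directory, which is
    where NSIS installers unpack their helper plugins at run time.
"""
import os
import re
from collections import defaultdict

# Constructed excerpt copied from the report above; not the sandbox's raw output.
SAMPLE_REPORT = r"""The Trojan creates the following process(es):
aukncq_70404.exe:628
kkvlnyk.exe:1636
pczh_100_1.exe:2508
netsh.exe:3420
The Trojan injects its code into the following process(es):
%original file name%.exe:228
File activity
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (236484 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pczh_100_1.exe (45392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aukncq_70404.exe (187984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkvlnyk.exe (232737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\NSISdl.dll (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (0 bytes)
"""

PROC_LINE = re.compile(r"^(?P<image>.+?):(?P<pid>\d+)$")
FILE_LINE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")
PROC_HEADER = re.compile(r"^The process (?P<proc>.+?) makes changes in the file system\.$")
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}
# NSIS plugin staging directory: <Temp>\ns<random>.tmp\ (heuristic, see lead-in).
NSIS_STAGE_DIR = re.compile(r"\\ns[a-z0-9]+\.tmp\\", re.IGNORECASE)


def parse_report(text):
    """Return {'created': {image: [pid, ...]}, 'injected': {...}, 'files': [...]}.

    Each file record is (owning process, 'write' | 'delete', path, size in bytes).
    """
    created, injected, files = defaultdict(list), defaultdict(list), []
    proc_target, action, owner = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "creates the following process(es)" in line:
            proc_target, action = created, None
        elif "injects its code into the following process(es)" in line:
            proc_target, action = injected, None
        elif PROC_HEADER.match(line):
            owner = PROC_HEADER.match(line)["proc"]
            proc_target, action = None, None
        elif "creates and/or writes to the following file(s)" in line:
            action = "write"
        elif "deletes the following file(s)" in line:
            action = "delete"
        elif proc_target is not None and PROC_LINE.match(line):
            m = PROC_LINE.match(line)
            proc_target[m["image"]].append(int(m["pid"]))
        elif action and FILE_LINE.match(line):
            m = FILE_LINE.match(line)
            files.append((owner, action, m["path"], int(m["size"])))
    return {"created": dict(created), "injected": dict(injected), "files": files}


def basename(win_path):
    # The report uses Windows separators regardless of the host this runs on.
    return win_path.rsplit("\\", 1)[-1]


def dropped_and_executed(report):
    """Executables written to disk whose base name later appears as a created process."""
    launched = {img.lower() for img in report["created"]}
    hits = set()
    for _owner, action, path, _size in report["files"]:
        name = basename(path)
        if (action == "write"
                and os.path.splitext(name)[1].lower() in EXEC_EXT
                and name.lower() in launched):
            hits.add(name)
    return sorted(hits)


def nsis_plugins(report):
    """DLLs staged in a Temp\\ns*.tmp directory: an NSIS-installer fingerprint."""
    return sorted({basename(p) for _o, a, p, _s in report["files"]
                   if a == "write" and NSIS_STAGE_DIR.search(p)
                   and p.lower().endswith(".dll")})


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("dropped and executed:", dropped_and_executed(rep))
    print("NSIS plugins staged:", nsis_plugins(rep))
```

On the excerpt this reports aukncq_70404.exe, kkvlnyk.exe and pczh_100_1.exe as dropped-and-executed and Md5dll.dll, NSISdl.dll and System.dll as staged NSIS plugins. Feeding it the full "Process activity" and "File activity" text of this page instead of the excerpt extends both checks to every child process, which is the quickest way to see which of the many Baidu components here were written by the sample and then run.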
The process BaiduSdUpdate.exe:2904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\BaiduSdCache.rptc (68 bytes)
The process BaiduAnSvc.exe:3636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\SYSTEM.LOG (5097 bytes)
%System%\config\software (10282 bytes)
%System%\config\SOFTWARE.LOG (13344 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db (145 bytes)
%WinDir%\Temp\Tar25.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db-journal (512 bytes)
%System%\config (200 bytes)
%System%\config\system (3608 bytes)
%WinDir%\Temp\Cab24.tmp (54 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\Cab24.tmp (0 bytes)
%WinDir%\Temp\Tar25.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db-journal (0 bytes)
The process jko.exe:2456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bduf.dll (29608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAn.exe (30464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDAVCache.dll (34186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOHomePageCleanerConfig.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSAccMgrDll.dll (29256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerPlugin.dll (67969 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Mainpage.rdb (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SWCatalogDataItem.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMWindowsLib.dll (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe (13122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMMainFrame.dll (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMNet.dll (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASWAcc.exe (1552 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_2_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\CompatibilityChecker.dll (5064 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\PatcherContainer.xml (563 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnUpdate.exe (9605 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOTraceConfig.xml (9 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bd0002.dll (3073 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerLuaScript.dat (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\KVCommonRes.rdb (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.dll (16288 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerConfig.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMCoolyContainerConfig.xml (465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SusPluginContainerConfig.xml (605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnSvc.exe (8657 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTray\TrayPlugin.rdb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginclean.db (48928 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\directui license.txt (593 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SysAccelerator.rdb (15536 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDKVLogs.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAcceleratorPlugin.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccMgr.dll (25776 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_property.dat (1281 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMAVEng.dll (11518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixer.dll (9608 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDMNetMon.sys (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSCleaner.dll (57535 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMUpdate.rdb (12088 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMProcessRunningTime.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrustAndIso.dll (35784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\BDMSafePlugin.dll (7433 bytes)
%Documents and Settings%\All Users\Desktop\百度卫士.lnk (895 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\LocalPluginInfo.xml (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMAVEng.dll (51840 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\pluginclean.db (48928 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Patcher.rdb (5064 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SysFixer.rdb (3312 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\blacksign.dat (537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginUnit.dat (727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDArKit.sys (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDCooly.dll (38103 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_minute_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSysFixerPlugin.dll (53394 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\PluginSetup.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SYSAccMgrDll.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceConfig.xml (18 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\hips.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GCScriptBind.dll (42762 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\systemfile.dat (3 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\BDMConnect.dll (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\hips.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPluginContainerConfig.xml (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcherPlugin.dll (49631 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SysAccLiveStrategy.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepMgr.dll (25776 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_9_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginSetup.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\TrustAndIso.dll (7971 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\vcredist_x86.exe (18934 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\GCScriptBind.dll (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\DriverManager.dll (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKitUtils.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\res\InstallWnd.zip (54196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSOManagerPlugins\BDMSOAcceleratorPlugin.dll (7971 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMSetting.rdb (3312 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\CommonRes.rdb (37368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMTrayTipsPlugin.dll (40702 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\PluginManager.dll (9605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\extends.rdb (2392 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDLogicUtils.dll (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginManager.dll (42222 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOGarbageCleanerConfig.dat (11 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDKV.rdb (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonSusPlugin.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnTray.exe (57535 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\app.ico (2105 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\bd0001.sys (601 bytes)
%System%\config\AppEvent.Evt (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerScript.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\WebSafe.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.dll (5064 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMUpdate.dll (4545 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerXMLScript.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepBase.dll (38103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SYSCleaner.dll (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMScriptVM.dll (1281 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_class_filter.db (7385 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\pluginUnit.dat (727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\System.dll (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\DriverManager.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\ad.dll (32784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDALeakfixer.exe (38904 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerScript.dat (53 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDASoftmgr.exe (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageCleanerConfig.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1A.tmp (2190194 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSOCleanerTrayPlugin.dll (7345 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\RtpContainerConfig.xml (474 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\systemfile.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPlugin.dll (35001 bytes)
%WinDir% (96 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDCooly.dll (8657 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SusPlugin.rdb (5520 bytes)
C:\$Directory (8 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmswmanagerplugins\BDMSWManagerView.dll (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccTrayPlugin.dll (32784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\BDMSOAccServicePlugin.dll (6841 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\BDMSOAccSusPlugin.dll (7433 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_blank_speed.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_1_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\BDMPatcher.dll (12287 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SORegCleanerScript.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSkin.dll (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcher.dll (55014 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMDownload.dll (5873 bytes)
%Program Files% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\app.ico (12024 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\AppBooster.rdb (12088 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\TrayPluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDASWAcc.exe (38 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bd0001.dll (673 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\StartupDict.dat (3073 bytes)
%System%\config (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\NetService.ini (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerPreScan.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatchAgent.dll (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrayPluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMReport.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWParseDetect.dll (39329 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\BDMSkin.dll (37025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageConfig.xml (28 bytes)
%WinDir%\Prefetch (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSkin.dll (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PatcherContainer.xml (563 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\PluginInstallHelper.dll (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\BDMNetMonSusPlugin.dll (7385 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\百度卫士.lnk (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMReport.dll (34773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOSilentCleanerConfig.dat (11 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_5_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMScriptVM.dll (8184 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\scan_mgr_config.dat (2 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMPatchAgent.dll (3361 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SafePlugin.rdb (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysOptDict.dat (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOGarbageConfig.xml (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerLuaScript.dat (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnBugRpt.exe (34023 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_4_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SafePluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_6_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\804.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_property.dat (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDLogicUtils.dll (33295 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\SusPluginContainerConfig.xml (605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccEngine.dll (4185 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccMgr.dll (5441 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMNetMonMgrDll.dll (49 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixer.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerScript.dat (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonMgrDll.dll (1856 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerCheckItem.dat (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerConfig.dat (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\BDMSWManagerFrame.dll (6841 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\pluginclean.db (10815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDDownloader.exe (42222 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\uninst.exe (12287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnSvc.exe (38103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMProcessRunningTime.dll (22552 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\dnw.xml (149 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMKVMainPlugin.dll (10815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HotPlugins.xml (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDNetMisc.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNet.dll (40228 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\SafePluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMANTIVIRUS (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnUpdate.exe (42222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysAccLiveStrategy.dat (3312 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOTraceCleanerConfig.dat (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_acc.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSusPlugin.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerConfig.dat (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmkvscanplugin\BDMKVScanPluginContainerConfig.xml (380 bytes)
%System% (1328 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_0_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\MainframePluginContainerConfig.xml (1 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerConfig.dat (5 bytes)
%System%\drivers\BDMNetMon.sys (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSWParseDetect.dll (8657 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\Patch\publish.db (32763 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\SWCatalogDataItem.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_class_filter.db (33248 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerCheckItem.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\MainframePluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMTrayTipsPlugin.dll (9098 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BDMSOCleaner\SOTraceConfig.xml (9 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSWNestCore.dll (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWindowsLib.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVMainPlugin.dll (46916 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMUpdate.dll (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\kav_compatible.dat (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\vcredist_x86.exe (82435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\homepage.ini (361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HIPS.dll (59286 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_7_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_3_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\GlobalPluginInfo.xml (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\virus_type.dat (485 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMCoolyPlugins\BDMCoolyContainerConfig.xml (465 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Softmgr.rdb (690 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\KVMain.rdb (1856 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDNetMisc.dll (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnBugRpt.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\StartupDict.dat (16944 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDAVCache.dll (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccServicePlugin.dll (30344 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\HotPlugins.xml (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\RtpContainerConfig.xml (474 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SOManager.rdb (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_acc.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKVLogs.dll (35001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\uninst.exe (54196 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDKitUtils.dll (40 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SWManager.rdb (18424 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\SysRepLib.dat (22 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSOManagerPlugins\BDMSOCleanerPlugin.dll (15506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\directui license.txt (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\dnw.xml (149 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDArKit.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccStrategyMgr.dll (23296 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\kav_compatible.dat (25 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDBrowserProtecter.rdb (4992 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMRepMgr.dll (5441 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\CompatibilityChecker.dll (673 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTray.rdb (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\publish.db (140983 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_8_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMConnect.dll (43318 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASoftmgr.exe (38904 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\virus_type.dat (485 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerPreScan.dat (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\卸载百度卫士.lnk (880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[2].js (24 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSOAccTrayPlugin.dll (7345 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@fengyunzhibo[1].txt (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\HIPS.dll (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTips.rdb (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysRepLib.dat (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAn.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.sys (7192 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOHomePageCleanerConfig.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMMainFrame.dll (59286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWrench.sys (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerFrame.dll (30464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerView.dll (43318 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BDMSOCleaner\SOGarbageConfig.xml (14 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SOTurbo.rdb (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSusPlugin.dll (7385 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\ad.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccEngine.dll (22192 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_second_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GlobalPluginInfo.xml (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDALeakfixer.exe (8657 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmkvscanplugin\BDMKVScanPlugin.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerTrayPlugin.dll (32784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerConfig.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\scan_mgr_config.dat (2 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMSysFixerPlugin.dll (12287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccSusPlugin.dll (33391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceCleanerConfig.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\nsExec.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\LocalPluginInfo.xml (14 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\bd0002.sys (1281 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\homepage.ini (361 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMCoolyPlugins\BDMSOAccCoolyPlugin.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWNestCore.dll (33877 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\websafe\WebSafe.dll (7385 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\bduf.dll (6841 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMPatcherPlugin.dll (11518 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SORegCleanerConfig.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccCoolyPlugin.dll (28288 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDDownloader.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\blacksign.dat (537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.sys (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerXMLScript.dat (2 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccStrategyMgr.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\InstallHelper.dll (34186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMDownload.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\804.dat (3 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOSilentCleanerConfig.dat (11 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMRepBase.dll (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\ns1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSafePlugin.dll (33391 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SysOptDict.dat (4 bytes)
%Documents and Settings%\%current user%\Cookies (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\NetService.ini (590 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bduf.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOHomePageCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSAccMgrDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SWCatalogDataItem.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\DriverManager.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\CompatibilityChecker.dll (0 bytes)
C:\s2co (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMCoolyContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginclean.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAcceleratorPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixer.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\NetService.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrustAndIso.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMAVEng.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginUnit.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDArKit.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSysFixerPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SusPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\hips.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcherPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\duilib license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginSetup.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKitUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcher.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMTrayTipsPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDNetMisc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonSusPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnTray.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\WebSafe.dll (0 bytes)
%Program Files%\Baidu\BaiduAn\s2co (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepBase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMScriptVM.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\ad.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDALeakfixer.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\systemfile.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSCleaner.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccTrayPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSkin.dll (0 bytes)
%Program Files%\s2co (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\app.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDLogicUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnSvc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerPreScan.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatchAgent.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrayPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWParseDetect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_class_filter.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysOptDict.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PatcherContainer.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMUpdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDAVCache.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\804.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAn.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerLuaScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnBugRpt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SafePluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_property.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginManager.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonMgrDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMProcessRunningTime.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOSilentCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HotPlugins.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GCScriptBind.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDDownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysAccLiveStrategy.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSusPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerCheckItem.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\MainframePluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVMainPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDCooly.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\kav_compatible.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\vcredist_x86.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\homepage.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HIPS.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\virus_type.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\StartupDict.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccServicePlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\RtpContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_acc.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKVLogs.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\directui license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\dnw.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccStrategyMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HotPlugin.bnr (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\publish.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMConnect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMReport.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASoftmgr.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASWAcc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysRepLib.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMMainFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWrench.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerView.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccEngine.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GlobalPluginInfo.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerTrayPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\scan_mgr_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWindowsLib.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccSusPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceCleanerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\LocalPluginInfo.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWNestCore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccCoolyPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\blacksign.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerXMLScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\ns1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSafePlugin.dll (0 bytes)
%Program Files%\Baidu\s2co (0 bytes)
The process kkvlnyk.exe:1636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVUpdate.rdb (1676 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe (1843 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\810.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\806.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayDldProtect.rdb (168 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll (2470 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\806.dat (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\901.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdvs.dat (5 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (40 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVMainFrame.dll (6404 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\directui license.txt (593 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\bduf.dll (308 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0002.sys (215 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\901.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNet.dll.bdl (29881 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\iexplore.exe.xml (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll.bdl (308228 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64 (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMAVE.dll (185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\SearchProtection.rdb (132 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\res\onlineWnd.zip (16424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVEng.dll (3716 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDLogicUtils.dll (258 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\changelog.txt (215 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\900.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\KavUpdate.dll (246 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BSRLib.dat (141 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe (9606 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray.rdb (1843 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMTinyXml.dll (181 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVCached.dll (303 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcp80.dll (1835 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\217122359\Setting\host.dat (306 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\fm.dat (597 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\blacksign.dat (852 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0002.sys (203 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Repair_PluginConfig.xml (411 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\BDArKit.pdb (3723 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\kav_verify.dat (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\Pizmdb.7z (83795 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\BDMWrench.sys (703 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll (1707 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0002.pdb (1849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMReport.dll.bdl (36352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\dl.dll (65930 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\810.dat (3 bytes)
%System%\drivers\bd0002.sys (1281 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (1987 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\All Users\Desktop\百度杀毒.lnk (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\04cffb82cb0ad0358680d869bf3dc3ad.bdt (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSkin.dll (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (166194 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\systemfile.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMUpdate.dll (160 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0001.pdb (273 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\hu.dll (3312 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\KVCommonRes.rdb (28502 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\809.dat (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDCooly.dll (44 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\卸载百度杀毒.lnk (796 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\804.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVLogs.dll (181 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect.dll (152 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (32 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\CompatibilityChecker.dll (90 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\virus_type.dat (485 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico (1623 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe (3791 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (5039 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand.dll (136 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdRepair.exe (1679 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\811.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe (1658 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\900.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.map (33 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0002.sys (1281 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll (1654 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe (1671 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\updlog.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVTray_PluginConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMReport.dll (1609 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\百度杀毒.lnk (823 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMMsg.dll (33 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\baidusdRepair.dll (123 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.pdb (1783 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastImage.png (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.map (39 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTips.rdb (69 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcr80.dll (3705 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ad.dll (1707 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMEvents.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\BDArKit.sys (80 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\DriverManager.dll (119 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\tuopan.png (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect_x64.dll (181 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\tips.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMNet.dll (3909 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\NetService.ini (615 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMFrameWork.dll (283 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKV.rdb (89 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\dnw.xml (149 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVRtp_PluginConfig.xml (2 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe (1843 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDUDiskGuard.dll (238 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMDownload.dll (324 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMPerfMon.dll (140 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0001.sys (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMSkin.dll (38495 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\TrustAndIso.dll (226 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMStringUtils.dll (49 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (945 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe (3924 bytes)
%System%\drivers\BDArKit.sys (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepMgr.dll (279 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Cooly_PluginConfig.xml (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0001.dll (131 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVConfig.rdb (120 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\BDAVCScan.dll (115 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\monitor_config.dat (559 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.pdb (1865 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\wverify.dat (12289 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll (1699 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDKitUtils.dll (54 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDLogicUtils.dll (30968 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86 (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayPlugin.rdb (3682 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe (1724 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\cache_config.dat (469 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\scan_mgr_config.dat (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\tmp_wmvut.dll (80376 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMBase.dll (6400 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSREng.dll (275 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdmp.dat (25 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMPatchAgent.dll (26 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.pdb (3665 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\HIPS.dll (6359 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\FileMon.dll (1818 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\hips.xml (17 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\804.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0002.dll (1749 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\atl80.dll (97 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDPerflog.dll (140 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\BDArKit.pdb (1832 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastLogo.ico (1623 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll (115 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMLog.dll (32 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\809.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMDownload.dll (5520 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll (99 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.map (38 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\PrivacyProtect.dll (164 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepBase.dll (3901 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\BDKVVirusPlugins.dll (1609 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\UserDetectionPlugin.dll (156 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0001.pdb (1775 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll (189 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSDWrench.dll (90 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\BDArKit.sys (90 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDConfig.dll (1838 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\DesktopToast.exe (103 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand64.dll (125 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\BDArKit.sys (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\811.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVQuarantine.rdb (10 bytes)
%System%\drivers\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0001.sys (70 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0002.pdb (3854 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.sys (64 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSRCore.dll (287 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray\TrayPlugin.rdb (1812 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcm80.dll (1760 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0001.sys (601 bytes)
The Trojan deletes the following file(s):
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\810.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\bd0002.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\806.dat (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\win7\bd0003.pdb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\04cffb82cb0ad0358680d869bf3dc3ad.bdt (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\BDArKit.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\900.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\bd0002.pdb (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86 (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\win7\bd0003.map (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\winxp\bd0003.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\winxp\bd0003.pdb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\winxp (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\901.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\win7\bd0003.pdb (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\804.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0002.dll (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64 (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\bd0001.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\bd0001.sys (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\809.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\win7 (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\bd0001.pdb (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\winxp\bd0003.map (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\win7\bd0003.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\bd0001.pdb (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\BDArKit.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\win7\bd0003.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\BDArKit.pdb (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\bd0002.pdb (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\811.dat (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\BDMWrench.sys (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64\win7\bd0003.map (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\bd0002.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\Pizmdb.7z (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\win7 (0 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86\BDArKit.pdb (0 bytes)
The process jistlo.exe:3032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\zn120146\set.ini (7 bytes)
%Documents and Settings%\%current user%\Application Data\zn120146\set120146\Setzh120146.ini (23 bytes)
%Documents and Settings%\%current user%\Application Data\zn120146\min.ini (14 bytes)
The process BaiduSdSvc.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\config\system (8366 bytes)
%WinDir%\Temp\Tar18.tmp (2712 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (816 bytes)
%WinDir%\Temp\Cab13.tmp (54 bytes)
%WinDir%\Temp\Cab15.tmp (54 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (36 bytes)
%WinDir%\Temp\Cab11.tmp (54 bytes)
%System%\config\SOFTWARE.LOG (22598 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db (149 bytes)
%WinDir%\Temp\Tar17.tmp (2712 bytes)
%WinDir%\Temp\Cab16.tmp (54 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\MANIFEST-000002 (4 bytes)
%System%\config\SYSTEM.LOG (11338 bytes)
%System%\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\privacy.db-journal (532 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db (145 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\privacy.db (149 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db-journal (512 bytes)
%System%\config\software (20585 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db-journal (532 bytes)
%WinDir%\Temp\Tar14.tmp (2712 bytes)
%WinDir%\Temp\Tar12.tmp (2712 bytes)
C:\$Directory (576 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\MANIFEST-000002 (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\MANIFEST-000001 (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\CURRENT (0 bytes)
%WinDir%\Temp\Cab15.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\BaiduSdCache.rptc (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db-journal (0 bytes)
%WinDir%\Temp\Tar14.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\privacy.db-journal (0 bytes)
%WinDir%\Temp\Tar17.tmp (0 bytes)
%WinDir%\Temp\Tar18.tmp (0 bytes)
%WinDir%\Temp\Cab13.tmp (0 bytes)
%WinDir%\Temp\Tar12.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\CURRENT (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\MANIFEST-000001 (0 bytes)
%WinDir%\Temp\Cab11.tmp (0 bytes)
%WinDir%\Temp\Cab16.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db-journal (0 bytes)
The process pczh_100_1.exe:2508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Templates\120146115937419\YYM_955WD30.gif (750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsD.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp (23772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\tj.html (91 bytes)
%Program Files%\ainqngz3.9\jistlo.exe (5520 bytes)
%Documents and Settings%\%current user%\Desktop\爱情.智慧.3.9.lnk (708 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\爱情.智慧.3.9\öÃâ€ÂØ.lnk (715 bytes)
%Program Files%\ainqngz3.9\Ainqngz3.9.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].htm (91 bytes)
%Program Files%\ainqngz3.9\uninstall.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\md5dll.dll (8 bytes)
%Program Files%\ainqngz3.9\Hzsvr.exe (1552 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\爱情.智慧.3.9\爱情.智慧.3.9.lnk (720 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Templates\120146115937419\YYM_955WD30.gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\tj.html (0 bytes)
%Documents and Settings%\%current user%\Templates\120146115937419 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Math.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Base64.dll (0 bytes)
%Program Files%\ainqngz3.9\0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\md5dll.dll (0 bytes)
The process BDASWAcc.exe:3976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378090598[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378091496[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[2].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378089971[1].png (4301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388481627[1].png (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091009[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1374205283[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\json_get_selected_page_by_rand[1] (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\statics_img[1].gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378090169[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378090575[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378118373[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388481662[1].png (2651 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[2].js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (4553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091038[1].png (555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388481693[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378087540[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378090027[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378091529[1].png (555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378091571[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1390463888[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1374205294[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\selected_page[1].html (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378088733[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[2].js (3974 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\selected_page[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091654[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\json_get_selected_page_by_rand[1] (1426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[2].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091642[1].png (3 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[1].js (0 bytes)
Registry activity
The process vcredist_x86.exe:3636 makes changes in the system registry.
The process sets the following value in the system registry. The CryptoAPI RNG seed is rewritten by any process that uses CryptoAPI and carries no signal on its own:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 9E ED 17 01 4D 2E 47 2C 5C EF 9C 0A D7 30 9B"
The process registers the following value under the RunOnce autorun key. Despite the location, this is the standard IExpress (wextract) self-extractor cleanup entry: at the next logon rundll32.exe calls DelNodeRunDLL32 in advpack.dll to delete the temporary extraction folder IXP000.TMP. It does not point at the Trojan's own file and is not a persistence mechanism:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
The same process removes the value again before it exits (the self-extractor deletes its own cleanup entry once the temporary folder is gone), so no RunOnce entry survives the run:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"
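The file and registry lists above are long because the sample is an installer bundle; what an analyst actually needs from them is the handful of kernel drivers written under %System%\drivers, the user-mode executables dropped outside installer staging directories, and any autorun value, with the NSIS staging directories, the IExpress extraction folder, the VC++ 2005 runtime copies and the CryptoAPI cache writes filtered out, and with the wextract_cleanup0 RunOnce entry recognised as cleanup rather than persistence. The Python script below is an added example, not the report's own output or any Lavasoft tooling, that parses report lines in this format and performs that triage. Its sample input is copied from the report above except for one hypothetical `HKLM\...\Run` value (`"Updater"` pointing at Hzsvr.exe), which does not appear in the report and is included only so the contrast between a real persistence entry and the IExpress cleanup entry is visible; the category names and noise markers are this example's own choices.

```python
"""Triage helper for Lavasoft-style sandbox reports (added example, not part of
the report or of any vendor tooling). It pulls out the few high-signal events
(kernel drivers under the system drivers directory, autorun values) and
suppresses installer scaffolding and OS background writes."""
import re

# Constructed sample: lines copied from the report above, plus ONE hypothetical
# HKLM\...\Run value ("Updater" -> Hzsvr.exe) that is NOT in the report and is
# here only so the cleanup-versus-persistence distinction is visible.
SAMPLE_REPORT = r"""
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0002.sys (203 bytes)
%System%\drivers\bd0002.sys (1281 bytes)
%System%\drivers\BDArKit.sys (601 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%System%\drivers\bd0003.sys (55 bytes)
%System%\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsExec.dll (6 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (36 bytes)
%Program Files%\ainqngz3.9\jistlo.exe (5520 bytes)
%Program Files%\ainqngz3.9\Hzsvr.exe (1552 bytes)
%System%\config\software (20585 bytes)
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F 9E ED 17 01 4D 2E 47 2C 5C EF 9C 0A D7 30 9B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater" = "%Program Files%\ainqngz3.9\Hzsvr.exe"
"""

FILE_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")
KEY_RE = re.compile(r"^\[(?P<key>HK[A-Z]+\\.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)" = "(?P<data>.*)"$')

AUTORUN_KEY_SUFFIXES = ("\\run", "\\runonce", "\\runonceex",
                        "\\runservices", "\\runservicesonce")
DRIVER_DIRS = ("%system%\\drivers\\", "%windir%\\system32\\drivers\\")
NOISE_MARKERS = (
    "\\temp\\ns",        # NSIS staging dirs (nsn5.tmp, nsnB.tmp, nsx4.tmp ...)
    "\\ixp000.tmp\\",    # IExpress/wextract extraction dir
    "microsoft.vc80.",   # VC++ 2005 runtime copies shipped with the installer
    "cryptneturlcache",  # CryptoAPI cert/CRL cache, written by any CryptoAPI client
)
CATEGORIES = ("kernel_driver", "dropped_pe", "background_noise", "other",
              "persistence", "iexpress_cleanup", "registry_other")


def classify_file(path):
    """Bucket one file-activity path. The size field is ignored on purpose:
    the report's byte counts are not on-disk sizes (msvcr80.dll is listed at
    4185 bytes), so they are useless for matching."""
    low = path.lower()
    if low.startswith(DRIVER_DIRS) and low.endswith(".sys"):
        return "kernel_driver"      # ring-0 code: verify signature, check the service
    if any(marker in low for marker in NOISE_MARKERS):
        return "background_noise"
    if low.endswith((".exe", ".dll", ".sys")):
        return "dropped_pe"         # user-mode code worth hashing and scanning
    return "other"


def classify_autorun(name, data):
    """IExpress self-extractors register a RunOnce value that runs
    advpack.dll,DelNodeRunDLL32 to delete their temp folder at next logon.
    That is cleanup, not persistence, even though it lives in RunOnce."""
    if "advpack.dll,delnoderundll32" in data.lower():
        return "iexpress_cleanup"
    return "persistence"


def triage(report):
    """Parse file lines and [key] / "name" = "data" registry pairs; return a
    dict category -> list of (path, size) or (key, name, data) tuples."""
    findings = {cat: [] for cat in CATEGORIES}
    current_key = None
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name, data = m.group("name"), m.group("data")
            if current_key.lower().endswith(AUTORUN_KEY_SUFFIXES):
                findings[classify_autorun(name, data)].append((current_key, name, data))
            else:
                findings["registry_other"].append((current_key, name, data))
            continue
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            findings[classify_file(path)].append((path, int(m.group("size"))))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for cat in ("kernel_driver", "persistence", "iexpress_cleanup", "dropped_pe"):
        print(f"== {cat} ({len(result[cat])}) ==")
        for item in result[cat]:
            print("   ", " | ".join(str(x) for x in item))
    print(f"suppressed {len(result['background_noise'])} background-noise lines")
```

Run against the full report, the kernel_driver bucket is the first thing to act on: five .sys files land in %System%\drivers on an XP SP3 guest, where nothing enforces driver signatures, so each should be hashed and its signature checked before the package is treated as a benign antivirus install. The noise markers are a starting point, not a whitelist; anything an installer writes under its own Program Files directory still ends up in dropped_pe for review.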
The process netsh.exe:3420 makes changes in the system registry.
The process creates and/or sets the following values. These Tracing keys are written by the netsh helper DLLs on any netsh invocation and do not by themselves reveal what the installer asked netsh to do (typically firewall rule changes); the command line is not shown in this section:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 4A 7F 60 99 CB 01 6E 14 11 8D 62 45 2A DE 5F"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Tracing\FWCFG]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\106]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe:*:Enabled:百度高速下载器"
The Trojan adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\106]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe:*:Enabled:百度高速下载器"
The process netsh.exe:2944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 0B F8 71 35 DC E6 48 18 18 3C 4F D0 A1 6C 9C"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\106]
"bddownloader.exe"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\106]
"bddownloader.exe"
The process netsh.exe:3044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"BitNames" = " NAP_TRACE_BASE NAP_TRACE_NETSH"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
"Guid" = "710adbf0-ce88-40b4-a50d-231ada6593f0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
"Guid" = "b0278a28-76f1-4e15-b1df-14b209a12613"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 DC 1F 44 27 E0 B1 A9 D0 37 D8 96 25 C8 75 F5"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
The Trojan adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\107]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\107\bddownloader.exe:*:Enabled:百度高速下载器"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\107]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\107\bddownloader.exe:*:Enabled:百度高速下载器"
The process BDKVWsc.exe:2824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 8C BF DD 96 99 82 32 D3 92 B6 C3 C3 91 78 90"
The process BDKVWsc.exe:3172 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF CB F0 A5 31 44 E7 E0 B9 D7 C0 DA FF 8B 7C EE"
The process RegSvr32.exe:2928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\AppID\ieCommonPlugin.DLL]
"AppID" = "{6B4447CA-C33E-4E65-914D-C7B346D73F80}"
[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll"
[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\TypeLib]
"Version" = "1.0"
"(Default)" = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"
[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\VersionIndependentProgID]
"(Default)" = "ieCommonPlugin.Implement"
[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\ieCommonPlugin.Implement]
"(Default)" = "Implement Class"
[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\ieCommonPlugin.Implement\CurVer]
"(Default)" = "ieCommonPlugin.Implement.1"
[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\ProgID]
"(Default)" = "ieCommonPlugin.Implement.1"
[HKCR\ieCommonPlugin.Implement\CLSID]
"(Default)" = "{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}"
[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}]
"(Default)" = "Implement Class"
[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}]
"(Default)" = "IImplement"
[HKCR\AppID\{6B4447CA-C33E-4E65-914D-C7B346D73F80}]
"(Default)" = "ieCommonPlugin"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A 86 78 2B D3 E7 18 DD 07 BA FA 6F 34 13 3E E7"
[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll"
[HKCR\ieCommonPlugin.Implement.1\CLSID]
"(Default)" = "{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}"
[HKCR\ieCommonPlugin.Implement.1]
"(Default)" = "Implement Class"
[HKCR\Interface\{C7777CD6-0F43-49E4-B988-F62E3BA5130A}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\TypeLib]
"(Default)" = "{9A93865B-4314-47AE-8C4A-850748CCC6BF}"
[HKCR\TypeLib\{9A93865B-4314-47AE-8C4A-850748CCC6BF}\1.0]
"(Default)" = "ieCommonPlugin 1.0 Type Library"
[HKCR\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32]
"ThreadingModel" = "Apartment"
The process RegSvr32.exe:3192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0]
"(Default)" = "BDShellExt 1.0 Type Library"
[HKCR\BDShellExt.BDShellExtMenu\CurVer]
"(Default)" = "BDShellExt.BDShellExtMenu.1"
[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\NumMethods]
"(Default)" = "3"
[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}]
"(Default)" = "IBDShellExtMenu"
[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"
[HKCR\BDShellExt.BDShellExtMenu.1]
"(Default)" = "BDShellExtMenu Class"
[HKCR\BDShellExt.BDShellExtMenu]
"(Default)" = "BDShellExtMenu Class"
[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"
[HKCR\BDShellExt.BDShellExtMenu.1\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"
[HKCR\lnkfile\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"
[HKCR\AppID\BDShellExt.DLL]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"
[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00890530-6A9F-4be2-B1BB-73F01E2BB986}" = "BDShellExtMenu Class"
[HKCR\BDShellExt.BDShellExtMenu\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"
[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\TypeLib]
"(Default)" = "{45D1EEF3-7713-48fa-B7A5-B77229C7D330}"
[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\TypeLib]
"(Default)" = "{45D1EEF3-7713-48FA-B7A5-B77229C7D330}"
[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\VersionIndependentProgID]
"(Default)" = "BDShellExt.BDShellExtMenu"
[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\ProgID]
"(Default)" = "BDShellExt.BDShellExtMenu.1"
[HKCR\AllFilesystemObjects\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"
[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}]
"(Default)" = "PSFactoryBuffer"
[HKCR\AppID\{FBE0E29B-01DB-4876-B147-46F5AABA6823}]
"(Default)" = "BDShellExt"
[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll"
[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"
[HKCR\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 0C 34 98 AC B2 4A 99 8F CC FB F4 6F 8C 78 30"
[HKCR\Folder\shellex\ContextMenuHandlers\BDShellExt]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"
[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]
"(Default)" = "BDShellExtMenu Class"
[HKCR\TypeLib\{45D1EEF3-7713-48FA-B7A5-B77229C7D330}\1.0\HELPDIR]
"(Default)" = ""
[HKCR\Interface\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32]
"ThreadingModel" = "Apartment"
The process bddownloader.exe:3760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 61 B9 C4 34 72 F7 A7 F4 B9 B8 ED 94 26 25 46"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process bddownloader.exe:3268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bddownloader.exe"
[HKCR\BDDownloadProxy.Downloader\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bddownloader.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\BDDownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"
[HKCR\BDDownloadProxy.Downloader.1\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\BDDownloadProxy.Downloader]
"(Default)" = "Downloader Class"
[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"(Default)" = "Downloader Class"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]
"(Default)" = "BDDownloadProxy.Downloader.1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"Version" = "1.0"
[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"
[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD FC 73 E6 FA 4B A6 8A 7C 14 13 35 A3 1A 04 37"
[HKCR\BDDownloadProxy.Downloader\CurVer]
"(Default)" = "BDDownloadProxy.Downloader.1"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"
[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}]
"(Default)" = "_IDownloaderEvents"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"
[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0]
"(Default)" = "DownloadProxy 1.0 Type Library"
[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
"(Default)" = "BDDownloadProxy.Downloader"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The process bddownloader.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "c:\program files\common files\baidu\bddownload\107\bddownloader.exe"
[HKCR\BDDownloadProxy.Downloader\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\107\bddownloader.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\BDDownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"
[HKCR\BDDownloadProxy.Downloader.1\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"(Default)" = "Downloader Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\BDDownloadProxy.Downloader]
"(Default)" = "Downloader Class"
[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]
"(Default)" = "BDDownloadProxy.Downloader.1"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"
[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 19 01 26 EA 1C 44 EB DD 00 D2 39 AC F3 E5 E3"
[HKCR\BDDownloadProxy.Downloader\CurVer]
"(Default)" = "BDDownloadProxy.Downloader.1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
"(Default)" = "BDDownloadProxy.Downloader"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\Programmable]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]
The process BaiduSd.exe:3428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C 59 90 17 2C 42 C5 6E 28 A6 8D 17 92 21 9E 0C"
The process sc.exe:3016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 22 00 1D 28 C2 B1 DA A4 24 8A 63 04 68 B1 E9"
The process sc.exe:2968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 83 3F 4B EE AA 55 38 08 D2 AD B2 4E D0 EE FB"
The process aukncq_70404.exe:628 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 73 78 E2 78 61 B1 2E A7 1F 40 68 92 48 B4 EE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst8.tmp]
"jko.exe" = "jko"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"aukncq_70404.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\aukncq_70404.exe:*:Enabled:百度卫士在线安装程序"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp]
"jko.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe:*:Enabled:百度卫士安装程序"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan adds a rule to the Windows Firewall that allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp]
"jko.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe:*:Enabled:百度卫士安装程序"
The Trojan modifies IE security zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"aukncq_70404.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\aukncq_70404.exe:*:Enabled:百度卫士在线安装程序"
The Trojan deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"aukncq_70404.exe"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"aukncq_70404.exe"
The process baidusdTray.exe:2184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 FD A8 3C 8C 3B A2 AB 41 39 A4 12 5E F9 8C 2B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdUpdate.exe" = "百度杀毒升级程序"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdBugRpt.exe" = "百度异常报告程序"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies the IE security zone settings to map all local web nodes whose names contain no dots and are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process Ainqngz3.9.exe:3024 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Ainqngz3.9.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1397550614"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 F5 02 4B 27 0B 12 01 8F 76 93 89 BA AC CB 9A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies the IE security zone settings to map all local web nodes whose names contain no dots and are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process cacls.exe:3344 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 A7 C1 D9 8F F0 2E F3 12 62 C0 83 33 F1 93 46"
The process BDDownloader.exe:1212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F B9 E8 D7 C4 25 C9 EC 15 57 08 D0 63 42 F8 0C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process BDDownloader.exe:2964 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 1E B4 6E 2D 83 74 B0 67 98 27 91 8F 67 0B D8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process BDDownloader.exe:3692 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 4F 30 8C 68 60 AC 6C 8E DA 06 8A D7 B8 7F D2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\program files\common files\baidu\bddownload\107]
"bddownloader.exe" = "百度高速下载引擎"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies the IE security zone settings to map all local web nodes whose names contain no dots and are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process BDDownloader.exe:3076 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 06 17 34 C2 A8 33 6F 68 1B BF 2E 72 FD 54 BC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\program files\common files\baidu\bddownload\106]
"bddownloader.exe" = "百度高速下载引擎"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies the IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies the IE security zone settings to map all local web nodes whose names contain no dots and are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies the IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process BaiduAnTray.exe:1928 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 CE 80 A6 43 87 E3 FC 2B 7C DE 87 9A AA 62 8C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Baidu\BaiduAn]
"PAUTime" = "1800000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 91 32 10 26 E3 FE D0 00 85 6F E6 0E 17 75 3B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\29040_24295396777743]
"DisplayName" = "29040_24295396777743 1.0.2.4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\29040_24295396777743]
"Publisher" = "29040_24295396777743"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.pz100.pw"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.pz100.pw"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\29040_24295396777743]
"DisplayVersion" = "1.0.2.4"
The process regsvr32.exe:3444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 88 F8 76 98 B3 D7 31 EF 95 CE CF 9D 95 93 2E"
[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"
[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"
[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\107\bdcomproxy.dll"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"
[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"
The process regsvr32.exe:2948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 85 57 13 C8 BF 14 4B 9A EB CF 6C 9F 5E 4E 8F"
[HKCR\CLSID\{85E0B1AA-04FA-11D1-B7DA-00A0C90348D6}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand.dll"
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{85E0B1AA-04FA-11D1-B7DA-00A0C90348D6}]
"(Default)" = "U盘防护"
The process regsvr32.exe:3468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 A3 6D CF 7C 98 B7 3D EB AD 57 00 8A FB 64 59"
[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"
[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"
[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"
[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"
[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "c:\program files\common files\baidu\bddownload\106\bdcomproxy.dll"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"
[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"
[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"
The process BaiduAn.exe:2532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 35 35 BE EC 71 DA D5 F6 EE 73 8D 61 43 04 92"
The process BaiduAn.exe:2476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 26 61 2E B8 92 89 E2 4E 36 1C 19 33 A7 5D 8F"
The process BaiduSdBugRpt.exe:2368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 3C 86 EA C5 5B 8F A5 FC 3A ED C8 5D 34 18 E9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process BaiduSdUpdate.exe:2904 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 50 E4 D8 63 FA 1E 6A 43 65 96 F1 08 27 AB 23"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process BaiduAnSvc.exe:3636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C CD DC 8A 51 65 3A 78 8D 8B CE 15 0C AE 75 8A"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BaiduAnTray" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe -stmd=3"
The process BaiduAnSvc.exe:3924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 16 57 67 6C 05 63 EB 53 09 DE 36 A0 07 1B D1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
The process jko.exe:2456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"
"Description" = "BDArKit"
"Type" = "1"
"Group" = "bddriver"
[HKLM\SOFTWARE\Baidu\BaiduAn]
"SupplyID" = "55555"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"
[HKLM\SOFTWARE\Baidu\BaiduAn]
"InstallDir" = "%Program Files%\Baidu\BaiduAn"
"VirusTime" = "2013.04.05 1216"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"DisplayVersion" = "2.1.0.1214"
[HKLM\System\CurrentControlSet\Services\bd0002]
"ImagePath" = "system32\DRIVERS\bd0002.sys"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"Type" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"DisplayName" = "BDMNetMon"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_gj" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"DisplayName" = "百度卫士2.1"
[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"Tag" = "3"
"Group" = "bddriver"
[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"DisplayIcon" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\app.ico"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"
[HKLM\SOFTWARE\Baidu\BaiduAn]
"INSTLANG" = "2052"
"InstallDate" = "2014-6-1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\bd0002]
"Group" = "bddriver"
"Tag" = "2"
[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"
[HKLM\SOFTWARE\Baidu\BaiduAn]
"Version" = "2.1.0.1214"
[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"ErrorControl" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Baidu\BaiduAn]
"RtpFlag" = "273"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"Publisher" = "百度在线网络技术(北京)有限公司"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Tag" = "4"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 68 46 8A 11 62 77 AB 2B 4F E6 D5 69 8F 46 F8"
[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"ImagePath" = "system32\DRIVERS\BDMNetMon.sys"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"UninstallString" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\uninst.exe"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"
[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"Description" = "BDMNetMon"
The following service will be launched automatically at system boot-up:
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"
Adds a Windows Firewall rule which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnTray.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe:*:Enabled:百度卫士托盘程序"
The following driver will be launched automatically by NT native code (IoInitSystem):
[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"
Adds a Windows Firewall rule which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnSvc.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnSvc.exe:*:Enabled:百度卫士服务程序"
The following driver will be launched automatically by NT native code (IoInitSystem):
[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnSvc.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnSvc.exe:*:Enabled:百度卫士服务程序"
Adds a Windows Firewall rule which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnBugRpt.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnBugRpt.exe:*:Enabled:百度卫士BUG上报程序"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnUpdate.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnUpdate.exe:*:Enabled:百度卫士更新程序"
"BaiduAnBugRpt.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnBugRpt.exe:*:Enabled:百度卫士BUG上报程序"
"BaiduAnTray.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe:*:Enabled:百度卫士托盘程序"
The following service will be launched automatically at system boot-up:
[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"Start" = "2"
The Trojan adds the executable file of the process it runs in to the list of trusted Windows Firewall applications:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAn.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAn.exe:*:Enabled:百度卫士主程序"
Adds a Windows Firewall rule which allows any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduAn\2.1.0.1214]
"BaiduAnUpdate.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnUpdate.exe:*:Enabled:百度卫士更新程序"
"BaiduAn.exe" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAn.exe:*:Enabled:百度卫士主程序"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Baidu\BaiduAn]
"RtpFlag"
[HKLM\System\CurrentControlSet\Services\BDMNetMon]
"DeleteFlag"
[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"
[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"
The process kkvlnyk.exe:1636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDate" = "2014-6-1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"UninstallString" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Baidu\BaiduSd]
"Version" = "1.8.0.1255"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayVersion" = "1.8.0.1255"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\iexplore\AllowedDomains\*]
"(Default)" = ""
[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"vendor" = "Beijing baidu Netcom science and technology co.ltd"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\bd0003]
"Description" = "百度杀毒功能组件"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"Publisher" = "百度在线网络技术(北京)有限公司"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"
[HKLM\System\CurrentControlSet\Services\bd0002]
"Tag" = "2"
[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Altitude" = "326912"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Tag" = "4"
[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_sd" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"
[HKLM\System\CurrentControlSet\Services\bd0003]
"Group" = "FSFilter Anti-Virus"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"
[HKCR\metnsd\clsid]
"SequenceID" = "3C B7 C5 0D 26 85 FC 49 A3 76 24 6E 52 EB 66 9F"
[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin\MimeTypes\application/np-BaiduSDDetect]
"Description" = "BaidusdDetectNPPlugin"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\System\CurrentControlSet\Services\bd0003\Instances]
"DefaultInstance" = "bd0003 Instance"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDir" = "%Program Files%\Baidu\BaiduSd"
The following value is rewritten as a side effect of CryptoAPI random-number generation (CryptGenRandom persists its seed here after use); it shows up in the trace of any process that touches CryptoAPI and is not an indicator on its own:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 9A D6 14 B5 BF 33 3F 8C 5F EA 40 A5 46 63 1A"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSd.exe" = "百度æÂ€毒主程åºÂÂ"
[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\bd0003]
"DependOnService" = "FltMgr"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Group" = "bddriver"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdSvc.exe" = "百度æÂ€毒æœÂÂ务程åºÂÂ"
[HKLM\System\CurrentControlSet\Services\bd0003]
"ImagePath" = "system32\DRIVERS\bd0003.sys"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"
[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"
[HKLM\System\CurrentControlSet\Services\bd0003]
"Type" = "2"
[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"
[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag" = "273"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\System\CurrentControlSet\Services\bd0002]
"Group" = "bddriver"
[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayIcon" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico"
[HKLM\System\CurrentControlSet\Services\bd0003]
"Tag" = "3"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"bddownloader.exe" = "百度高速下载引擎"
[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Path" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayName" = "百度杀毒1.8"
[HKLM\SOFTWARE\Baidu\BaiduSd]
"VirusTime" = "2013.11.28 0110"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BDKVWsc.exe" = "百度æÂ€毒安全ä¸ÂÂ心接å£"
[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Type" = "1"
[HKLM\System\CurrentControlSet\Services\bd0003]
"ErrorControl" = "1"
[HKLM\System\CurrentControlSet\Services\bd0002]
"ImagePath" = "system32\DRIVERS\bd0002.sys"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Baidu\BaiduSd]
"INSTLANG" = "2052"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan registers its own driver load-order group, bddriver (REG_BINARY: a count of 2 followed by the tags 1 and 2, so within the group bd0001 loads before bd0002):
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"ProductName" = "BaiduSd"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Description" = "Baidusd detect NPAPI plugin"
The Trojan inserts the bddriver group into the system-wide service/driver load order, immediately before FSFilter Anti-Virus, so its drivers load ahead of the file-system anti-virus filter group:
[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, bddriver, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"
[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Version" = "1.0.0.1"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"
[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Flags" = "0"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"
[HKLM\System\CurrentControlSet\Services\bd0003]
"DisplayName" = "bd0003"
[HKLM\SOFTWARE\Baidu\BaiduSd]
"SupplyID" = "11111"
The Trojan adds the following executable(s) to the Windows Firewall authorized-applications list for the Domain profile. The value format is path:scope:state:description; an Enabled entry with scope * accepts unsolicited inbound connections to that program from any address:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdSvc.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe:*:Enabled:百度杀毒服务程序"
The same for the Standard profile (inbound connections from any address allowed):
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdBugRpt.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe:*:Enabled:百度杀毒BUG上报程序"
"BaiduSdUProxy64.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe:*:Enabled:百度杀毒代理程序"
The following IE zone-map value is written. It is the Windows default that places local, dotless host names not assigned to another zone in the Local Intranet zone, and is normally created the first time a process in a fresh profile uses WinINet, so on its own it is not a weakening of the zone settings:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The following driver is configured for system start (Start = 1, SERVICE_SYSTEM_START: loaded by the I/O manager during kernel initialization, in IoInitSystem, before the Service Control Manager runs). bd0003 is a file-system minifilter (Type 2, DependOnService = FltMgr, altitude 326912, which is in the FSFilter Anti-Virus range):
[HKLM\System\CurrentControlSet\Services\bd0003]
"Start" = "1"
Domain profile authorized-applications entries; note the Enabled, any-address entry for an executable in the user's Temp directory:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"kkvlnyk.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\kkvlnyk.exe:*:Enabled:百度杀毒在线安装程序"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdTray.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe:*:Enabled:百度杀毒托盘程序"
"BaiduSdUProxy64.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe:*:Enabled:百度杀毒代理程序"
Standard profile authorized-applications entry (inbound connections from any address allowed):
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdSvc.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe:*:Enabled:百度杀毒服务程序"
Domain profile authorized-applications entry:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdUpdate.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe:*:Enabled:百度杀毒更新程序"
Standard profile authorized-applications entry:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdTray.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe:*:Enabled:百度杀毒托盘程序"
Domain profile authorized-applications entry:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdBugRpt.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe:*:Enabled:百度杀毒BUG上报程序"
Standard profile authorized-applications entry:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Baidu\BaiduSd\1.8.0.1255]
"BaiduSdUpdate.exe" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe:*:Enabled:百度杀毒更新程序"
The following driver service is set to auto-start (Start = 2, SERVICE_AUTO_START, started by the Service Control Manager at boot; BDArKit is Type 1, a kernel driver):
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"
The following IE zone-map value is written (Windows default: UNC network paths are treated as Local Intranet):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The following driver is configured for system start (Start = 1, SERVICE_SYSTEM_START, loaded by the I/O manager during kernel initialization):
[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"
The following IE zone-map value is written (Windows default: hosts that bypass the proxy server are treated as Local Intranet):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Standard profile authorized-applications entry for a DLL in the installer's scratch directory (an ns*.tmp directory under the user's Temp folder is where an NSIS installer extracts its plugin DLLs):
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp]
"ynz.dll" = "%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll:*:Enabled:百度杀毒安装程序"
The following driver is configured for system start (Start = 1, SERVICE_SYSTEM_START, loaded by the I/O manager during kernel initialization):
[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"
Domain profile authorized-applications entry for the same DLL:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp]
"ynz.dll" = "%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll:*:Enabled:百度杀毒安装程序"
Standard profile authorized-applications entry for the installer in the user's Temp directory:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"kkvlnyk.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\kkvlnyk.exe:*:Enabled:百度杀毒在线安装程序"
The Trojan deletes the following value(s) in system registry. The firewall entries for the Temp-directory installer files (ynz.dll, kkvlnyk.exe) are removed again here, so an after-the-fact check of the firewall list will not show them; removing a service's DeleteFlag clears the pending-deletion mark the Service Control Manager sets when a service is deleted while still in use, so the drivers just registered survive the next reboot:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp]
"ynz.dll"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp]
"ynz.dll"
[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag"
[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"kkvlnyk.exe"
[HKLM\System\CurrentControlSet\Services\bd0003]
"DeleteFlag"
[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"kkvlnyk.exe"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"
The process jistlo.exe:3032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 0D 63 87 87 C1 37 BD FE 00 FB D1 59 58 1C 4B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The following IE zone-map values are written. They are the Windows defaults for the Local Intranet zone (UNCAsIntranet: UNC network paths; ProxyBypass: hosts that bypass the proxy server; IntranetName: local, dotless host names not assigned to another zone), normally created the first time a process in a fresh profile uses WinINet, so on their own they are not a weakening of the zone settings:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
Proxy settings are disabled. Together with "MigrateProxy" = "1" and "SavedLegacySettings" above and the removal of AutoConfigURL, ProxyServer and ProxyOverride below, this matches WinINet's one-time migration of legacy proxy settings in a fresh profile rather than a deliberate proxy change:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process BaiduSdSvc.exe:4012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A 01 C3 98 E0 52 76 5E 69 00 09 58 E7 D0 A7 03"
The process BaiduSdSvc.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"
[HKLM\System\CurrentControlSet\Services\bd0003]
"Group" = "FSFilter Anti-Virus"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"
[HKLM\System\CurrentControlSet\Services\BDMWrench]
"DisplayName" = "BDMWrench"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Group" = "bddriver"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"
[HKLM\System\CurrentControlSet\Services\BDMWrench]
"ImagePath" = "system32\DRIVERS\BDMWrench.sys"
[HKLM\System\CurrentControlSet\Services\bd0003]
"ErrorControl" = "1"
[HKLM\System\CurrentControlSet\Services\bd0002]
"ImagePath" = "system32\DRIVERS\bd0002.sys"
[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Description" = "BDMWrench"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Services\bd0003]
"ImagePath" = "system32\DRIVERS\bd0003.sys"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"
[HKLM\System\CurrentControlSet\Services\bd0003]
"Description" = "百度æÂ€毒功能组件"
[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Tag" = "5"
[HKLM\System\CurrentControlSet\Services\bd0003\Instances]
"DefaultInstance" = "bd0003 Instance"
[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"
[HKLM\System\CurrentControlSet\Services\bd0003]
"Type" = "2"
[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"
[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Type" = "1"
[HKLM\System\CurrentControlSet\Services\bd0002]
"Group" = "bddriver"
[HKLM\System\CurrentControlSet\Services\BDKVRTP]
"ImagePath" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe -r"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Services\bd0002]
"Tag" = "2"
[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Group" = "bddriver"
[HKLM\System\CurrentControlSet\Services\bd0003]
"Tag" = "3"
[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Altitude" = "326912"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"
"Type" = "1"
"Tag" = "4"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 23 26 87 65 56 3A 22 BA 2D 3C 6F C1 98 6E E8"
The following entry is written to the machine's AuthRoot store (the automatically updated trusted-root certificate store; a root planted here is trusted machine-wide). This thumbprint is removed again below, consistent with CryptoAPI caching certificates while validating a chain, but an entry that persisted after installation would deserve inspection:
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C]
"Blob" = "19 00 00 00 01 00 00 00 10 00 00 00 A8 23 B4 A2"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"
"ImagePath" = "system32\DRIVERS\bd0001.sys"
[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"
[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"
[HKLM\System\CurrentControlSet\Services\bd0003]
"DependOnService" = "FltMgr"
[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"
[HKLM\System\CurrentControlSet\Services\BDMWrench]
"ErrorControl" = "0"
[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Flags" = "0"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"
[HKLM\System\CurrentControlSet\Services\bd0003]
"DisplayName" = "bd0003"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C]
"Blob" = "04 00 00 00 01 00 00 00 10 00 00 00 6F 7E 74 A3"
The following driver service is set to auto-start (Start = 2, SERVICE_AUTO_START, started by the Service Control Manager at boot):
[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"
To run at each user logon, the Trojan adds the following entry (the BaiduSd tray component) to the machine-wide Run autostart key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"baidusdTray" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe -stmd=3"
"baidusdTray" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe -stmd=3"
The following drivers are configured for system start (Start = 1, SERVICE_SYSTEM_START: loaded by the I/O manager during kernel initialization, in IoInitSystem, before the Service Control Manager runs):
[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"
[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"
[HKLM\System\CurrentControlSet\Services\bd0003]
"Start" = "1"
[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Start" = "1"
The Trojan deletes the following value(s) in system registry (the two certificate-store entries created above are removed again; the DeleteFlag removals clear any pending-deletion mark on the drivers it has just registered):
[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"B1BC968BD4F49D622AA89A81F2150152A41D829C"
[HKLM\System\CurrentControlSet\Services\bd0003]
"DeleteFlag"
[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates]
"E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C"
[HKLM\System\CurrentControlSet\Services\BDMWrench]
"DeleteFlag"
[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"
The process pczh_100_1.exe:2508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\爱情.智慧.3.9]
"UninstallString" = "%Program Files%\ainqngz3.9\uninstall.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\爱情.智慧.3.9]
"DisplayVersion" = ""
[HKLM\SOFTWARE\esfg]
"Install" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Ainqngz3.9.exe]
"(Default)" = "%Program Files%\ainqngz3.9\Ainqngz3.9.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\爱情.智慧.3.9]
"DisplayIcon" = "%Program Files%\ainqngz3.9\uninstall.exe"
[HKLM\SOFTWARE\tyoh]
"EN" = "pczh_100_1.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\tyoh]
"ED" = "100"
"EX" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\tyoh]
"et" = "120146"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\爱情.智慧.3.9]
"DisplayName" = "爱情.智慧3.9"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 B2 81 40 FD 34 36 23 3F 0A 6D FB 0E 0A 3D 9C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The following IE zone-map values are written. They are the Windows defaults for the Local Intranet zone (UNCAsIntranet: UNC network paths; ProxyBypass: hosts that bypass the proxy server; IntranetName: local, dotless host names not assigned to another zone), normally created the first time a process in a fresh profile uses WinINet, so on their own they are not a weakening of the zone settings:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"
Proxy settings are disabled. Together with "MigrateProxy" = "1" and "SavedLegacySettings" above and the removal of AutoConfigURL, ProxyServer and ProxyOverride below, this matches WinINet's one-time migration of legacy proxy settings in a fresh profile rather than a deliberate proxy change:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process MsiExec.exe:3424 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA D2 AA BC B3 88 5B BA FF D7 38 3E 14 5D 65 E9"
The process BDASWAcc.exe:3976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "BDASWAcc.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1394463599"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 6F 8A 6C F5 C8 27 70 1F 2F 7E 12 A4 A0 73 12"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies the IE security-zone map so that every UNC (network) path is placed in the Local Intranet zone (the "Include all network paths (UNCs)" option):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies the IE security-zone map so that every site that bypasses the proxy server is placed in the Local Intranet zone (the "Include all sites that bypass the proxy server" option):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies the IE security-zone map so that local sites not listed in another zone are placed in the Local Intranet zone (the "Include all local (intranet) sites not listed in other zones" option):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry; together with ProxyEnable = 0 this removes any PAC URL, proxy server and proxy bypass list the user had configured, so browser traffic no longer passes through a filtering proxy:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
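The zone-map and proxy values listed above are the ones worth checking on a suspect host. The script below is an added example, not code from this report or from Lavasoft: on Windows it reads the two HKCU keys with winreg, elsewhere it evaluates a constructed sample that mirrors the values recorded for BDASWAcc.exe. The expect_proxy flag is an assumption about the host being checked (whether it is supposed to browse through a proxy or PAC file), not something the report states.

```python
"""Evaluate the IE Local Intranet zone-map and proxy values listed above.

Added example, not code from the report or from Lavasoft. On Windows it reads
the live HKCU keys with winreg; elsewhere it evaluates a constructed sample
that mirrors the values recorded for BDASWAcc.exe. The expect_proxy flag is an
assumption about the host being checked, not something the report states."""
import sys

ZONEMAP_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
INET_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# What each ZoneMap flag means when set to 1 (the Local Intranet "Sites" options).
ZONEMAP_FLAGS = {
    "IntranetName": "local sites not listed in another zone are placed in Local Intranet",
    "UNCAsIntranet": "every UNC path is placed in Local Intranet",
    "ProxyBypass": "every site that bypasses the proxy is placed in Local Intranet",
}
PROXY_VALUES = ("AutoConfigURL", "ProxyServer")


def evaluate(zonemap, inet, expect_proxy):
    """Return a list of findings.

    zonemap, inet: name -> value dicts for the two HKCU keys (DWORDs as int).
    expect_proxy: True when the host is supposed to browse through a proxy or
    PAC file, so a missing or disabled proxy is a finding rather than the norm.
    """
    findings = []
    for name, meaning in ZONEMAP_FLAGS.items():
        if zonemap.get(name) == 1:
            findings.append(f"ZoneMap\\{name}=1: {meaning}")
    if expect_proxy:
        if inet.get("ProxyEnable", 0) == 0:
            findings.append("ProxyEnable=0: browser connects directly, proxy filtering bypassed")
        for name in PROXY_VALUES:
            if name not in inet:
                findings.append(f"{name} missing: proxy/PAC configuration was removed")
    return findings


def read_values(subkey):
    """Dump every value under HKCU\\<subkey> into a dict (Windows only)."""
    import winreg  # stdlib, present only on Windows builds
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values under this key
                values[name] = data
                index += 1
    except OSError:
        pass  # key absent: treat as no values
    return values


# Constructed sample: the state the report records after BDASWAcc.exe ran.
SAMPLE_ZONEMAP = {"IntranetName": 1, "UNCAsIntranet": 1, "ProxyBypass": 1}
SAMPLE_INET = {"ProxyEnable": 0, "MigrateProxy": 1}


if __name__ == "__main__":
    if sys.platform == "win32":
        zonemap, inet = read_values(ZONEMAP_KEY), read_values(INET_KEY)
    else:
        zonemap, inet = SAMPLE_ZONEMAP, SAMPLE_INET
    for line in evaluate(zonemap, inet, expect_proxy=True) or ["no findings"]:
        print(line)
```

The three ZoneMap options are also the default state of IE6 on Windows XP, so a hit on them is meaningful only against your own baseline; the proxy findings are the ones that show something was actively removed on a host that is supposed to use a proxy.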
Dropped PE files
MD5 | File path |
---|---|
a5b49ca5186d2eac47ae7095a07659ca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\aukncq_70404.exe |
7ef27e038f3c449fd3c763192ff931c4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\kkvlnyk.exe |
a7d710e78711d5ab90e4792763241754 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\Md5dll.dll |
f0419089787f4bd9d422c9d1933e0932 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\NSISdl.dll |
f55b41485cbaf292389a52f8e4f0594b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\System.dll |
76d2faad042161f24b6c9c78de3bd265 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf2.tmp\xID.dll |
0e54f1daa2d9c248ba16507c08ee9881 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDLogicUtils.dll |
b62367fe2d02b8f47914b088a006d50c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMDownload.dll |
06597a9f16b163c97b8f95d457bce8b2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMNet.dll |
928208161b61b8c36fa1a6095c1ccfab | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMNetGetInfo.dll |
30cbc602ada7cdfb0346038c05996d84 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMReport.dll |
39257175ac9c90199c69aea1a7bcbda0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BDMSkin.dll |
1c951bbcbc780046d6be1079a04870a4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\System.dll |
763b532d651f0ad5e135d9b57bf4fba4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\dl.dll |
ebfe7c9594e300bb0c16e7bb99a7e66d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\hu.dll |
79118048fcbaef526f802925eabcaf32 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\tmp_wmvut.dll |
9fd685edcd84e63eafe96f72891c8738 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDLogicUtils.dll |
d184763cb4e62d531193978de7b82db2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDMDownload.dll |
928208161b61b8c36fa1a6095c1ccfab | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDMNetGetInfo.dll |
30cbc602ada7cdfb0346038c05996d84 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDMReport.dll |
b540a866191f7fd20f5e6355bc2b094e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\BDMSkin.dll |
f52eb281e29da8065e18805617ac2cbc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\System.dll |
763b532d651f0ad5e135d9b57bf4fba4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\dl.dll |
ebfe7c9594e300bb0c16e7bb99a7e66d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\hu.dll |
4e283c503ef12d27b09deb52525fb1d1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst8.tmp\tmppm4bkx.dll |
79ddb8027714f30a93d354cee26ac802 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\pczh_100_1.exe |
218c9c36d131a6574baea88b8c48a9e3 | c:\Program Files\ainqngz3.9\Ainqngz3.9.exe |
cc8aa6c44a058317738b6f24af0d19fb | c:\Program Files\ainqngz3.9\Hzsvr.exe |
becf376b6bf708e841d3ad11f87b105a | c:\Program Files\ainqngz3.9\jistlo.exe |
919842788c075bc2d18dc6afcc0ada13 | c:\Program Files\ainqngz3.9\uninstall.exe |
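The table above gives path-and-MD5 pairs, which is enough for a host sweep. The script below is an added example, not Lavasoft's tooling: DROPPED_PE_TABLE holds rows copied from the table (a subset; add the rest before a real sweep), while the "%CurrentUserName%" expansion, the verdict names and the demo files written to a temporary directory are constructed for this example.

```python
"""Sweep a host for the dropped PE files listed in the table above, by path
and MD5.

Added example, not Lavasoft's tooling. DROPPED_PE_TABLE holds rows copied from
the report's table; the "%CurrentUserName%" expansion, the verdict names and
the demo files written under a temp directory are constructed for this
example. Extend the table with the remaining rows before a real sweep."""
import hashlib
import os
from pathlib import Path

DROPPED_PE_TABLE = r"""
MD5 | File path |
---|---|
a5b49ca5186d2eac47ae7095a07659ca | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\aukncq_70404.exe |
7ef27e038f3c449fd3c763192ff931c4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\kkvlnyk.exe |
79ddb8027714f30a93d354cee26ac802 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\pczh_100_1.exe |
218c9c36d131a6574baea88b8c48a9e3 | c:\Program Files\ainqngz3.9\Ainqngz3.9.exe |
becf376b6bf708e841d3ad11f87b105a | c:\Program Files\ainqngz3.9\jistlo.exe |
"""


def parse_table(text):
    """Turn 'md5 | path |' rows into (md5, path) pairs, skipping header lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 2 and len(cells[0]) == 32:
            rows.append((cells[0].lower(), cells[1]))
    return rows


def localize(report_path, username):
    """Replace the report's quoted "%CurrentUserName%" placeholder."""
    return report_path.replace('"%CurrentUserName%"', username).replace("%CurrentUserName%", username)


def md5_of(path, chunk=1 << 20):
    """Stream the file so large droppers do not get read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(iocs):
    """iocs: iterable of (expected_md5, local_path). Returns {path: verdict}.

    'present, hash differs' is reported separately because a different build
    of the same dropper at the listed path is still worth a look."""
    verdicts = {}
    for expected, path in iocs:
        p = Path(path)
        if not p.is_file():
            verdicts[path] = "absent"
        elif md5_of(p) == expected:
            verdicts[path] = "match"
        else:
            verdicts[path] = "present, hash differs"
    return verdicts


def run_demo():
    """Constructed end-to-end run in a temp dir: one file that matches its
    listed MD5, one whose hash differs, one that is absent. Returns
    {file name: verdict}. The MD5 for b"hello" is used as the 'listed' hash."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "aukncq_70404.exe").write_bytes(b"hello")
        (Path(tmp) / "kkvlnyk.exe").write_bytes(b"not the sampled dropper")
        table = f"""
5d41402abc4b2a76b9719d911017c592 | {tmp}/aukncq_70404.exe |
7ef27e038f3c449fd3c763192ff931c4 | {tmp}/kkvlnyk.exe |
79ddb8027714f30a93d354cee26ac802 | {tmp}/pczh_100_1.exe |
"""
        return {Path(p).name: v for p, v in sweep(parse_table(table)).items()}


if __name__ == "__main__":
    if os.name == "nt":
        user = os.environ.get("USERNAME", "")
        iocs = [(h, localize(p, user)) for h, p in parse_table(DROPPED_PE_TABLE)]
        for path, verdict in sweep(iocs).items():
            print(f"{verdict:22} {path}")
    else:
        print(run_demo())
```

Two things to keep in mind when reading the results: the NSIS plugin directories (Temp\nsf2.tmp, nsn5.tmp, nst8.tmp) are normally removed when the installer exits, so "absent" there is expected, and several rows in them repeat the same hash (BDMNetGetInfo.dll, BDMReport.dll, dl.dll, hu.dll appear in both nsn5.tmp and nst8.tmp), which is the same payload unpacked twice. System.dll and NSISdl.dll are stock NSIS plugins shipped by any NSIS installer, so a hit on them alone proves nothing; the files under Program Files\ainqngz3.9 are the durable indicators.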
HOSTS file anomalies
No changes have been detected.
Rootkit activity
Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan registers a process notify routine, so the kernel calls it whenever a process is created or exits.
Using the driver "%System%\DRIVERS\BDMNetMon.sys" the Trojan registers a process notify routine, so the kernel calls it whenever a process is created or exits.
Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan registers a thread notify routine, so the kernel calls it whenever a thread is created or exits.
Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan registers a load-image notify routine, so the kernel calls it whenever an executable image (EXE or DLL) is mapped into a process.
Note that the file list below also records both drivers under %Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\, and the notify routines they register are the documented kernel callbacks (PsSetCreateProcessNotifyRoutine, PsSetCreateThreadNotifyRoutine, PsSetLoadImageNotifyRoutine) that security products themselves use, so attribute this entry to the bundled Baidu component when assessing the sample.
The Trojan installs the following kernel-mode hooks:
ZwUnloadKey (the native call that unloads a registry hive)
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager). The PIDs below are the ones assigned in the analysis sandbox and will differ on an infected host; match on the image name instead:
vcredist_x86.exe:3636
netsh.exe:3420
netsh.exe:2944
netsh.exe:3044
BDKVWsc.exe:2824
BDKVWsc.exe:3172
RegSvr32.exe:2928
RegSvr32.exe:3192
bddownloader.exe:3268
bddownloader.exe:1236
BaiduSd.exe:3428
sc.exe:3016
sc.exe:2968
aukncq_70404.exe:628
baidusdTray.exe:2184
cacls.exe:3344
BDDownloader.exe:1212
BDDownloader.exe:2964
BDDownloader.exe:3692
BDDownloader.exe:3076
BaiduAnTray.exe:1928
regsvr32.exe:3444
regsvr32.exe:2948
regsvr32.exe:3468
BaiduAn.exe:2532
BaiduAn.exe:2476
BaiduSdBugRpt.exe:2368
BaiduSdUpdate.exe:2904
BaiduAnSvc.exe:3636
BaiduAnSvc.exe:3924
jko.exe:2456
kkvlnyk.exe:1636
BaiduSdSvc.exe:4012
BaiduSdSvc.exe:444
pczh_100_1.exe:2508
MsiExec.exe:3424
BDASWAcc.exe:3976
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredis1.cab (6255 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\vcredist.msi (42423 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNet.dll.bdl (46859 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\jko.exe.bdl (707298 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca.bak (1788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca.bak (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\tmppm4bkx.dll (24832 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMReport.dll.bdl (37075 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\1942083177\Setting\host.dat (306 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\3f88398fc048137c047f9ddd92a215ed.bdt (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse7.tmp (128685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\2d519f2c31620e467cd7bbf4cdf9a59f.bdt (663 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\res\onlineWnd.zip (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst8.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd (4 bytes)
%System%\wbem\Logs (4 bytes)
%WinDir%\repair (4 bytes)
%System%\CatRoot2 (96 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB (4 bytes)
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\~DF464A.tmp (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (1460 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\000003.log (4 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\BaiduSdCache.rptc (68 bytes)
%Program Files%\Common Files (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN (4 bytes)
C:\$Directory (780 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData (4 bytes)
%WinDir%\Temp\Perflib_Perfdata_638.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\LOG (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\000003.log (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%System%\drivers (4 bytes)
%WinDir%\Prefetch (196 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\index.dat (388 bytes)
%WinDir%\Temp\Perflib_Perfdata_ea0.dat (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\LOG (4 bytes)
%Documents and Settings%\%current user%\Cookies (200 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mini.fengyunzhibo[1].txt (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mini[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[1].js (943 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\new_common[1].css (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[2].js (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fymini[1].htm (1798 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAU3OLK5.gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\new_box[1].js (145 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@fengyunzhibo[1].txt (188 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\core[1].php (800 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\mini.fengyunzhibo[1].xml (266 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fymini[2].htm (1853 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\hm[1].js (5 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\analytics[2].js (174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\mini[1].js (73 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@tv.aiqingzhihui[1].txt (332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\fyminiloader-min[1].js (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\zhibo2[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\mini[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\CAPSSJDX.gif (35 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\bdcomproxy.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg22.tmp (86466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw23.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.107.0[2014-6-1-12-1-23]\7z.dll (12536 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\7z.dll (12536 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BDDownloader_Installer\1.0.106.1[2014-6-1-12-0-4]\bdcomproxy.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsuF.tmp (90616 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\bddownloader.exe (9605 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\7z.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\dl.dll (14988 bytes)
%Program Files%\Common Files\Baidu\BDDownload\107\bdcomproxy.dll (601 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\bddownloader.exe (9605 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\bdcomproxy.dll (601 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\7z.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BDDownload\106\dl.dll (14988 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\SWManager\ultcache.dat (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pczh_100_1.exe (45392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\Md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aukncq_70404.exe (187984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkvlnyk.exe (232737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\z.ini (660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp\xID.dll (3 bytes)
%System%\config\SYSTEM.LOG (5097 bytes)
%System%\config\software (10282 bytes)
%System%\config\SOFTWARE.LOG (13344 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db (145 bytes)
%WinDir%\Temp\Tar25.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\white_list.db-journal (512 bytes)
%WinDir%\Temp\Cab24.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bduf.dll (29608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAn.exe (30464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDAVCache.dll (34186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOHomePageCleanerConfig.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSAccMgrDll.dll (29256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerPlugin.dll (67969 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Mainpage.rdb (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SWCatalogDataItem.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMWindowsLib.dll (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMMainFrame.dll (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMNet.dll (9098 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASWAcc.exe (1552 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_2_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\CompatibilityChecker.dll (5064 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\PatcherContainer.xml (563 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnUpdate.exe (9605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOTraceConfig.xml (9 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bd0002.dll (3073 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerLuaScript.dat (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\KVCommonRes.rdb (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.dll (16288 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerConfig.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMCoolyContainerConfig.xml (465 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SusPluginContainerConfig.xml (605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnSvc.exe (8657 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTray\TrayPlugin.rdb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginclean.db (48928 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\directui license.txt (593 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SysAccelerator.rdb (15536 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDKVLogs.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAcceleratorPlugin.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccMgr.dll (25776 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_property.dat (1281 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMAVEng.dll (11518 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixer.dll (9608 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDMNetMon.sys (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SYSCleaner.dll (57535 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMUpdate.rdb (12088 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMProcessRunningTime.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrustAndIso.dll (35784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\BDMSafePlugin.dll (7433 bytes)
%Documents and Settings%\All Users\Desktop\百度卫士.lnk (895 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\LocalPluginInfo.xml (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMAVEng.dll (51840 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\pluginclean.db (48928 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Patcher.rdb (5064 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SysFixer.rdb (3312 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\blacksign.dat (537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\pluginUnit.dat (727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDArKit.sys (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDCooly.dll (38103 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_minute_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSysFixerPlugin.dll (53394 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\PluginSetup.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SYSAccMgrDll.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceConfig.xml (18 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\hips.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GCScriptBind.dll (42762 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\systemfile.dat (3 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\BDMConnect.dll (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\hips.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPluginContainerConfig.xml (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcherPlugin.dll (49631 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SysAccLiveStrategy.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepMgr.dll (25776 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_9_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginSetup.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\TrustAndIso.dll (7971 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\vcredist_x86.exe (18934 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\GCScriptBind.dll (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\DriverManager.dll (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKitUtils.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\res\InstallWnd.zip (54196 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSOManagerPlugins\BDMSOAcceleratorPlugin.dll (7971 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMSetting.rdb (3312 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\CommonRes.rdb (37368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMTrayTipsPlugin.dll (40702 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\PluginManager.dll (9605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\extends.rdb (2392 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDLogicUtils.dll (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PluginManager.dll (42222 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOGarbageCleanerConfig.dat (11 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDKV.rdb (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonSusPlugin.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnTray.exe (57535 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\app.ico (2105 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\bd0001.sys (601 bytes)
%System%\config\AppEvent.Evt (1744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerScript.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\WebSafe.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.dll (5064 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMUpdate.dll (4545 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerXMLScript.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMRepBase.dll (38103 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SYSCleaner.dll (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMScriptVM.dll (1281 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_class_filter.db (7385 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\pluginUnit.dat (727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\System.dll (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\DriverManager.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\ad.dll (32784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDALeakfixer.exe (38904 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerScript.dat (53 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDASoftmgr.exe (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageCleanerConfig.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq1A.tmp (2190194 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSOCleanerTrayPlugin.dll (7345 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\RtpContainerConfig.xml (474 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\systemfile.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVScanPlugin.dll (35001 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDCooly.dll (8657 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SusPlugin.rdb (5520 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmswmanagerplugins\BDMSWManagerView.dll (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccTrayPlugin.dll (32784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\BDMSOAccServicePlugin.dll (6841 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\BDMSOAccSusPlugin.dll (7433 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_blank_speed.png (14 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_1_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMPatcherPlugins\BDMPatcher.dll (12287 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SORegCleanerScript.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSkin.dll (33536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatcher.dll (55014 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMDownload.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\app.ico (12024 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\AppBooster.rdb (12088 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\TrayPluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDASWAcc.exe (38 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bd0001.dll (673 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\StartupDict.dat (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\NetService.ini (590 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerPreScan.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMPatchAgent.dll (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\TrayPluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMReport.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWParseDetect.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\BDMSkin.dll (37025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOGarbageConfig.xml (28 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSkin.dll (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\PatcherContainer.xml (563 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\PluginInstallHelper.dll (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\BDMNetMonSusPlugin.dll (7385 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\百度卫士.lnk (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMReport.dll (34773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOSilentCleanerConfig.dat (11 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_5_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMScriptVM.dll (8184 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\scan_mgr_config.dat (2 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMPatchAgent.dll (3361 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SafePlugin.rdb (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysOptDict.dat (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOGarbageConfig.xml (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerLuaScript.dat (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnBugRpt.exe (34023 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_4_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SafePluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_6_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\804.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_property.dat (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDLogicUtils.dll (33295 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmsusplugins\SusPluginContainerConfig.xml (605 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccEngine.dll (4185 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccMgr.dll (5441 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMNetMonMgrDll.dll (49 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixer.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerScript.dat (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNetMonMgrDll.dll (1856 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerCheckItem.dat (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSysFixer\SysFixerConfig.dat (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\BDMSWManagerFrame.dll (6841 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\licenses\pluginclean.db (10815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDDownloader.exe (42222 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\uninst.exe (12287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnSvc.exe (38103 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMProcessRunningTime.dll (22552 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\dnw.xml (149 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMKVMainPlugin.dll (10815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HotPlugins.xml (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDNetMisc.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMNet.dll (40228 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\SafePluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMANTIVIRUS (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BaiduAnUpdate.exe (42222 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysAccLiveStrategy.dat (3312 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOTraceCleanerConfig.dat (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\sw_acc.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSusPlugin.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerConfig.dat (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmkvscanplugin\BDMKVScanPluginContainerConfig.xml (380 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_0_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmmainframeplugins\MainframePluginContainerConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerConfig.dat (5 bytes)
%System%\drivers\BDMNetMon.sys (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSWParseDetect.dll (8657 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\Patch\publish.db (32763 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\SWCatalogDataItem.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_class_filter.db (33248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOCleanerCheckItem.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\MainframePluginContainerConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMTrayTipsPlugin.dll (9098 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BDMSOCleaner\SOTraceConfig.xml (9 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDMSWNestCore.dll (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWindowsLib.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMKVMainPlugin.dll (46916 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMUpdate.dll (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\kav_compatible.dat (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\vcredist_x86.exe (82435 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\homepage.ini (361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\HIPS.dll (59286 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_7_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_3_speed.png (15 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\GlobalPluginInfo.xml (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\virus_type.dat (485 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMCoolyPlugins\BDMCoolyContainerConfig.xml (465 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\Softmgr.rdb (690 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\KVMain.rdb (1856 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDNetMisc.dll (601 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnBugRpt.exe (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\StartupDict.dat (16944 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDAVCache.dll (7547 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccServicePlugin.dll (30344 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\HotPlugins.xml (386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\RtpContainerConfig.xml (474 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SOManager.rdb (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\sw_acc.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDKVLogs.dll (35001 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\uninst.exe (54196 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDKitUtils.dll (40 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SWManager.rdb (18424 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\SysRepLib.dat (22 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSOManagerPlugins\BDMSOCleanerPlugin.dll (15506 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\directui license.txt (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\dnw.xml (149 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\BDArKit.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccStrategyMgr.dll (23296 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\kav_compatible.dat (25 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDBrowserProtecter.rdb (4992 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMRepMgr.dll (5441 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\CompatibilityChecker.dll (673 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTray.rdb (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\publish.db (140983 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_num_8_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMConnect.dll (43318 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDASoftmgr.exe (38904 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\virus_type.dat (485 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOCleanerPreScan.dat (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\卸载百度卫士.lnk (880 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSOAccTrayPlugin.dll (7345 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\RTPPlugins\HIPS.dll (13122 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\BDMTips.rdb (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysRepLib.dat (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAn.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0002.sys (7192 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOHomePageCleanerConfig.dat (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMMainFrame.dll (59286 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMWrench.sys (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerFrame.dll (30464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWManagerView.dll (43318 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BDMSOCleaner\SOGarbageConfig.xml (14 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Default\SOTurbo.rdb (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmtrayplugins\BDMSusPlugin.dll (7385 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\ad.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOLiveAccEngine.dll (22192 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\Skins\Tips\win8_1_second_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\GlobalPluginInfo.xml (784 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDALeakfixer.exe (8657 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\bdmkvscanplugin\BDMKVScanPlugin.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOCleanerTrayPlugin.dll (32784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SORegCleanerConfig.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\scan_mgr_config.dat (2 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMSysFixerPlugin.dll (12287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccSusPlugin.dll (33391 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SOTraceCleanerConfig.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\nsExec.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\LocalPluginInfo.xml (14 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\drivers\bd0002.sys (1281 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSWManager\homepage.ini (361 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMCoolyPlugins\BDMSOAccCoolyPlugin.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSWNestCore.dll (33877 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\websafe\WebSafe.dll (7385 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\bduf.dll (6841 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\plugins\BDMSafePlugins\BDMPatcherPlugin.dll (11518 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SORegCleanerConfig.dat (900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSOAccCoolyPlugin.dll (28288 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\BDDownloader.exe (9605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\blacksign.dat (537 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\bd0001.sys (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\SysFixerXMLScript.dat (2 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\BDMSOLiveAccStrategyMgr.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\InstallHelper.dll (34186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMDownload.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\804.dat (3 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SOSilentCleanerConfig.dat (11 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\bdmantivirus\BDMRepBase.dll (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\ns1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1B.tmp\file\BDMSafePlugin.dll (33391 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\FTSOManager\SysOptDict.dat (4 bytes)
%Program Files%\Baidu\BaiduAn\2.1.0.1214\NetService.ini (590 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVUpdate.rdb (1676 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdBugRpt.exe (1843 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\810.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\806.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayDldProtect.rdb (168 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll (2470 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\806.dat (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\901.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdvs.dat (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVMainFrame.dll (6404 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\directui license.txt (593 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\bduf.dll (308 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0002.sys (215 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\901.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNet.dll.bdl (29881 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\iexplore.exe.xml (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\ynz.dll.bdl (308228 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x64 (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMAVE.dll (185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\SearchProtection.rdb (132 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\res\onlineWnd.zip (16424 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVEng.dll (3716 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDLogicUtils.dll (258 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\changelog.txt (215 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\900.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\KavUpdate.dll (246 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BSRLib.dat (141 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe (9606 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray.rdb (1843 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMTinyXml.dll (181 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMAVCached.dll (303 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcp80.dll (1835 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\217122359\Setting\host.dat (306 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\fm.dat (597 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\blacksign.dat (852 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0002.sys (203 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Repair_PluginConfig.xml (411 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\BDArKit.pdb (3723 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\kav_verify.dat (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\Pizmdb.7z (83795 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\BDMWrench.sys (703 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt.dll (1707 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0002.pdb (1849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMReport.dll.bdl (36352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\dl.dll (65930 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\810.dat (3 bytes)
%System%\drivers\bd0002.sys (1281 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\All Users\Desktop\百度杀毒.lnk (811 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\04cffb82cb0ad0358680d869bf3dc3ad.bdt (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSkin.dll (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (166194 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\systemfile.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMUpdate.dll (160 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0001.pdb (273 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\licenses\duilib license.txt (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\hu.dll (3312 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\KVCommonRes.rdb (28502 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\809.dat (3 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDCooly.dll (44 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\卸载百度杀毒.lnk (796 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\804.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVLogs.dll (181 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect.dll (152 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\CompatibilityChecker.dll (90 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\virus_type.dat (485 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\app.ico (1623 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUProxy64.exe (3791 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand.dll (136 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdRepair.exe (1679 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\811.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSd.exe (1658 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\Config\900.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.map (33 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0002.sys (1281 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll (1654 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVWsc.exe (1671 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\updlog.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVTray_PluginConfig.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMReport.dll (1609 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\百度杀毒.lnk (823 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMMsg.dll (33 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\baidusdRepair.dll (123 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.pdb (1783 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastImage.png (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.map (39 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTips.rdb (69 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcr80.dll (3705 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ad.dll (1707 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMEvents.dll (15 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\BDArKit.sys (80 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\DriverManager.dll (119 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\tuopan.png (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDownloadProtect_x64.dll (181 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\tips.xml (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMNet.dll (3909 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\NetService.ini (615 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMFrameWork.dll (283 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKV.rdb (89 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\dnw.xml (149 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\KVRtp_PluginConfig.xml (2 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdUpdate.exe (1843 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDUDiskGuard.dll (238 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMDownload.dll (324 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMPerfMon.dll (140 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0001.sys (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMSkin.dll (38495 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\TrustAndIso.dll (226 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMStringUtils.dll (49 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (945 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\uninst.exe (3924 bytes)
%System%\drivers\BDArKit.sys (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepMgr.dll (279 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\Cooly_PluginConfig.xml (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (784 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0001.dll (131 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVConfig.rdb (120 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\BDAVCScan.dll (115 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\monitor_config.dat (559 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\win7\bd0003.pdb (1865 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\wverify.dat (12289 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDShellExt64.dll (1699 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDKitUtils.dll (54 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDLogicUtils.dll (30968 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers_back\x86 (4 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\TrayPlugin.rdb (3682 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdSvc.exe (1724 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\cache_config.dat (469 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\scan_mgr_config.dat (5 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDDownloader.exe (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\tmp_wmvut.dll (80376 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMBase.dll (6400 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSREng.dll (275 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BAV\bdmp.dat (25 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMPatchAgent.dll (26 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.pdb (3665 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\HIPS.dll (6359 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\FileMon.dll (1818 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\hips.xml (17 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\804.dat (3 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bd0002.dll (1749 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.ATL\atl80.dll (97 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDPerflog.dll (140 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\BDArKit.pdb (1832 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\ToastLogo.ico (1623 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\ieBaiduSDDetectPlug.dll (115 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMLog.dll (32 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\809.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BDMDownload.dll (5520 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\explugin\npBaiduSDDetectPlug.dll (99 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\winxp\bd0003.map (38 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\PrivacyProtect.dll (164 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmantivirus\BDMRepBase.dll (3901 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkv\BDKVVirusPlugins.dll (1609 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\UserDetectionPlugin.dll (156 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0001.pdb (1775 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll (189 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\plugins\bdkvrtpplugins\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDMSDWrench.dll (90 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\BDArKit.sys (90 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDConfig.dll (1838 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\DesktopToast.exe (103 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\BDKVDeskBand64.dll (125 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\BDArKit.sys (601 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Config\811.dat (8 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVQuarantine.rdb (10 bytes)
%System%\drivers\bd0003.sys (55 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x86\bd0001.sys (70 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\bd0002.pdb (3854 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\x64\win7\bd0003.sys (64 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\BDMSRCore.dll (287 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Skins\Default\BDKVTray\TrayPlugin.rdb (1812 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\bdmsysrepair\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\Microsoft.VC80.CRT\msvcm80.dll (1760 bytes)
%Program Files%\Baidu\BaiduSd\1.8.0.1255\drivers\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\Application Data\zn120146\set.ini (7 bytes)
%Documents and Settings%\%current user%\Application Data\zn120146\set120146\Setzh120146.ini (23 bytes)
%Documents and Settings%\%current user%\Application Data\zn120146\min.ini (14 bytes)
%WinDir%\Temp\Tar18.tmp (2712 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (816 bytes)
%WinDir%\Temp\Cab13.tmp (54 bytes)
%WinDir%\Temp\Cab15.tmp (54 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (36 bytes)
%WinDir%\Temp\Cab11.tmp (54 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db (149 bytes)
%WinDir%\Temp\Tar17.tmp (2712 bytes)
%WinDir%\Temp\Cab16.tmp (54 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\FileSignDB\MANIFEST-000002 (4 bytes)
%System%\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\privacy.db-journal (532 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db (145 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\white_list.db-journal (512 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\IsolationDB.db-journal (532 bytes)
%WinDir%\Temp\Tar14.tmp (2712 bytes)
%WinDir%\Temp\Tar12.tmp (2712 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\baidusd\CachedDB_1\MANIFEST-000002 (4 bytes)
%Documents and Settings%\%current user%\Templates\120146115937419\YYM_955WD30.gif (750 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsC.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\nsD.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxA.tmp (23772 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\tj.html (91 bytes)
%Program Files%\ainqngz3.9\jistlo.exe (5520 bytes)
%Documents and Settings%\%current user%\Desktop\爱情.智慧.3.9.lnk (708 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\爱情.智慧.3.9\öÃâ€ÂØ.lnk (715 bytes)
%Program Files%\ainqngz3.9\Ainqngz3.9.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].htm (91 bytes)
%Program Files%\ainqngz3.9\uninstall.exe (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsnB.tmp\md5dll.dll (8 bytes)
%Program Files%\ainqngz3.9\Hzsvr.exe (1552 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\爱情.智慧.3.9\爱情.智慧.3.9.lnk (720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378090598[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378091496[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[2].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378089971[1].png (4301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388481627[1].png (267 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091009[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1374205283[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\json_get_selected_page_by_rand[1] (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\statics_img[1].gif (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378090169[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378090575[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1378118373[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1388481662[1].png (2651 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\selected_page[2].js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[1].js (4553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091038[1].png (555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1388481693[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378087540[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\1378090027[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378091529[1].png (555 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378091571[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1390463888[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1374205294[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\selected_page[1].html (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\1378088733[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\iepngfix_tilebg[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\jquery.min[2].js (3974 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\selected_page[1].htm (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091654[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\json_get_selected_page_by_rand[1] (1426 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.tmpl.min[2].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1378091642[1].png (3 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BaiduAnTray" = "%Program Files%\Baidu\BaiduAn\2.1.0.1214\BaiduAnTray.exe -stmd=3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"baidusdTray" = "%Program Files%\Baidu\BaiduSd\1.8.0.1255\BaiduSdTray.exe -stmd=3"
Note that wextract_cleanup0 is the RunOnce entry registered by the wextract (IExpress) self-extractor that unpacked its contents to %Temp%\IXP000.TMP; it deletes that folder at the next logon and is not a persistence mechanism for the Trojan, although removing it is harmless. The two Run values are the actual persistence entries for the dropped Baidu components.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
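The autorun step above, as an added example that is not part of the Lavasoft report: a Python check that parses the text a "reg export" of HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion produces and reports which of the three listed values are present, so the step can be verified before and after cleanup and the benign wextract entry is told apart from the two persistence entries. The sample export embedded in the script is constructed from the report's key paths, value names and data; the user name "user", the expanded %System% path and the unrelated VMware value in it are assumptions.

```python
r"""Check a Windows .reg export for the autorun values listed in this report.

Added example, not part of the Lavasoft report. It parses the text format
that `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion out.reg`
writes and reports which of the listed Run/RunOnce values are present, so
the removal step can be verified before and after. The sample export below
is constructed: key paths, value names and data come from the report; the
user name "user", the expanded %System% path and the unrelated VMware value
are assumptions.
"""
import re

# Autorun values the report says to delete, as (key path, value name).
AUTORUN_IOCS = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
     "wextract_cleanup0"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "BaiduAnTray"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "baidusdTray"),
}

# Constructed sample of what `reg export` writes (UTF-16 on disk; already
# decoded here). Backslashes and quotes inside string data are escaped.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BaiduAnTray"="C:\\Program Files\\Baidu\\BaiduAn\\2.1.0.1214\\BaiduAnTray.exe -stmd=3"
"baidusdTray"="C:\\Program Files\\Baidu\\BaiduSd\\1.8.0.1255\\BaiduSdTray.exe -stmd=3"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"="rundll32.exe C:\\WINDOWS\\system32\\advpack.dll,DelNodeRunDLL32 C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\IXP000.TMP\\"
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data ; the name itself may contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # Undo .reg escaping: a backslash quotes the character that follows it.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the values in a .reg export.

    REG_SZ data is unquoted and unescaped; hex:/dword: data is kept raw and
    hex continuation lines (leading whitespace) are not joined.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = _unescape(m.group(1)), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def find_autorun_iocs(keys):
    """Return [(subkey, value name, data, note)] for the listed values that exist."""
    found = []
    for key, name in sorted(AUTORUN_IOCS):
        data = keys.get(key, {}).get(name)
        if data is None:
            continue
        if name == "wextract_cleanup0":
            note = "IExpress self-extractor cleanup of IXP000.TMP; not persistence, safe to delete"
        else:
            note = "autorun persistence for a dropped Baidu component"
        found.append((key.rsplit("\\", 1)[1], name, data, note))
    return found


if __name__ == "__main__":
    for subkey, name, data, note in find_autorun_iocs(parse_reg_export(SAMPLE_REG)):
        print(f"{subkey}\\{name} = {data}\n    -> {note}")
```

On a real host, export the key with reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion hklm-cv.reg and pass the file contents to parse_reg_export; reg export normally writes UTF-16 with a byte-order mark, so read it with encoding="utf-16". An empty result after the removal step confirms the values are gone.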
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23624 | 24064 | 4.46284 | dab38f512d56590c009f506a9c20a2f0 |
.rdata | 28672 | 4764 | 5120 | 3.49973 | 165e3e874dc59c8a96748c6f4d0f4207 |
.data | 36864 | 154712 | 1024 | 3.3307 | a5573ac89d4a106e6174f74a97e83c42 |
.ndata | 192512 | 81920 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 274432 | 82688 | 82944 | 5.24293 | 42dadbfa0548236155209e6f107bc6bd |
The .ndata section (raw size 0, virtual size 81920, section MD5 d41d8cd98f00b204e9800998ecf8427e, which is the MD5 of empty input) is the uninitialized data section of an NSIS installer stub. Together with the NSIS plug-ins unpacked to %Temp%\nsnB.tmp (NSISdl.dll, nsExec.dll, Inetc.dll, System.dll, Math.dll, Base64.dll, md5dll.dll), this shows the sample is an NSIS installer whose behaviour lives in its install script and in what it downloads, not in the stub's own code.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://hi.petj.org/setup/?name=%original file name%.exe&mac=00-0C-29-02-CD-FB&md5=34bc6520b971e02a7d0a01c533a9df9b&ini=z.ini&v=1.0.2.4 | 61.147.92.105 |
hxxp://shadu.n.shifen.com/index/minidownload/30656 | |
hxxp://baidubrs.dlmix.glb0.lxdns.com/tpymn/hqphc_30656.exe | |
hxxp://209.170.78.71/dl1sw.baidu.com/tpymn/hqphc_30656.exe?wsiphost=ipdb | |
hxxp://shadu.n.shifen.com/index/minidownload/70404 | |
hxxp://baidubrs.dlmix.glb0.lxdns.com/new_wsmn/tjjrfx_70404.exe | |
hxxp://209.170.78.71/dl1sw.baidu.com/new_wsmn/tjjrfx_70404.exe?wsiphost=ipdb | |
hxxp://pxsw.n.shifen.com/ | |
hxxp://c01.i07.arnic.hadns.net/new/pczh_100_1.txt | |
hxxp://bcs.jomodns.com/sw-search-shadu/client/dllv4/BDMReport.dll | |
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/patch/16101830722/BDMNet.dll | |
hxxp://209.170.78.71/dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll?wsiphost=ipdb | |
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/install/21290079118/BDMZip.dll | |
hxxp://209.170.78.71/dl1sw.baidu.com/client1/common/install/21290079118/BDMZip.dll?wsiphost=ipdb | |
hxxp://bcs.jomodns.com/sw-search-sp/client/dlljg1/BDMNet.dll | |
hxxp://c01.i07.arnic.hadns.net/0403/help1.html | |
hxxp://c01.i07.arnic.hadns.net/up_17.html?06011159 | |
hxxp://dx5.3525.com/tj.php?mac=000C2902CDFB&st=1&exez=pczh_100_1.exe&exef=%original file name%.exe&pass=44683dff641394194c05e3f3ca584214&url1=hxxp://ya.ru/&url2=ya | |
hxxp://dx5.3525.com/xin/?ver=137 | |
hxxp://sxsw.n.shifen.com/ | |
hxxp://c01.i07.arnic.hadns.net/zhibo2.html?id=pczh_100_1.exe&en=120146&go= | |
hxxp://sxcdn.kukuplay.com/support/mini/fyminiloader-min.js | |
hxxp://c.split.cnzz.com/stat.php?id=2701879&web_id=2701879 | |
hxxp://z10.cnzz.com/stat.htm?id=2701879&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=1706435429-1401613207-&showp=1276x846&st=0&sin=&t=&rnd=1502861487 | |
hxxp://dlsw.baidu.com/sw-search-sp/client/dlljg1/BDMNet.dll | 61.155.165.27 |
hxxp://dlsw.baidu.com/sw-search-shadu/client/dllv4/BDMReport.dll | 61.155.165.27 |
hxxp://tj.aiqingzhihui.com/xin/?ver=137 | 222.186.130.92 |
hxxp://p.x.baidu.com/ | 180.149.131.24 |
hxxp://tj.aiqingzhihui.com/tj.php?mac=000C2902CDFB&st=1&exez=pczh_100_1.exe&exef=%original file name%.exe&pass=44683dff641394194c05e3f3ca584214&url1=hxxp://ya.ru/&url2=ya | 222.186.130.92 |
hxxp://dl1sw.baidu.com/new_wsmn/tjjrfx_70404.exe | 8.37.235.12 |
hxxp://s.x.baidu.com/ | 180.76.2.46 |
hxxp://dl1sw.baidu.com/client1/common/install/21290079118/BDMZip.dll | 8.37.235.12 |
hxxp://s6.cnzz.com/stat.php?id=2701879&web_id=2701879 | 1.99.192.15 |
hxxp://dl1sw.baidu.com/client1/common/patch/16101830722/BDMNet.dll | 8.37.235.12 |
hxxp://tv.aiqingzhihui.com/zhibo2.html?id=pczh_100_1.exe&en=120146&go= | 125.39.21.33 |
hxxp://static.m0dlcdn.kukuplay.com/support/mini/fyminiloader-min.js | 211.142.30.27 |
hxxp://xz.fuzhicheng.com/new/pczh_100_1.txt | 125.39.21.33 |
hxxp://dl1sw.baidu.com/tpymn/hqphc_30656.exe | 8.37.235.12 |
hxxp://weishi.baidu.com/index/minidownload/70404 | 180.149.131.112 |
hxxp://shadu.baidu.com/index/minidownload/30656 | 180.149.131.112 |
hxxp://update.aiqingzhihui.com/up_17.html?06011159 | 125.39.21.36 |
hxxp://update.aiqingzhihui.com/0403/help1.html | 125.39.21.36 |
dtrp.download.iyuntian.com | 123.125.65.150 |
cfg.download.iyuntian.com | 123.125.65.132 |
jp.download.iyuntian.com | 123.125.65.154 |
c.cnzz.com | 42.120.219.6 |
down.begrp.org | 222.186.60.12 |
res.download.iyuntian.com | 123.125.65.129 |
tk.download.iyuntian.com | 123.125.69.209 |
rc.download.iyuntian.com | 123.125.65.153 |
hzs17.cnzz.com | 42.156.140.23 |
my.zolly.org | 113.107.42.55 |
utk.download.iyuntian.com | 123.125.65.147 |
mini.fengyunzhibo.com | |
Two caveats when turning this table into indicators. First, many requests are listed twice, once under the host name the Trojan asked for and once under the CDN or CNAME name it resolved to (weishi.baidu.com and shadu.n.shifen.com for /index/minidownload/70404, dl1sw.baidu.com and baidubrs.dlmix.glb0.lxdns.com for /tpymn/hqphc_30656.exe, update.aiqingzhihui.com and c01.i07.arnic.hadns.net for /0403/help1.html, xz.fuzhicheng.com and the same hadns.net host for /new/pczh_100_1.txt); the rows without an IP are these alternate names, and the shared CDN names also serve unrelated content, so block or pivot on the requested names under aiqingzhihui.com, fuzhicheng.com, 3525.com and petj.org together with the paths. Second, the mac= values (00-0C-29-02-CD-FB, an OUI assigned to VMware) and the md5= and pass= values in the tj.php and /setup/ beacons describe the analysis VM and the sample, so match those beacons on host, path and parameter names rather than on these literals.
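The beacon URLs in the table above, as an added detection example that is not part of the Lavasoft report: a Python scanner that flags the /tj.php and /setup/ check-ins in Squid-format proxy logs by host suffix, path and parameter names, and normalises the two MAC spellings so both beacons can be tied to one host. The log lines are constructed for this example; the client addresses and the file name setup.exe (standing in for the report's %original file name%.exe) are assumptions.

```python
"""Flag the installer's tracking beacons in web-proxy logs.

Added example, not part of the Lavasoft report. The beacon shapes come from
the report's URL table: /tj.php?mac=...&exez=...&exef=...&pass=... on
tj.aiqingzhihui.com and dx5.3525.com, and /setup/?name=...&mac=...&md5=...
on hi.petj.org. Matching is on host suffix, path and parameter names, not
on the mac= and md5= values, which belong to the analysis VM and the sample.
The Squid-native log lines are constructed; the client addresses and the
file name setup.exe (the report's %original file name%.exe) are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Beacon signatures: host suffixes, exact path and the query parameters that
# carry host identity (MAC address) and installer identity (hash, file names).
BEACON_RULES = [
    {"hosts": ("aiqingzhihui.com", "3525.com"), "path": "/tj.php",
     "required": {"mac", "exez", "exef", "pass"}},
    {"hosts": ("petj.org",), "path": "/setup/",
     "required": {"name", "mac", "md5"}},
]


def normalize_mac(raw):
    """'000C2902CDFB' and '00-0C-29-02-CD-FB' both become '00:0c:29:02:cd:fb'."""
    digits = "".join(c for c in raw.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _host_matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_url(url):
    """Return (beacon path, extracted fields) if url matches a rule, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    for rule in BEACON_RULES:
        if (_host_matches(host, rule["hosts"]) and parts.path == rule["path"]
                and rule["required"].issubset(params)):
            fields = {k: params[k] for k in sorted(rule["required"])}
            fields["host"] = host
            fields["mac_norm"] = normalize_mac(params["mac"])
            return rule["path"], fields
    return None


def scan_proxy_log(lines):
    """Squid native format: time elapsed client code/status bytes method URL ..."""
    hits = []
    for line in lines:
        cols = line.split()
        if len(cols) < 7:
            continue
        result = classify_url(cols[6])
        if result is not None:
            path, fields = result
            hits.append({"client": cols[2], "beacon": path, **fields})
    return hits


# Constructed log lines: the first two are beacons, the last two are not.
SAMPLE_LOG = """\
1401613207.101    312 10.0.0.23 TCP_MISS/200 1426 GET http://tj.aiqingzhihui.com/tj.php?mac=000C2902CDFB&st=1&exez=pczh_100_1.exe&exef=setup.exe&pass=44683dff641394194c05e3f3ca584214&url1=http://ya.ru/&url2=ya - DIRECT/222.186.130.92 text/html
1401613208.220     88 10.0.0.23 TCP_MISS/200 512 GET http://hi.petj.org/setup/?name=setup.exe&mac=00-0C-29-02-CD-FB&md5=34bc6520b971e02a7d0a01c533a9df9b&ini=z.ini&v=1.0.2.4 - DIRECT/61.147.92.105 text/html
1401613209.005   1200 10.0.0.23 TCP_MISS/200 91 GET http://update.aiqingzhihui.com/up_17.html?06011159 - DIRECT/125.39.21.36 text/html
1401613210.400     40 10.0.0.45 TCP_HIT/200 4553 GET http://example.com/jquery.min.js - NONE/- application/javascript
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The rules deliberately require the parameter names, not their values: a host-only match would also fire on the update.aiqingzhihui.com page fetches, and a value match would miss every victim except the sandbox that produced this report.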
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):