HEUR:Trojan.Win32.Generic (Kaspersky), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b26c3785c0e5607c439cef04c1b08af9
SHA1: d3ea8142a4220f36e0818768ff662ff85a444d18
SHA256: 989b7aa9a4c0f10fa65b3dc51ffe499c0f1f44c70361f508c0a695b7713cd6f9
SSDeep: 12288:SATIGgSdGOw rIoAL4IVC6LTlaqs7ZjsmZ k5EqNU/psOHP9OU30t7vtjXtHqQDt:Sw7sX soADVCP7lsmZ pAUBVPB3AR5
Size: 954368 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-26 07:58:37
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:960
File activity
The process %original file name%.exe:960 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1] (4319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\bgs14[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\myfav_1212[1].png (7 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\data-userdata[1].xml (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\ttx123[1].htm (136 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.ttx123[1].txt (164 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\data-userdata[1].xml (274 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\christmas[1].xml (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[3].txt (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\mystyle_wait[1].gif (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1].htm (3930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\time[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\baidu_20140110_01[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\body0_2[1].png (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\index_20140127_03[1].css (2967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\baidu_web[1].gif (1 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\wc[1].xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (100 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[1].txt (2274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\entertainChannel_20140103[1].js (7 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\data-userdata[1].xml (162 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\__TOOLSBOX__[1].xml (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@union2.50bang[1].txt (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\ico_taobao[1].png (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\skin0_17[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\w_night40[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\2345[1].htm (2973 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[2].txt (2460 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\siteClicks[1].xml (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\icos23[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\mz_toggle[1].png (986 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\ico_vipshop[1].png (439 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\tmall_GIF_0126[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\logo_0128[1].gif (778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\blank[1].png (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\2345[1] (229 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\lc[1].xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\func_20140121_01[1].js (2454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\20140129[1].js (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\20140127160354[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ajax[2].txt (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xq.swf (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\w_day40[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ajax[1].txt (152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\act_0127_png8[1].png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\newsChannel_20140103[1].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\jsVersion[1].js (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\20140127160524[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\ico_amazon[1].png (536 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\__siteClicksTip__[1].xml (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\tipSet_ie6[1].png (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\banner_0127[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\common_20140110_01[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\lazyloading[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (196 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\data-userdata[1].xml (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\input_20140110_01[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\stopie6[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\mz_0116[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\google_web[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\ico_tuniu_2[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\2345_0120[1].eot (2067 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\toptip_ie6[1].xml (162 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\UserData\KTOR0Z81\data-userdata[1].xml (0 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\data-userdata[1].xml (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ajax[1].txt (0 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\data-userdata[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[1].txt (0 bytes)
Registry activity
The process %original file name%.exe:960 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page bak" = "about:blank"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL bak" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.2345.com/?k36500594"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1388037517"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 43 27 94 EE 85 58 82 66 C4 B9 D5 AA 20 66 F2"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?k36500594"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Network activity (URLs)
URL | IP |
---|---|
hxxp://42.62.4.52/time.txt?time=1390947210532 | |
hxxp://42.62.4.52/css/index_20140127_03.css?v=5.28.1 | |
hxxp://42.62.4.52/fonts/2345_0120.eot? | |
hxxp://42.62.4.52/i/blank.png | |
hxxp://42.62.4.52/images/icos23.png | |
hxxp://42.62.4.52/images/lazyloading.gif | |
hxxp://42.62.4.52/images/body0_2.png | |
hxxp://42.62.4.52/i/logo_0128.gif | |
hxxp://42.62.4.52/images/bgs14.png | |
hxxp://42.62.4.52/i/search0320/baidu_web.gif | |
hxxp://42.62.4.52/images/tipSet_ie6.png | |
hxxp://42.62.4.52/images/skin0_17.png | |
hxxp://42.62.4.52/i/search0320/google_web.gif | |
hxxp://42.62.4.52/right/homepage/jsVersion.js?t=1390947213157 | |
hxxp://42.62.4.52/css/func_20140121_01.js?ver=1.0 | |
hxxp://42.62.4.52/css/input_20140110_01.js?ver=1.0 | |
hxxp://42.62.4.52/images/tmall_GIF_0126.gif | |
hxxp://42.62.4.52/i/banner_0127.jpg | |
hxxp://42.62.4.52/images/ico_taobao.png | |
hxxp://union2.50bang.org/js/2345 | 42.62.4.61 |
hxxp://42.62.4.52/images/mz_0116.png | |
hxxp://42.62.4.52/images/mz_toggle.png | |
hxxp://union2.50bang.org/web/2345?uId2=SRVNXRTMOV&r=&fBL=1024*768 | |
hxxp://tianqi.2345.com/t/detect2009v2.php?ver=1.0 | 42.62.4.53 |
hxxp://42.62.4.52/images/ico_tuniu_2.png | |
hxxp://42.62.4.52/images/ico_amazon.png | |
hxxp://42.62.4.52/images/ico_vipshop.png | |
hxxp://union2.50bang.org/web/ajax?uId2=SPTNPQRLSX&r=http://www.2345.com/?k36500594&fBL=1024*768&lO=detected | |
hxxp://42.62.4.52/right/homepage/newsChannel_20140103.js?t=1390286064&ver=0.29.0.0 | |
hxxp://42.62.4.52/right/homepage/entertainChannel_20140103.js?t=1390876544&ver=1.0 | |
hxxp://42.62.4.52/i/banner_0127/act_0127_png8.png | |
hxxp://42.62.4.52/css/baidu_20140110_01.js?ver=1.0 | |
hxxp://42.62.4.52/day_data/20140129.js?ver=1.0 | |
hxxp://42.62.4.52/images/stopie6.png | |
hxxp://42.62.4.52/images/myfav_1212.png | |
hxxp://42.62.4.52/images/w_night40.png | |
hxxp://42.62.4.52/images/w_day40.png | |
hxxp://42.62.4.52/right/homepage/img/block1/tab1/20140127160354.jpg | |
hxxp://42.62.4.52/images/mystyle_wait.gif | |
hxxp://42.62.4.52/right/homepage/img/block1/tab1/20140127160524.jpg | |
hxxp://union2.50bang.org/web/ajax90?uId2=SPTNPQRLSX&r=http://www.2345.com/?k36500594&fBL=1024*768&lO=k36500594 | |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1] (4319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\bgs14[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\myfav_1212[1].png (7 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\data-userdata[1].xml (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\ttx123[1].htm (136 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.ttx123[1].txt (164 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\data-userdata[1].xml (274 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\christmas[1].xml (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[3].txt (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\mystyle_wait[1].gif (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1].htm (3930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\time[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\baidu_20140110_01[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\body0_2[1].png (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\index_20140127_03[1].css (2967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\baidu_web[1].gif (1 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\wc[1].xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (100 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[1].txt (2274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\entertainChannel_20140103[1].js (7 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\data-userdata[1].xml (162 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\__TOOLSBOX__[1].xml (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@union2.50bang[1].txt (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\ico_taobao[1].png (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\skin0_17[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\w_night40[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\2345[1].htm (2973 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[2].txt (2460 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\siteClicks[1].xml (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\icos23[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\mz_toggle[1].png (986 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\ico_vipshop[1].png (439 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\tmall_GIF_0126[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\logo_0128[1].gif (778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\blank[1].png (953 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\lc[1].xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\func_20140121_01[1].js (2454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\20140129[1].js (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\20140127160354[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ajax[2].txt (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xq.swf (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\w_day40[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ajax[1].txt (152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\act_0127_png8[1].png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\newsChannel_20140103[1].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\jsVersion[1].js (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\20140127160524[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\ico_amazon[1].png (536 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\__siteClicksTip__[1].xml (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\tipSet_ie6[1].png (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\banner_0127[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\common_20140110_01[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\lazyloading[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (196 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\data-userdata[1].xml (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\input_20140110_01[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\stopie6[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\mz_0116[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\google_web[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\ico_tuniu_2[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\2345_0120[1].eot (2067 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\toptip_ie6[1].xml (162 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.