Skip to main content

Trojan.Win32.FlyStudio_b26c3785c0


HEUR:Trojan.Win32.Generic (Kaspersky), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: b26c3785c0e5607c439cef04c1b08af9

SHA1: d3ea8142a4220f36e0818768ff662ff85a444d18

SHA256: 989b7aa9a4c0f10fa65b3dc51ffe499c0f1f44c70361f508c0a695b7713cd6f9

SSDeep: 12288:SATIGgSdGOw rIoAL4IVC6LTlaqs7ZjsmZ k5EqNU/psOHP9OU30t7vtjXtHqQDt:Sw7sX soADVCP7lsmZ pAUBVPB3AR5

Size: 954368 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: Armadillov171, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, UPolyXv05_v6

Company: no certificate found

Created at: 2013-12-26 07:58:37

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

%original file name%.exe:960

File activity

The process %original file name%.exe:960 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1] (4319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\bgs14[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\myfav_1212[1].png (7 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\data-userdata[1].xml (408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\ttx123[1].htm (136 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@www.ttx123[1].txt (164 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\data-userdata[1].xml (274 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\christmas[1].xml (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[3].txt (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\mystyle_wait[1].gif (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1].htm (3930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\time[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\baidu_20140110_01[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\body0_2[1].png (183 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\index_20140127_03[1].css (2967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\baidu_web[1].gif (1 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\wc[1].xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (100 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[1].txt (2274 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\entertainChannel_20140103[1].js (7 bytes)
%Documents and Settings%\%current user%\UserData\KTOR0Z81\data-userdata[1].xml (162 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\__TOOLSBOX__[1].xml (54 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@union2.50bang[1].txt (190 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\ico_taobao[1].png (958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\skin0_17[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\w_night40[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\2345[1].htm (2973 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[2].txt (2460 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\siteClicks[1].xml (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\icos23[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\mz_toggle[1].png (986 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\ico_vipshop[1].png (439 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\tmall_GIF_0126[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\logo_0128[1].gif (778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\blank[1].png (953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\2345[1] (229 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\lc[1].xml (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\func_20140121_01[1].js (2454 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\20140129[1].js (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\20140127160354[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ajax[2].txt (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xq.swf (169 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\w_day40[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ajax[1].txt (152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\act_0127_png8[1].png (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\newsChannel_20140103[1].js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\jsVersion[1].js (201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\20140127160524[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\ico_amazon[1].png (536 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\__siteClicksTip__[1].xml (142 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\tipSet_ie6[1].png (731 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\banner_0127[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\common_20140110_01[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\lazyloading[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (196 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\data-userdata[1].xml (202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\input_20140110_01[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\stopie6[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\mz_0116[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\google_web[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\ico_tuniu_2[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\2345_0120[1].eot (2067 bytes)
%Documents and Settings%\%current user%\UserData\YJM90VAL\toptip_ie6[1].xml (162 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\UserData\KTOR0Z81\data-userdata[1].xml (0 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\data-userdata[1].xml (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@ajax[1].txt (0 bytes)
%Documents and Settings%\%current user%\UserData\4XCFALMJ\data-userdata[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1].htm (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@2345[1].txt (0 bytes)

Registry activity

The process %original file name%.exe:960 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page bak" = "about:blank"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL bak" = "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

[HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Page_URL" = "http://www.2345.com/?k36500594"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1388037517"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 43 27 94 EE 85 58 82 66 C4 B9 D5 AA 20 66 F2"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.2345.com/?k36500594"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL IP
hxxp://42.62.4.52/time.txt?time=1390947210532
hxxp://42.62.4.52/css/index_20140127_03.css?v=5.28.1
hxxp://42.62.4.52/fonts/2345_0120.eot?
hxxp://42.62.4.52/i/blank.png
hxxp://42.62.4.52/images/icos23.png
hxxp://42.62.4.52/images/lazyloading.gif
hxxp://42.62.4.52/images/body0_2.png
hxxp://42.62.4.52/i/logo_0128.gif
hxxp://42.62.4.52/images/bgs14.png
hxxp://42.62.4.52/i/search0320/baidu_web.gif
hxxp://42.62.4.52/images/tipSet_ie6.png
hxxp://42.62.4.52/images/skin0_17.png
hxxp://42.62.4.52/i/search0320/google_web.gif
hxxp://42.62.4.52/right/homepage/jsVersion.js?t=1390947213157
hxxp://42.62.4.52/css/func_20140121_01.js?ver=1.0
hxxp://42.62.4.52/css/input_20140110_01.js?ver=1.0
hxxp://42.62.4.52/images/tmall_GIF_0126.gif
hxxp://42.62.4.52/i/banner_0127.jpg
hxxp://42.62.4.52/images/ico_taobao.png
hxxp://union2.50bang.org/js/234542.62.4.61
hxxp://42.62.4.52/images/mz_0116.png
hxxp://42.62.4.52/images/mz_toggle.png
hxxp://union2.50bang.org/web/2345?uId2=SRVNXRTMOV&r=&fBL=1024*768
hxxp://tianqi.2345.com/t/detect2009v2.php?ver=1.042.62.4.53
hxxp://42.62.4.52/images/ico_tuniu_2.png
hxxp://42.62.4.52/images/ico_amazon.png
hxxp://42.62.4.52/images/ico_vipshop.png
hxxp://union2.50bang.org/web/ajax?uId2=SPTNPQRLSX&r=http://www.2345.com/?k36500594&fBL=1024*768&lO=detected
hxxp://42.62.4.52/right/homepage/newsChannel_20140103.js?t=1390286064&ver=0.29.0.0
hxxp://42.62.4.52/right/homepage/entertainChannel_20140103.js?t=1390876544&ver=1.0
hxxp://42.62.4.52/i/banner_0127/act_0127_png8.png
hxxp://42.62.4.52/css/baidu_20140110_01.js?ver=1.0
hxxp://42.62.4.52/day_data/20140129.js?ver=1.0
hxxp://42.62.4.52/images/stopie6.png
hxxp://42.62.4.52/images/myfav_1212.png
hxxp://42.62.4.52/images/w_night40.png
hxxp://42.62.4.52/images/w_day40.png
hxxp://42.62.4.52/right/homepage/img/block1/tab1/20140127160354.jpg
hxxp://42.62.4.52/images/mystyle_wait.gif
hxxp://42.62.4.52/right/homepage/img/block1/tab1/20140127160524.jpg
hxxp://union2.50bang.org/web/ajax90?uId2=SPTNPQRLSX&r=http://www.2345.com/?k36500594&fBL=1024*768&lO=k36500594


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1] (4319 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\bgs14[1].png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\myfav_1212[1].png (7 bytes)
    %Documents and Settings%\%current user%\UserData\2Z89WTQV\data-userdata[1].xml (408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\ttx123[1].htm (136 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@www.ttx123[1].txt (164 bytes)
    %Documents and Settings%\%current user%\UserData\YJM90VAL\data-userdata[1].xml (274 bytes)
    %Documents and Settings%\%current user%\UserData\KTOR0Z81\christmas[1].xml (54 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@2345[3].txt (327 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\mystyle_wait[1].gif (381 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\hao123[1].htm (3930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\time[1].txt (0 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\baidu_20140110_01[1].js (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\body0_2[1].png (183 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\index_20140127_03[1].css (2967 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\baidu_web[1].gif (1 bytes)
    %Documents and Settings%\%current user%\UserData\KTOR0Z81\wc[1].xml (126 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SkinH_EL.dll (100 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@2345[1].txt (2274 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\entertainChannel_20140103[1].js (7 bytes)
    %Documents and Settings%\%current user%\UserData\KTOR0Z81\data-userdata[1].xml (162 bytes)
    %Documents and Settings%\%current user%\UserData\2Z89WTQV\__TOOLSBOX__[1].xml (54 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@union2.50bang[1].txt (190 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\ico_taobao[1].png (958 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\skin0_17[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\w_night40[1].png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\2345[1].htm (2973 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@2345[2].txt (2460 bytes)
    %Documents and Settings%\%current user%\UserData\4XCFALMJ\siteClicks[1].xml (250 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\icos23[1].png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\mz_toggle[1].png (986 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\ico_vipshop[1].png (439 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\tmall_GIF_0126[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\logo_0128[1].gif (778 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\blank[1].png (953 bytes)
    %Documents and Settings%\%current user%\UserData\YJM90VAL\lc[1].xml (126 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\func_20140121_01[1].js (2454 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\20140129[1].js (53 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\20140127160354[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ajax[2].txt (327 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xq.swf (169 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\w_day40[1].png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@ajax[1].txt (152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\act_0127_png8[1].png (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\newsChannel_20140103[1].js (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\jsVersion[1].js (201 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\20140127160524[1].jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\ico_amazon[1].png (536 bytes)
    %Documents and Settings%\%current user%\UserData\4XCFALMJ\__siteClicksTip__[1].xml (142 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\tipSet_ie6[1].png (731 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\banner_0127[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\common_20140110_01[1].js (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\lazyloading[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@hao123[1].txt (196 bytes)
    %Documents and Settings%\%current user%\UserData\4XCFALMJ\data-userdata[1].xml (202 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\input_20140110_01[1].js (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\stopie6[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4LUFCD6N\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (14652 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\MUOL4SW7\mz_0116[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ZTURSJKD\google_web[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\ico_tuniu_2[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\O7W1ET8J\2345_0120[1].eot (2067 bytes)
    %Documents and Settings%\%current user%\UserData\YJM90VAL\toptip_ie6[1].xml (162 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

Network Activity

Map

Strings from Dumps