HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.Agent_r!IK (Emsisoft), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: bbdb156b0aca92f6b3e72bb4370e3b0e
SHA1: 2ae8f852412f5fb41a03c576bef21462f742b1ea
SHA256: cf8ee43c7123ea989c85c5ce44be0b4a2843bafcc0147d8fc4cee4612eefe113
SSDeep: 24576:W8dhLKXZfGw9vU2n6uUJs9ITZaqdiXSp0c02uFG6dAk3CMeNH:RdsGqhU TZaqdwk0c05HGiY
Size: 1908736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: WinterSoft
Created at: 2013-10-06 05:03:47
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
Reader_sl.exe:1064
wuauclt.exe:344
jusched.exe:1056
The Trojan injects its code into the following process(es):
bbdb156b0aca92f6b3e72bb4370e3b0e.exe:280
File activity
The process bbdb156b0aca92f6b3e72bb4370e3b0e.exe:280 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\common[1].js (42233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\dot[1].gif (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\core[1].php (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\fl_bm_c[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\collapsed_no[1].gif (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\qmenu[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\online_moderator[1].gif (375 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\1[1].gif (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\online_admin[1].gif (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\72_avatar_small[1].jpg (1648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\search[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\noavatar_small[1].gif (3148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\fl_bm_c_r[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\toptb[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\discuz_tips[1].js (583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\online_member[1].gif (365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\chart[1].png (990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\online_supermod[1].gif (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\switch_width[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\panel-toggle-drop[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\toss_11[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\forum[1].js (7219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\common_37_icon[1].jpg (894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\common_extra[1].js (20816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\common_39_icon[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\site_qq[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\style_2_widthauto[1].css (25 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\nav_bg[1].png (1253 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\fl_h2[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\common_41_icon[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@lm.gli[2].txt (4531 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\discuz_tips[2].js (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\pt_item[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\MjU4NTc4ODU=[1].js (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\6dbdbe6d369556ee72b89e3c17a1aa06[1].jpg (14340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\home[1].png (420 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\js[1].touclick (1890 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\logo[1].png (1141 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@gli[1].txt (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\follow_quick_03[1].js (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\common_40_icon[1].jpg (895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\loading[1].gif (1047 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\ping[1].js (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\CAQZ6N2H.gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\fl_bm_c_l[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\81_avatar_small[1].jpg (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\noavatar_small[1].gif (1574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\title[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\2[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\nav_active_bg[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\style_2_forum_index[1].css (2809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\da3515dbee9263eefca9e73a244dd081[1].jpg (5672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\dwzscqgx[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@lm.gli[1].txt (5361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\index[1].php (932 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\logging[1].js (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\scrolltop[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\ping[2].js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\like[1].htm (738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\style_2_common[1].css (48799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\qq_login[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\pn[1].png (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\73_avatar_small[1].jpg (1606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\common_2_icon[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\jquery[1].js (1544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\newarow[1].gif (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\quickfollowbgnew[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\quickfollownewstyle3[1].css (799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\background[1].gif (3665 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\3ef5e00b939f583c9f41085f1649c7f8[1].jpg (10693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\jquery[2].js (4478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\follow_quick_03[2].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\forum[1].htm (8217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\fe6d33f440f3870e95112b10edf87420[1].jpg (19478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\common_38_icon[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\sortnum[1].png (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\index[1].htm (1 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\px[1].png (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\75_avatar_small[1].jpg (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\pic[1].gif (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\93e545ac7ac8a4c5002be47be870b8a9[1].jpg (6748 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\discuz_tips[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\jquery[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\follow_quick_03[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@lm.gli[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\ping[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@lm.gli[2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\noavatar_small[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\noavatar_small[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
The process wuauclt.exe:344 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
The Trojan deletes the following file(s):
%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)
The process jusched.exe:1056 makes changes in a file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
Registry activity
The process bbdb156b0aca92f6b3e72bb4370e3b0e.exe:280 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013103020131031]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013103020131031]
"CacheLimit" = "8192"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1024x768x32(BGR 0)" = "31,31,31,31"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013103020131031]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "bbdb156b0aca92f6b3e72bb4370e3b0e.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1381025027"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013103020131031]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013103020131031\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 D7 B4 08 8F A7 67 19 CF 19 23 64 F0 76 B2 97"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013103020131031]
"CachePrefix" = ":2013103020131031:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process Reader_sl.exe:1064 makes changes in a system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Network activity (URLs)
| URL | IP |
|---|---|
| hxxp://gli.la/dwzscqgx.txt | 103.27.126.83 |
| hxxp://gli.la/ | |
| hxxp://gli.la/forum.php | |
| hxxp://gli.la/data/cache/style_2_common.css?a88 | |
| hxxp://gli.la/data/cache/style_2_forum_index.css?a88 | |
| hxxp://gli.la/static/js/common.js?a88 | |
| hxxp://gli.la/data/cache/style_2_widthauto.css?a88 | |
| hxxp://gli.la/static/js/forum.js?a88 | |
| hxxp://gli.la/template/ailexun_free/alx_img/logo.png | |
| hxxp://gli.la/static/js/logging.js?a88 | |
| hxxp://gli.la/template/ailexun_free/alx_img/background.gif | |
| hxxp://gli.la/static/image/diy/panel-toggle-drop.png | |
| hxxp://gli.la/template/ailexun_free/alx_img/toptb.png | |
| hxxp://gli.la/static/image/common/switch_width.png | |
| hxxp://gli.la/static/image/common/px.png | |
| hxxp://gli.la/static/image/common/newarow.gif | |
| hxxp://gli.la/connect.php?mod=check&op=cookie | |
| hxxp://gli.la/static/image/common/qq_login.gif | |
| hxxp://js.touclick.com/js.touclick?b=8945ab12-cd42-42c8-ac71-aa65088ab434&v=v3-0&pf=discuz | 42.121.69.134 |
| hxxp://gli.la/static/image/common/pn.png | |
| hxxp://gli.la/template/ailexun_free/alx_img/search.png | |
| hxxp://gli.la/template/ailexun_free/alx_img/nav_bg.png | |
| hxxp://gli.la/data/attachment/block/6d/6dbdbe6d369556ee72b89e3c17a1aa06.jpg | |
| hxxp://tcss.tcdn.qq.com/ping.js?v=1a88 | |
| hxxp://gli.la/data/attachment/block/fe/fe6d33f440f3870e95112b10edf87420.jpg | |
| hxxp://gli.la/data/attachment/block/93/93e545ac7ac8a4c5002be47be870b8a9.jpg | |
| hxxp://tcss.tcdn.qq.com/icon/toss_11.gif | |
| hxxp://tcss.tcdn.qq.com/heatmap/85/MjU4NTc4ODU=.js?rand=7483188951 | |
| hxxp://gli.la/data/attachment/block/3e/3ef5e00b939f583c9f41085f1649c7f8.jpg | |
| hxxp://c.cnzz.com/stat.php?id=5490795&web_id=5490795&show=pic | |
| hxxp://pingtcss.qq.com/pingd?dm=lm.gli.la&url=/forum.php&arg=-&rdm=-&rurl=-&adt=-&rarg=-&pvi=1553322580&si=s4014721349&ui=0&ty=1&rt=forum&md=index&pn=1&qq=000&r2=25857885&scr=1024x768&scl=32-bit&lg=en-us&jv=1&pf=Win32&tz=-2&fl=11.0&ct=lan&ext=bc=0;adid=&r3=5250 | 112.90.141.233 |
| hxxp://gli.la/data/attachment/block/da/da3515dbee9263eefca9e73a244dd081.jpg | |
| hxxp://c.cnzz.com/core.php?web_id=5490795&show=pic&t=z | |
| hxxp://z3.cnzz.com/stat.htm?id=5490795&r=&lg=en-us&ntime=none&repeatip=0&rtime=0&cnzz_eid=503982556-1383181182-http://lm.gli.la&showp=1024x768&st=0&sin=&t=????,????,???????,?????,??????,??????,??????,?????&rnd=221211073 | |
| hxxp://icon.cnzz.com/img/pic.gif | 42.121.103.217 |
| hxxp://pcookie.split.cnzz.com/9.gif?abc=1&rnd=360902695 | |
| hxxp://gli.la/template/ailexun_free/alx_img/qmenu.png | |
| hxxp://gli.la/template/ailexun_free/alx_img/nav_active_bg.png | |
| hxxp://pcookie.split.cnzz.com/app.gif?&cna=fqT4CpjcEw8CAbhrJiaULGDN | |
| hxxp://gli.la/template/ailexun_free/alx_img/home.png | |
| hxxp://js.touclick.com/Configure/image/classical/4-14/white/ie6/1.gif?tem=1 | |
| hxxp://gli.la/static/image/common/pt_item.png | |
| hxxp://js.touclick.com/Configure/image/classical/4-14/white/loading.gif | |
| hxxp://js.touclick.com/Configure/image/classical/4-14/white/ie6/2.gif | |
| hxxp://gli.la/static/image/common/chart.png | |
| hxxp://gli.la/static/js/common_extra.js?a88 | |
| hxxp://gli.la/static/image/common/title.png | |
| hxxp://gli.la/static/image/common/dot.gif | |
| hxxp://gli.la/uc_server/avatar.php?uid=1141&size=small | |
| hxxp://gli.la/uc_server/avatar.php?uid=1&size=small | |
| hxxp://gli.la/uc_server/images/noavatar_small.gif | |
| hxxp://gli.la/uc_server/avatar.php?uid=1314&size=small | |
| hxxp://gli.la/uc_server/avatar.php?uid=1281&size=small | |
| hxxp://gli.la/uc_server/data/avatar/000/00/12/81_avatar_small.jpg | |
| hxxp://gli.la/uc_server/avatar.php?uid=1277&size=small | |
| hxxp://gli.la/uc_server/avatar.php?uid=1275&size=small | |
| hxxp://gli.la/uc_server/avatar.php?uid=1273&size=small | |
| hxxp://gli.la/uc_server/data/avatar/000/00/12/75_avatar_small.jpg | |
| hxxp://gli.la/uc_server/data/avatar/000/00/12/73_avatar_small.jpg | |
| hxxp://gli.la/data/attachment/common/a5/common_37_icon.jpg | |
| hxxp://gli.la/data/attachment/common/d6/common_40_icon.jpg | |
| hxxp://gli.la/data/attachment/common/a5/common_38_icon.jpg | |
| hxxp://gli.la/data/attachment/common/d6/common_39_icon.jpg | |
| hxxp://gli.la/data/attachment/common/34/common_41_icon.jpg | |
| hxxp://gli.la/static/image/common/online_supermod.gif | |
| hxxp://gli.la/static/image/common/online_admin.gif | |
| hxxp://gli.la/static/image/common/online_moderator.gif | |
| hxxp://gli.la/static/image/common/online_member.gif | |
| hxxp://gli.la/template/ailexun_free/alx_img/fl_bm_c.png | |
| hxxp://gli.la/template/ailexun_free/alx_img/fl_bm_c_l.png | |
| hxxp://gli.la/template/ailexun_free/alx_img/fl_bm_c_r.png | |
| hxxp://gli.la/template/ailexun_free/alx_img/fl_h2.png | |
| hxxp://gli.la/static/image/common/site_qq.jpg | |
| hxxp://gli.la/home.php?mod=misc&ac=sendmail&rand=1383181167 | |
| hxxp://gli.la/static/image/common/sortnum.png | |
| hxxp://gli.la/uc_server/avatar.php?uid=1135&size=small | |
| hxxp://gli.la/uc_server/avatar.php?uid=1272&size=small | |
| hxxp://discuzstatic.tcdn.qq.com/cloud/scripts/discuz_tips.js?v=1 | |
| hxxp://gli.la/static/image/common/collapsed_no.gif | |
| hxxp://gli.la/static/image/common/scrolltop.png | |
| hxxp://gli.la/uc_server/data/avatar/000/00/12/72_avatar_small.jpg | |
| hxxp://gli.la/data/attachment/common/c8/common_2_icon.jpg | |
| hxxp://gli.la/api/connect/like.php | |
| hxxp://show.v.t.qq.com/index.php?c=follow&a=quick&name=kamenglianmeng&style=3&f=1 | |
| hxxp://a1574.b.akamai.net/app/vt/js/follow/jquery.js | |
| hxxp://a1574.b.akamai.net/app/vt/css/follow/quickfollownewstyle3.css?v=1215 | |
| hxxp://a1574.b.akamai.net/app/vt/js/follow/follow_quick_03.js | |
| hxxp://a1574.b.akamai.net/app/vt/images/follow/quickfollowbgnew.gif?v=1215 | |
| zs25.cnzz.com | 42.156.140.16 |
| lm.gli.la | 103.27.126.83 |
| mat1.gtimg.com | 157.238.74.34 |
| tcss.qq.com | 119.188.94.53 |
| discuz.gtimg.cn | 60.210.9.53 |
| pcookie.cnzz.com | 42.121.149.45 |
| s25.cnzz.com | 1.99.192.16 |
| cnzz.mmstat.com | 42.121.149.44 |
| follow.v.t.qq.com | 58.250.135.154 |
HOSTS file anomalies
No activity has been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wuauclt.exe:344
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\common[1].js (42233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\dot[1].gif (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\core[1].php (796 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\fl_bm_c[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\collapsed_no[1].gif (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\qmenu[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\online_moderator[1].gif (375 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\1[1].gif (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\online_admin[1].gif (363 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\72_avatar_small[1].jpg (1648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\search[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\noavatar_small[1].gif (3148 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\fl_bm_c_r[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\toptb[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\discuz_tips[1].js (583 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\online_member[1].gif (365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\chart[1].png (990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\online_supermod[1].gif (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\switch_width[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\panel-toggle-drop[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\toss_11[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (14556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\forum[1].js (7219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\common_37_icon[1].jpg (894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\common_extra[1].js (20816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\common_39_icon[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\site_qq[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\style_2_widthauto[1].css (25 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (163 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\nav_bg[1].png (1253 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\fl_h2[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\common_41_icon[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@lm.gli[2].txt (4531 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\discuz_tips[2].js (893 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\pt_item[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\stat[1].php (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\MjU4NTc4ODU=[1].js (41 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\6dbdbe6d369556ee72b89e3c17a1aa06[1].jpg (14340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\home[1].png (420 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\js[1].touclick (1890 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\logo[1].png (1141 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@gli[1].txt (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\follow_quick_03[1].js (2 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz.mmstat[1].txt (204 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\common_40_icon[1].jpg (895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\loading[1].gif (1047 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\ping[1].js (584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\CAQZ6N2H.gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\fl_bm_c_l[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\81_avatar_small[1].jpg (823 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\noavatar_small[1].gif (1574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\title[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\2[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\nav_active_bg[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\style_2_forum_index[1].css (2809 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\da3515dbee9263eefca9e73a244dd081[1].jpg (5672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\dwzscqgx[1].txt (237 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@lm.gli[1].txt (5361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\index[1].php (932 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\logging[1].js (603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\scrolltop[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\ping[2].js (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\like[1].htm (738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\style_2_common[1].css (48799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\qq_login[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\pn[1].png (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\73_avatar_small[1].jpg (1606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\common_2_icon[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\jquery[1].js (1544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\newarow[1].gif (327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\quickfollowbgnew[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\quickfollownewstyle3[1].css (799 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\background[1].gif (3665 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\3ef5e00b939f583c9f41085f1649c7f8[1].jpg (10693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\jquery[2].js (4478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\follow_quick_03[2].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\forum[1].htm (8217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\fe6d33f440f3870e95112b10edf87420[1].jpg (19478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\W56ZCPMR\common_38_icon[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\sortnum[1].png (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\index[1].htm (1 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KL4ZF8AW\px[1].png (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\75_avatar_small[1].jpg (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\YDC94HED\pic[1].gif (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TUV91UVD\93e545ac7ac8a4c5002be47be870b8a9[1].jpg (6748 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.