Trojan.NSIS.StartPage_725c5b639c

by malwarelabrobot on January 19th, 2014 in Malware Descriptions.

Trojan.Win32.Badur.ghqe (Kaspersky), Artemis!725C5B639C3C (McAfee), WS.Reputation.1 (Symantec), NSIS:Adware-MT [PUP] (Avast), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, PUP, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 725c5b639c3cbe28f047a95e96437c9f
SHA1: 7387d8bc6a8a1f87c6b7ea966500c1772b3c18f9
SHA256: 052d83c697742a14a0babebcada7f690cf82ca36e8857a06aff611e1251f75c8
SSDeep: 3072:6gXdZt9P6D3XJJkGg6359hOn5KLwhOZFd:6e34EG1hYULwhkFd
Size: 101455 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan: a program that appears to do one thing but actually does another (a.k.a. Trojan horse). In this sample the recorded behaviour is that of an NSIS installer bundle: the original file writes further installers into %Temp% (365weatherIns_61.exe, pihhrpg_30310.exe, akradl_70254.exe, setup_3128.exe), installs the pcWeather365 desktop weather application with an HKCU Run-key autostart, drops Baidu download-manager components, and sets the Internet Explorer start page to hxxp://www.p100.pw for both the machine (HKLM) and the current user (HKCU), which is the behaviour the StartPage family name refers to.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

weatherRealTimeService.exe:1124
365weatherIns_61.exe:1828
pihhrpg_30310.exe:1292
Reader_sl.exe:1064
wuauclt.exe:344
akradl_70254.exe:1244
jusched.exe:1056

The Trojan injects its code into the following process(es):

%original file name%.exe:440

File activity

The process 365weatherIns_61.exe:1828 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\newfeather2.jpg (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\ToggleImages.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscA.tmp (79841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\loading1.bmp (456 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\loading2.bmp (456 bytes)
%Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
%Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
%Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
%Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Program Files%\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SL2LODE9\aztongji_61[1].htm (2 bytes)
%Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
%Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\bg.bmp (18424 bytes)
%Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报.lnk (836 bytes)  (桌面天气预报 = "Desktop Weather Forecast")
%Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\checkbox1.bmp (5 bytes)
%Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\btn_next.bmp (3616 bytes)
%Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报卸载.lnk (804 bytes)  (桌面天气预报卸载 = "Uninstall Desktop Weather Forecast")
%Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
%Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
%Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
%Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
%Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
%Program Files%\pcWeather365\msweather.dll (5520 bytes)
%Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
%Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\newfeather3.jpg (784 bytes)
%Program Files%\pcWeather365\skins\common\close.png (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\cnzzonline.html (2 bytes)
%Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
%Program Files%\pcWeather365\weather.db (6584 bytes)
%Program Files%\pcWeather365\uninst.exe (2691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\System.dll (11 bytes)
%Program Files%\pcWeather365\skins\common\err.png (784 bytes)
%Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\btn_close.bmp (2 bytes)
%Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\checkbox2.bmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\nsWindows.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\btn_complete.bmp (3616 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
%Program Files%\pcWeather365\areacode.db (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\newfeather1.jpg (784 bytes)
%Program Files%\pcWeather365\skins\common\min.png (440 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh9.tmp (0 bytes)

The process pihhrpg_30310.exe:1292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\res\onlineWnd.zip (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMDownload.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\tmptjufdg.dll (76078 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMReport.dll.bdl (35316 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (151988 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDLogicUtils.dll (30968 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMNet.dll.bdl (2164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMSkin.dll (38495 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (8 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk6.tmp (0 bytes)

The process wuauclt.exe:344 (the Windows Update Automatic Updates client, a Windows component rather than a dropped file) makes changes in the file system.
The files below are the Windows Update datastore's own database and log, not malware artefacts:

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Trojan deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process akradl_70254.exe:1244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\BDLogicUtils.dll (31856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\tmpbhjmp5.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\hu.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\dl.dll (65945 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\BDMNetGetInfo.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\BDMDownload.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\BDMSkin.dll (36698 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (125790 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\res\onlineWnd.zip (15536 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp (0 bytes)

The process jusched.exe:1056 (the Java Update Scheduler, a legitimate component present on the analysis machine) makes changes in the file system.
The only file it writes is its own log:

%Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)

The process %original file name%.exe:440 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (122132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AA8Y2JK7\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe (192612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\xID.dll (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\akradl_70254.exe (199370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (115053 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BY9E8YT0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\open.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WAAWGESV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SL2LODE9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\Md5dll.dll (8 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm1.tmp (0 bytes)
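The %Temp% pattern running through the listings above, a short-lived ns<xx>.tmp folder holding System.dll, nsDialogs.dll, inetc.dll, NSISdl.dll, md5dll.dll and similar DLLs that is deleted when the installer exits, next to nested .exe installers written straight into %Temp%, is how NSIS (Nullsoft Scriptable Install System) stages its plugins, and it is what the NSIS prefix in the detection names refers to. The Python helper below is an added example for this page, not part of the Lavasoft report or of any vendor tooling: it parses lines in the report's own "<path> (<n> bytes)" form and buckets them into NSIS plugin DLLs, other files staged in the plugin folder, nested installers, the installed payload, and browser-cache side effects. The plugin-name list and the ns<xx>.tmp naming pattern are assumptions drawn from stock NSIS behaviour; the sample input is a constructed subset of the lines above.

```python
"""Triage helper for the 'file activity' listing in this report.

Added example, not part of the Lavasoft report or of any vendor tooling. Input
lines have the form '<path> (<n> bytes)' exactly as printed in the report. The
NSIS plugin name list and the ns<xx>.tmp directory pattern are assumptions based
on how stock NSIS installers stage their plugins in %Temp%.
"""
import re
from collections import defaultdict

# Stock NSIS plugin DLLs as they appear in the listing (lower-cased for comparison).
NSIS_PLUGINS = {
    "system.dll", "nsdialogs.dll", "inetc.dll", "nsisdl.dll", "md5dll.dll",
    "nswindows.dll", "skinbtn.dll", "xid.dll",
}

LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<size>\d+) bytes\)$")
# NSIS extracts plugins to %Temp%\ns<1-3 chars>.tmp\ and uses the same prefix
# for its temporary data files written directly into %Temp%.
NSIS_TMP_RE = re.compile(
    r"\\Local Settings\\Temp\\(ns[0-9A-Za-z]{1,3}\.tmp)(\\|$)", re.I)
# An .exe written straight into %Temp% by the parent is a nested installer.
TEMP_EXE_RE = re.compile(r"\\Local Settings\\Temp\\[^\\]+\.exe$", re.I)


def parse_line(line):
    """Split '<path> (<n> bytes)' into (path, size); None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("path"), int(m.group("size"))) if m else None


def classify(path):
    """Bucket a dropped-file path by what it tells us about the installer."""
    name = path.rsplit("\\", 1)[-1].lower()
    if NSIS_TMP_RE.search(path):
        return "nsis-plugin" if name in NSIS_PLUGINS else "nsis-temp"
    if TEMP_EXE_RE.search(path):
        return "nested-installer"
    if "\\Temporary Internet Files\\" in path:
        return "ie-cache"          # WinINet side effects of inetc/NSISdl downloads
    if path.startswith("%Program Files%\\") or "\\All Users\\Application Data\\" in path:
        return "installed-payload"
    return "other"


def triage(text):
    """Return ({category: [(path, size), ...]}, {nsis plugin dirs seen})."""
    buckets, tmpdirs = defaultdict(list), set()
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        path, size = parsed
        buckets[classify(path)].append((path, size))
        m = NSIS_TMP_RE.search(path)
        if m and m.group(2):       # trailing backslash: it is a directory, not a file
            tmpdirs.add(m.group(1).lower())
    return dict(buckets), tmpdirs


# Constructed sample: a subset of the lines from the listing above.
SAMPLE = r"""
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\bg.bmp (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nscA.tmp (79841 bytes)
%Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
%Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (122132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe (192612 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\open.ini (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
"""

if __name__ == "__main__":
    buckets, tmpdirs = triage(SAMPLE)
    print("NSIS plugin dirs:", sorted(tmpdirs))
    for cat, items in sorted(buckets.items()):
        print(f"{cat}: {len(items)}")
        if cat in ("nested-installer", "nsis-plugin"):
            for p, _ in items:
                print("   ", p.rsplit("\\", 1)[-1])
```

Two ns<xx>.tmp directories in one run (nsm2.tmp for the outer dropper, nsxB.tmp for 365weatherIns_61.exe) is itself a tell that one NSIS installer is executing another, which is why the nested-installer bucket is worth reporting separately from the final payload.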

Registry activity

The process weatherRealTimeService.exe:1124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF A4 A0 3A F7 18 3A 69 27 E1 26 9E 91 BD 92 54"

[HKCR\AppID\weatherService.EXE]
"AppID" = "{636DA746-D508-400B-86A0-AE7F3C4008F7}"

[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService" = "weatherRealTimeService"
"(Default)" = "weatherService"

The Trojan deletes the following value(s) in system registry:

[HKCR\AppID\{636DA746-D508-400B-86A0-AE7F3C4008F7}]
"LocalService"

The process 365weatherIns_61.exe:1828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"UninstallString" = "%Program Files%\pcWeather365\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayIcon" = "%Program Files%\pcWeather365\pcWeather365.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"appdata" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"URLInfoAbout" = "http://114tq.com/"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"quick" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"Publisher" = "365气象工作室"

(The publisher name 365气象工作室 translates as "365 Weather Studio".)

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"(Default)" = "%Program Files%\pcWeather365\pcWeather365.exe"
"desk" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%]
"pcWeather365/weatherRealTimeService.exe" = "weatherRealTimeService"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayName" = "pcWeather365 1.0.0.1004"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Index" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Mac" = "00-0C-29-64-A0-20"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 0A 84 4D CC 85 92 13 DF 46 4D A6 5B A3 AA 5F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"DisplayVersion" = "1.0.0.1004"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"collection" = "%Documents and Settings%\%current user%\Favorites"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"jieguo" = "mac=00-0C-29-64-A0-20&soft_id=33&tuiguang_id=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\365weatherIns_61.exe&yanzheng=fb815cd10206670e32ad5cf9d247badc"

The value names are pinyin: jieguo (结果, "result"), tuiguang_id (推广, "promotion", i.e. the affiliate or campaign ID, here filled with the installer's own path) and yanzheng (验证, "verification"). Together with the "Mac" value above this is an install-tracking record of the kind used for pay-per-install accounting; the 32-hex-digit yanzheng value has the length of an MD5 digest, consistent with the md5dll NSIS plugin the installer drops, though what it hashes is not visible in this log. Note also that the App Paths key, whose documented purpose is only the (Default) and Path values, is being used as a scratch store for folder paths ("desk", "menu", "quick", "collection", "appdata") and for this tracking data.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"

The Trojan writes the three Local intranet zone settings of Internet Explorer. UNC network paths are treated as Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Sites that bypass the proxy server are treated as Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

Local (single-label, dotless) host names not assigned to another zone are treated as Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

All three ZoneMap values at "1" are the Internet Explorer defaults for the Local intranet zone and are persisted by WinINet itself when a process first touches zone configuration, so they appear in sandbox logs of benign installers as well; on their own they are weak indicators. The proxy change is more telling: together with the AutoConfigURL, ProxyServer and ProxyOverride values deleted below, it removes any proxy or PAC configuration the user had.

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process pihhrpg_30310.exe:1292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 14 51 ED EE A5 39 11 15 5F B3 3B 27 7F 17 43"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\metnsd\clsid]
"SequenceID" = "8B E3 24 B9 25 3F B6 47 9C 4E 6E 1F 91 DC 89 51"

Adds a Windows Firewall authorized-application entry (Standard Profile) that permits unsolicited inbound connections to the executable from any address (scope "*"):

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"pihhrpg_30310.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe:*:Enabled:百度杀毒在线安装程序"

The display name 百度杀毒在线安装程序 translates as "Baidu Antivirus online installer", which identifies pihhrpg_30310.exe as a bundled Baidu Antivirus web-installer stub. The same entry is added for the Domain Profile:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"pihhrpg_30310.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe:*:Enabled:百度杀毒在线安装程序"

The process Reader_sl.exe:1064 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process akradl_70254.exe:1244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 88 90 E1 04 67 FC 23 13 0B 0A C5 44 09 DB FA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆]
"DisplayVersion" = "1.0.0.2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绿豆]
"DisplayName" = "绿豆 1.0.0.2"
"Publisher" = "haha264"

(绿豆 translates as "Green Bean". This uninstall entry is registered by the original file's own process (PID 440) and is distinct from the pcWeather365 entry registered by 365weatherIns_61.exe above.)

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 24 2E 5A 6E 26 DE F9 10 61 2E C8 6C B8 89 EA"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
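Across the registry listings above, the entries that matter are few and easy to lose among the Shell Folders, MountPoints2, RNG Seed and IE cache-path values that almost any process on Windows XP writes: the HKCU Run-key autostart for pcWeather365.exe, the HKLM and HKCU Internet Explorer Start Page set to hxxp://www.p100.pw, the ZoneMap and proxy changes, the firewall authorized-application entries for pihhrpg_30310.exe, the two Uninstall entries, the COM AppID registration by weatherRealTimeService.exe, and the install-tracking data parked under an App Paths key. The Python helper below is an added example for this page, not part of the Lavasoft report or of any vendor tooling: it parses the report's own "[KEY]" / "name" = "value" layout and tags each value with one of those categories, or with "noise". The rule table is the author's assumption about where the signal is in logs of this kind; the sample input is constructed from entries above.

```python
"""Triage helper for the 'registry activity' listings in this report.

Added example for this page, not part of the Lavasoft report or of any vendor
tooling. It parses the report's own '[KEY]' / '"name" = "value"' layout and tags
each value with a category; the RULES table is the author's assumption about
which keys carry signal in sandbox logs of this kind.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<value>.*)"$')

# (category, key pattern, value-name pattern or None); the first match wins.
RULES = [
    ("persistence",    r"\\CurrentVersion\\Run(Once)?$", None),
    ("browser-hijack", r"\\Internet Explorer\\Main$",
                       r"^(Start Page|Search Page|Default_Page_URL)$"),
    ("ie-zone-weaken", r"\\Internet Settings\\ZoneMap$",
                       r"^(UNCAsIntranet|ProxyBypass|IntranetName)$"),
    ("proxy-tamper",   r"\\Internet Settings$",
                       r"^(ProxyEnable|ProxyServer|ProxyOverride|AutoConfigURL|MigrateProxy)$"),
    ("firewall-allow", r"\\FirewallPolicy\\.*\\AuthorizedApplications\\List", None),
    ("install-record", r"\\CurrentVersion\\Uninstall\\", None),
    ("com-appid",      r"^HKCR\\AppID\\", None),
    # App Paths documents only (Default) and Path; anything else is data parked there.
    ("apppaths-data",  r"\\CurrentVersion\\App Paths\\", r"^(?!\(Default\)$|Path$)"),
    ("noise",          r"\\Cryptography\\RNG$|\\Explorer\\Shell Folders$"
                       r"|\\Explorer\\MountPoints2\\|\\Internet Settings\\Cache\\Paths"
                       r"|\\MUICache", None),
]
COMPILED = [(cat, re.compile(k, re.I), re.compile(n, re.I) if n else None)
            for cat, k, n in RULES]


def classify(key, name):
    """Category for one registry value; 'other' when no rule applies."""
    for cat, key_re, name_re in COMPILED:
        if key_re.search(key) and (name_re is None or name_re.search(name)):
            return cat
    return "other"


def triage_registry(text):
    """Parse the listing into records. A [KEY] stays current across blank lines,
    because the report sometimes separates values of one key that way."""
    records, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = VAL_RE.match(line)
        if vm and key:
            name, value = vm.group("name"), vm.group("value")
            records.append({"category": classify(key, name), "key": key,
                            "name": name, "value": value})
    return records


def findings(text):
    """Records worth a human's attention: everything that is not noise/other."""
    return [r for r in triage_registry(text)
            if r["category"] not in ("noise", "other")]


# Constructed sample: entries copied from the listings above.
SAMPLE = r'''
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF A4 A0 3A F7 18 3A 69 27 E1 26 9E 91 BD 92 54"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcWeather365]
"UninstallString" = "%Program Files%\pcWeather365\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\pcWeather365.exe]
"Mac" = "00-0C-29-64-A0-20"
"(Default)" = "%Program Files%\pcWeather365\pcWeather365.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"IntranetName" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\Local Settings\Temp]
"pihhrpg_30310.exe" = "%Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe:*:Enabled:百度杀毒在线安装程序"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "http://www.p100.pw"
'''

if __name__ == "__main__":
    for r in findings(SAMPLE):
        print(f'{r["category"]:15} {r["key"]}\n{"":15} "{r["name"]}" = "{r["value"]}"')
```

The rule order matters: the proxy-tamper pattern is anchored to a key ending in "Internet Settings" so that it does not swallow the ZoneMap and Cache\Paths subkeys, and the App Paths rule uses a negative lookahead so that the documented (Default) value is not flagged while "Mac", "jieguo" and the folder-path values are.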

Network activity (URLs)

URL                          IP
hxxp://pxsw.n.shifen.com/
p.x.baidu.com                123.125.65.152

(shifen.com is Baidu's infrastructure domain and p.x.baidu.com resolves through it, so both entries point at Baidu hosts contacted by the bundled Baidu components. The log records no other destination, so no traffic to p100.pw or 114tq.com was seen during this analysis run.)


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    weatherRealTimeService.exe:1124
    365weatherIns_61.exe:1828
    pihhrpg_30310.exe:1292
    akradl_70254.exe:1244

    wuauclt.exe:344 also appears in the process list above, but it is the Windows Update Automatic Updates client (%WinDir%\System32\wuauclt.exe); Reader_sl.exe (Adobe Reader Speed Launcher) and jusched.exe (Java Update Scheduler) are likewise legitimate programs that happened to run during the analysis. Do not terminate or delete them.

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\newfeather2.jpg (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\ToggleImages.html (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nscA.tmp (79841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\loading1.bmp (456 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\loading2.bmp (456 bytes)
    %Program Files%\pcWeather365\updateInfo\loading.gif (8 bytes)
    %Program Files%\pcWeather365\sqliteApi.dll (784 bytes)
    %Program Files%\pcWeather365\tianqiUpdate.1004.exe (9320 bytes)
    %Program Files%\pcWeather365\skins\common\large\n99.png (784 bytes)
    %Program Files%\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
    %Program Files%\pcWeather365\config.ini (325 bytes)
    %Program Files%\pcWeather365\sqlite3.dll (20416 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SL2LODE9\aztongji_61[1].htm (2 bytes)
    %Program Files%\pcWeather365\skins\default\btn_close.jpg (3 bytes)
    %Program Files%\pcWeather365\skins\default\bg_large.png (1856 bytes)
    %Documents and Settings%\All Users\Application Data\pcWeather365\config.ini (325 bytes)
    %Program Files%\pcWeather365\weatherPng2Ico.exe (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\bg.bmp (18424 bytes)
    %Program Files%\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
    %Program Files%\pcWeather365\skins\default\btn_min.jpg (3 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报.lnk (836 bytes)  (桌面天气预报 = "Desktop Weather Forecast")
    %Program Files%\pcWeather365\skins\common\kz.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\checkbox1.bmp (5 bytes)
    %Program Files%\pcWeather365\weatherRealTimeService.exe (4992 bytes)
    %Program Files%\pcWeather365\skins\default\btn_max.jpg (3 bytes)
    %Documents and Settings%\All Users\Application Data\pcWeather365\updateInfo\AlreadyUpdate.db (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\btn_next.bmp (3616 bytes)
    %Program Files%\pcWeather365\skins\default\btn_move.jpg (1 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\pcWeather365\桌面天气预报卸载.lnk (804 bytes)  (桌面天气预报卸载 = "Uninstall Desktop Weather Forecast")
    %Program Files%\pcWeather365\pm25Function.exe (6584 bytes)
    %Program Files%\pcWeather365\pmAqiFunction.exe (4992 bytes)
    %Program Files%\pcWeather365\skins\default\btn_setting.jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\md5dll.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\SkinBtn.dll (4 bytes)
    %Documents and Settings%\All Users\Application Data\pcWeather365\weatherInfo\weatherInfo.db (428 bytes)
    %Program Files%\pcWeather365\skins\common\topbar.png (3 bytes)
    %Program Files%\pcWeather365\skins\default\skin.xml (6 bytes)
    %Program Files%\pcWeather365\msweather.dll (5520 bytes)
    %Program Files%\pcWeather365\skins\common\future\n99.png (6 bytes)
    %Program Files%\pcWeather365\updateInfo\update.html (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\newfeather3.jpg (784 bytes)
    %Program Files%\pcWeather365\skins\common\close.png (873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\cnzzonline.html (2 bytes)
    %Program Files%\pcWeather365\updateInfo\un_update.html (1 bytes)
    %Program Files%\pcWeather365\weather.db (6584 bytes)
    %Program Files%\pcWeather365\uninst.exe (2691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\System.dll (11 bytes)
    %Program Files%\pcWeather365\skins\common\err.png (784 bytes)
    %Program Files%\pcWeather365\updateInfo\i.gif (170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\btn_close.bmp (2 bytes)
    %Program Files%\pcWeather365\skins\default\bg_small.png (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\checkbox2.bmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\nsWindows.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\btn_complete.bmp (3616 bytes)
    %Program Files%\pcWeather365\pcWeather365.exe (25776 bytes)
    %Program Files%\pcWeather365\skins\common\loading.png (3 bytes)
    %Program Files%\pcWeather365\areacode.db (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsxB.tmp\newfeather1.jpg (784 bytes)
    %Program Files%\pcWeather365\skins\common\min.png (440 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\res\onlineWnd.zip (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMDownload.dll (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\tmptjufdg.dll (76078 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMNetGetInfo.dll (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\dl.dll (65930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\hu.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMReport.dll.bdl (35316 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (382 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (151988 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDLogicUtils.dll (30968 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMNet.dll.bdl (2164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv8.tmp\BDMSkin.dll (38495 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (8 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (3576 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\BDLogicUtils.dll (31856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\tmpbhjmp5.dll (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\hu.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\dl.dll (65945 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\BDMNetGetInfo.dll (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\BDMDownload.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\BDMSkin.dll (36698 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc4.tmp (125790 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp\res\onlineWnd.zip (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jusched.log (347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\365weatherIns_61.exe (122132 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AA8Y2JK7\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\Inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pihhrpg_30310.exe (192612 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\xID.dll (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\akradl_70254.exe (199370 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\setup_3128.exe (115053 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\BY9E8YT0\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\open.ini (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WAAWGESV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\SL2LODE9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\Md5dll.dll (8 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "pcWeather365" = "%Program Files%\pcWeather365\pcWeather365.exe /autorun"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.