Trojan.Win32.Delphi_db58f75c49

by malwarelabrobot on January 18th, 2014 in Malware Descriptions.

HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Virus.Win32.Heur!IK (Emsisoft), Trojan.Win32.Delphi.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Virus, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: db58f75c494eaa9ea5268da20ae60471
SHA1: 24eaba7c54a1490a0aa79fade941283e13c4243c
SHA256: ef7c4fdaa339b9b5e279375a20159a4a24e57b18c6f54bdf3d968237d5251286
SSDeep: 12288:OdPKAosCd2zw8zXYAniOnjipB/Z KoxBsy6MBDRkVIYzQtp:OUbMw8zXDiy JoxOMB9kVIIyp
Size: 585728 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-05 06:32:26
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

In this run the sample behaves as a bundled installer rather than as a stand-alone downloader. The original process drops and runs setup_3019-47336.exe, which installs a Chinese music-player application named 音乐FM ("Music FM"; product directory Yyfm) under %Program Files%\Yyfm\2014117, creates Start Menu and desktop shortcuts, registers an uninstaller under the Uninstall key and HKLM\SOFTWARE\YyfmPlay, and starts YyfmPlay.exe and YYNews.exe. The bundled DuiLib.dll, avcodec-54.dll, avformat-54.dll, avutil-52.dll, swresample-0.dll and pthreadGC2.dll are the DuiLib UI library, FFmpeg codec libraries and the pthreads-win32 runtime. YyfmPlay.exe then fetches at least two resources over HTTP (the IE cache entries ver[1].txt and tj[1].ashx), and YYNews.exe writes its own configuration under %Documents and Settings%\%current user%\Local Settings\Application Data\YYueDMS. The 109-byte %Program Files%\xfjc.exe written by the original process is not explained by anything else in this report.

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

setup_3019-47336.exe:996
YyfmPlay.exe:1956

The Trojan injects its code into the following process(es):

%original file name%.exe:1232
YYNews.exe:1480

File activity

The byte counts throughout this section are the sizes the sandbox recorded for write operations, not verified final file sizes; many of the skin images below are listed at 1 or 2 bytes, which is not a plausible size for a complete PNG or JPEG, so treat the numbers as approximate. Chinese file names are rendered as the actual characters (the installer writes them in the GBK code page).

The process %original file name%.exe:1232 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\setup_3019-47336.exe (23407 bytes)
%Program Files%\xfjc.exe (109 bytes)

The process YYNews.exe:1480 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\YYueDMS\OLDSet.Xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\YYueDMS\DMSet.Xml (2 bytes)

The process setup_3019-47336.exe:996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Yyfm\2014117\Skin\tab_comm.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\bg_2.png (1 bytes)
%Program Files%\Yyfm\2014117\Unins.exe (9608 bytes)
%Program Files%\Yyfm\2014117\Skin\random01a.jpg (2 bytes)
%Program Files%\Yyfm\2014117\Skin\音量调节点.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\btn-fav.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\btn-delete.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\system_menu_btnsteup.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\color_002highlight.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\LyricFrameVoice.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\close.png (1 bytes)
%Program Files%\Yyfm\2014117\pthreadGC2.dll (3616 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmLrcChild.xml (263 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_mutevol.png (3 bytes)
%Program Files%\Yyfm\2014117\SysConfig.ini (280 bytes)
%Program Files%\Yyfm\2014117\Skin\minea.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\playingrandom.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_005highlight.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\frmlogin.xml (3 bytes)
%Program Files%\Yyfm\2014117\Skin\voice0520.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmMenuFrame.xml (1 bytes)
%Program Files%\Yyfm\2014117\Skin\channel.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\color_bg.bmp (784 bytes)
%Program Files%\Yyfm\2014117\Skin\slider_bg.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_list_bk.png (1552 bytes)
%Program Files%\Yyfm\2014117\Skin\playerbg02.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionbiga.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_db.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\font_bkcolor.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\bkcolor_1.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensioncloseahover.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_back.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_014.bmp (1 bytes)
%Program Files%\Yyfm\2014117\Skin\lista.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmSystemMenuFrame.xml (1 bytes)
%Program Files%\Yyfm\2014117\Skin\progresstooltip.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\playingplaying.jpg (2 bytes)
%Program Files%\Yyfm\2014117\Skin\play2.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\sys_check_btn_whiter.png (318 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_set.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\forgettt.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\sys_check_btn_red.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\random0520.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\lyriclikea2.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\color_015.bmp (1 bytes)
%Program Files%\Yyfm\2014117\Skin\musiclibrary.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\random03hover.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\bkcolor_4.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\playingprev.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_004.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionfeedback.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_split.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\LrcBk.png (7 bytes)
%Program Files%\Yyfm\2014117\Skin\prev0520.png (1 bytes)
%Program Files%\Yyfm\2014117\lyrics\baidu_262581.lrc (993 bytes)
%Program Files%\Yyfm\2014117\Skin\input-user.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\forecolor_5.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_fh.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\like.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\reflash.png (1 bytes)
%Program Files%\Yyfm\2014117\channels.xml (784 bytes)
%Program Files%\Yyfm\2014117\Skin\random01.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionset.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\frmdownmenu.xml (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_008highlight.bmp (552 bytes)
%Program Files%\Yyfm\2014117\Skin\btn-play.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_prev.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\mini.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\random03.jpg (1 bytes)
%Program Files%\Yyfm\2014117\source.dll (6584 bytes)
%Program Files%\Yyfm\2014117\Skin\color_007.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\frmProgressToolTip.xml (393 bytes)
%Program Files%\Yyfm\2014117\Skin\loading04.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\list_item_bg.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_001highlight.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\playingrandoma.jpg (2 bytes)
%Program Files%\Yyfm\2014117\Skin\frmplayer.xml (10 bytes)
%Program Files%\Yyfm\2014117\Skin\exit.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_btn_down.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionsetahover.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\125x125.jpg (784 bytes)
%Program Files%\Yyfm\2014117\Skin\headimg.png (784 bytes)
%Program Files%\Yyfm\2014117\Skin\color_009.bmp (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionfeedbackahover.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\frmplaylist.xml (5 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_ok_red.png (2 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\音乐FM\官方主页.lnk (334 bytes)
%Program Files%\Yyfm\2014117\Skin\DownLoadProgressForeImage.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\btn-login2.png (6 bytes)
%Program Files%\Yyfm\2014117\Skin\voiceall0528.png (1 bytes)
%Program Files%\Yyfm\2014117\audio.dll (3616 bytes)
%Program Files%\Yyfm\2014117\Skin\prev.png (2 bytes)
%Program Files%\Yyfm\2014117\icon\gouwu.ico (9 bytes)
%Program Files%\Yyfm\2014117\Skin\playingpreva.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\sound.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\forecolor_2.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_ok.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\color_006highlight.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\menu.png (1 bytes)
%Program Files%\Yyfm\2014117\favorfm.xml (66 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_pause.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\system_menu_btnexit.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_kw.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\pop_bkimage.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensiontopa.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionbigahover.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmConfig.xml (4 bytes)
%Program Files%\Yyfm\2014117\Skin\voice00528.png (1 bytes)
%Program Files%\Yyfm\2014117\swresample-0.dll (3312 bytes)
%Program Files%\Yyfm\2014117\Skin\MessageBox.xml (1 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmSetWindowLrcFrame.xml (3 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmPopWnd.xml (354 bytes)
%Program Files%\Yyfm\2014117\Skin\play0520.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\BtnRightTop.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\random02a.jpg (2 bytes)
%Program Files%\Yyfm\2014117\Skin\forecolor_3.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\color_012.bmp (1 bytes)
%Program Files%\Yyfm\2014117\Skin\history.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\downd.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\button.png (3 bytes)
%Program Files%\Yyfm\2014117\YyfmPlay.exe (32784 bytes)
%Program Files%\Yyfm\2014117\DuiLib.dll (16288 bytes)
%Program Files%\Yyfm\2014117\Skin\WindowLrcbkIamge.png (732 bytes)
%Program Files%\Yyfm\2014117\Skin\bkcolor_3.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_close.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\PlayProgressForeImage.png (142 bytes)
%Program Files%\Yyfm\2014117\Skin\list_scroll_bar.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\sys_check_btn_blue.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\back.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionclosea.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\update.xml (2 bytes)
%Program Files%\Yyfm\2014117\Data\setup.ini (125 bytes)
%Program Files%\Yyfm\2014117\Skin\frmWindowLrcParent.xml (157 bytes)
%Program Files%\Yyfm\2014117\Skin\320x225.png (784 bytes)
%Program Files%\Yyfm\2014117\Skin\collection.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmHotKeyTip.xml (482 bytes)
%Program Files%\Yyfm\2014117\Skin\lyricdelete.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\power.png (5 bytes)
%Program Files%\Yyfm\2014117\Data\client.ini (38 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_forward.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\home.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\color_010.bmp (1 bytes)
%Program Files%\Yyfm\2014117\Skin\normalVolume.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionmin.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_bg.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmColor.xml (1 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_9k.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\color_013.bmp (1 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_vol.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionmina.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmFeedBack.xml (411 bytes)
%Program Files%\Yyfm\2014117\Skin\sys_check_btn.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\SetTipFrame.xml (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_001.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\random01hover.jpg (2 bytes)
%Program Files%\Yyfm\2014117\Skin\color_005.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\lyricdeletea.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\list_play.png (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\音乐FM\配置工具\卸载音乐FM.lnk (771 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionlogin.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\downdahover.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmLrc.xml (7 bytes)
%Program Files%\Yyfm\2014117\icon\ie.ico (784 bytes)
%Program Files%\Yyfm\2014117\Skin\voice0a0528.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\steup.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_close.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_icon.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\random02hover.jpg (2 bytes)
%Program Files%\Yyfm\2014117\Skin\list_pause.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionfeedbacka.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_comm.png (1 bytes)
%Program Files%\Yyfm\2014117\PlayerUpdate.exe (5064 bytes)
%Program Files%\Yyfm\2014117\Skin\random03a.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_002.bmp (564 bytes)
%Documents and Settings%\All Users\Desktop\音乐FM.lnk (764 bytes)
%Program Files%\Yyfm\2014117\Skin\bkcolor_5.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\color_004highlight.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_desktop.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\bg2.png (1 bytes)
%Program Files%\Yyfm\2014117\avcore.dll (2392 bytes)
%Program Files%\Yyfm\2014117\Skin\fbcaptionbk.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\remembertt.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_003.bmp (560 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionclose.png (1 bytes)
%Program Files%\Yyfm\2014117\picture\baidu_c2cec3fdfc03924517c1df928694a4c27d1e2532.jpg (784 bytes)
%Program Files%\Yyfm\2014117\Skin\max.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\list_scroll_bar2.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\frmWebBrowser.xml (308 bytes)
%Program Files%\Yyfm\2014117\Skin\font_forecolor.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\system_menu_btnmini.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\system_menu_btnfeedback.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\mainframeshadow.png (4992 bytes)
%Program Files%\Yyfm\2014117\Skin\btn-anonymity.png (8 bytes)
%Program Files%\Yyfm\2014117\Data\server.ini (1 bytes)
%Program Files%\Yyfm\2014117\Skin\forecolor_1.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\lrclist.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\progresstooltipbk.png (1552 bytes)
%Program Files%\Yyfm\2014117\Skin\btn-next.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_small.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\list.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\hotkeytipbk.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\playersidebg.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\playerbg01.png (1 bytes)
%Program Files%\Yyfm\2014117\picture\baidu_c8ea15ce36d3d539f9c9305e3b87e950342ab0b2.jpg (784 bytes)
%Program Files%\Yyfm\2014117\Data\dh.ini (56 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_res.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_feedback.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\progress_fore.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\prevention.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\voice1000528.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\loading01.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\forecolor_7.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\system_menu_btntop.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_bd.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\scrollbar.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\search.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\system_menu_btnexit - 副本.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\border.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensiontop.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\lyricdeletea2.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\BtnHidePlayList.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\dash.png (955 bytes)
%Program Files%\Yyfm\2014117\Skin\min.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\list_item.xml (1 bytes)
%Program Files%\Yyfm\2014117\Skin\system_menu_btnmin.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\bkcolor_2.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\DefaultUserImage.jpg (6 bytes)
%Program Files%\Yyfm\2014117\Skin\astop.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_itself.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\more.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\next0520.png (1 bytes)
%Program Files%\Yyfm\2014117\Data\version.ini (32 bytes)
%Program Files%\Yyfm\2014117\avutil-52.dll (5520 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_next.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_big.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\btn-pause.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\downda.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\playingnext.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\color_006.bmp (560 bytes)
%Program Files%\Yyfm\2014117\Skin\icon.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\mini窗.png (1 bytes)
%Program Files%\Yyfm\2014117\icon\ccjs.ico (13 bytes)
%Program Files%\Yyfm\2014117\Skin\listahover.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\playinginga.jpg (5 bytes)
%Program Files%\Yyfm\2014117\Skin\next.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\FrmDropDownMenuFrame.xml (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionminahover.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_003highlight.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\forecolor_6.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\playerlist.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_color.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_play.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\LoginBk.png (3312 bytes)
%Program Files%\Yyfm\2014117\Skin\playingvoice.png (3 bytes)
%Program Files%\Yyfm\2014117\lyrics\baidu_13881991.lrc (1 bytes)
%Program Files%\Yyfm\2014117\Skin\mine.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\playinging.jpg (2 bytes)
%Program Files%\Yyfm\2014117\Skin\音量条.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_sc.png (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\音乐FM\音乐FM.lnk (776 bytes)
%Program Files%\Yyfm\2014117\Skin\sound (2).jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\loading03.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionseta.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_007highlight.bmp (564 bytes)
%Program Files%\Yyfm\2014117\Skin\SelectColor_SliderBar_Thumb.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\forecolor_4.png (4 bytes)
%Program Files%\Yyfm\2014117\Skin\input-password.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_008.bmp (556 bytes)
%Program Files%\Yyfm\2014117\Skin\list_title_bg.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_016.bmp (1 bytes)
%Program Files%\Yyfm\2014117\picture\baidu_e1fe9925bc315c60bbe955728cb1cb134954772a.jpg (784 bytes)
%Program Files%\Yyfm\2014117\Skin\lyrictoplay.png (1 bytes)
%Program Files%\Yyfm\2014117\libav.dll (6360 bytes)
%Program Files%\Yyfm\2014117\Skin\bkcolor_6.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\bkcolor_7.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensionbig.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\bg3.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\sound100.jpg (1 bytes)
%Program Files%\Yyfm\2014117\Skin\pushedVolume.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_xm.png (5 bytes)
%Program Files%\Yyfm\2014117\Skin\btn_ok_blue.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\suspensiontopahover.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\AutoRunTipFrame.xml (1 bytes)
%Program Files%\Yyfm\2014117\Skin\lyriclike.png (1 bytes)
%Program Files%\Yyfm\2014117\avformat-54.dll (12536 bytes)
%Program Files%\Yyfm\2014117\Skin\lyricmute.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\btn-login.png (3 bytes)
%Program Files%\Yyfm\2014117\Skin\frmWindowLrc.xml (174 bytes)
%Program Files%\Yyfm\2014117\Skin\color_011.bmp (1 bytes)
%Program Files%\Yyfm\2014117\Skin\color_unsel.bmp (5 bytes)
%Program Files%\Yyfm\2014117\Skin\tooltipbk.png (319 bytes)
%Program Files%\Yyfm\2014117\Skin\random.jpg (1 bytes)
%Program Files%\Yyfm\2014117\YYNews.exe (20416 bytes)
%Program Files%\Yyfm\2014117\lyrics\baidu_13766042.lrc (1 bytes)
%Program Files%\Yyfm\2014117\Skin\lyriclikea.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\pl_btn_on.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\random02.jpg (1 bytes)
%Program Files%\Yyfm\2014117\avcodec-54.dll (23936 bytes)
%Program Files%\Yyfm\2014117\Skin\loading02.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\bk.png (3616 bytes)
%Program Files%\Yyfm\2014117\Skin\feedback.png (2 bytes)
%Program Files%\Yyfm\2014117\Skin\mineahover.png (1 bytes)

The process YyfmPlay.exe:1956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Yyfm\2014117\Data\server.ini (1 bytes)
%Program Files%\Yyfm\2014117\Data\user2.ini (395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA6VPD0Y.htm (3 bytes)
%Program Files%\Yyfm\2014117\Data\client.ini (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].ashx (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ver[1].txt (36 bytes)
%Program Files%\Yyfm\2014117\SysConfig.ini (34 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA6VPD0Y.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].ashx (0 bytes)
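The hash block at the top of the report and the dropped-file lists above are what an incident responder actually works from. The script below is an added example, not part of the Lavasoft report or of the analysed sample: it verifies a suspect file against the three listed hashes and turns the sandbox's "path (N bytes)" lines into a concrete host-check manifest. SAMPLE_REPORT is a constructed excerpt of the lists on this page, and the placeholder expansions (C:\Program Files, C:\Documents and Settings, the account name Administrator) are assumptions for a Windows XP 32-bit profile.

```python
"""Triage helpers for this report: verify a file against the listed hashes
and build a host-check manifest from the dropped-file lists.
Added example (not the report's or the sample's code). SAMPLE_REPORT is a
constructed excerpt; PLACEHOLDERS assumes a Windows XP 32-bit profile."""
import hashlib
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Hashes exactly as listed in the report header.
REPORT_HASHES = {
    "md5": "db58f75c494eaa9ea5268da20ae60471",
    "sha1": "24eaba7c54a1490a0aa79fade941283e13c4243c",
    "sha256": "ef7c4fdaa339b9b5e279375a20159a4a24e57b18c6f54bdf3d968237d5251286",
}

# Sandbox placeholders -> concrete paths (assumed XP layout; replace the
# account name with the victim's user before checking a real host).
PLACEHOLDERS = {
    "%Program Files%": r"C:\Program Files",
    "%Documents and Settings%": r"C:\Documents and Settings",
    "%current user%": "Administrator",
}

# One report line: "<path> (<n> bytes)". Paths may themselves contain spaces
# and parentheses ("sound (2).jpg"), so the match is anchored on the size.
LINE_RE = re.compile(r"^(?P<path>%[^\n]+?)[ \t]+\((?P<size>\d+) bytes\)[ \t]*$", re.M)

# Constructed excerpt of the report's file-activity lists (one duplicate on purpose).
SAMPLE_REPORT = r"""
%Program Files%\setup_3019-47336.exe (23407 bytes)
%Program Files%\xfjc.exe (109 bytes)
%Program Files%\Yyfm\2014117\Skin\tab_comm.png (1 bytes)
%Program Files%\Yyfm\2014117\Skin\sound (2).jpg (1 bytes)
%Program Files%\Yyfm\2014117\YyfmPlay.exe (32784 bytes)
%Program Files%\Yyfm\2014117\YYNews.exe (20416 bytes)
%Program Files%\Yyfm\2014117\Data\server.ini (1 bytes)
%Documents and Settings%\All Users\Desktop\音乐FM.lnk (764 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\YYueDMS\DMSet.Xml (2 bytes)
%Program Files%\Yyfm\2014117\Data\server.ini (1 bytes)
"""


@dataclass(frozen=True)
class DroppedFile:
    path: str   # path with sandbox placeholders, as printed in the report
    size: int   # byte count as recorded by the sandbox (treat as approximate)

    @property
    def expanded(self) -> str:
        out = self.path
        for key, value in PLACEHOLDERS.items():
            out = out.replace(key, value)
        return out

    @property
    def extension(self) -> str:
        return ntpath.splitext(self.path)[1].lower()


def parse_dropped_files(report_text: str) -> List[DroppedFile]:
    """Extract (path, size) entries, keeping the first occurrence of each path."""
    seen, files = set(), []
    for m in LINE_RE.finditer(report_text):
        entry = DroppedFile(m.group("path"), int(m.group("size")))
        if entry.path not in seen:
            seen.add(entry.path)
            files.append(entry)
    return files


def fingerprint(data: bytes) -> Dict[str, str]:
    """MD5 / SHA-1 / SHA-256 of a byte string, keyed like REPORT_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def matches_report(data: bytes, expected: Dict[str, str] = REPORT_HASHES) -> bool:
    """True only if every hash the report lists agrees with the data."""
    got = fingerprint(data)
    return all(got[alg] == value.lower() for alg, value in expected.items())


def host_check_manifest(files: Iterable[DroppedFile]) -> List[str]:
    """Concrete paths worth looking for on a suspect host. Only PE files and
    shortcuts are kept: a 1-byte skin PNG is neither reliable nor useful."""
    keep = {".exe", ".dll", ".lnk"}
    return sorted({f.expanded for f in files if f.extension in keep})


def install_roots(files: Iterable[DroppedFile], depth: int = 4) -> Dict[str, int]:
    """Count entries per directory prefix to see where the installer unpacked."""
    counts: Dict[str, int] = {}
    for f in files:
        parts = ntpath.dirname(f.expanded).split("\\")
        root = "\\".join(parts[:depth])
        counts[root] = counts.get(root, 0) + 1
    return counts


if __name__ == "__main__":
    dropped = parse_dropped_files(SAMPLE_REPORT)
    for path in host_check_manifest(dropped):
        print(path)
    print(install_roots(dropped))
```

Running the script lists the five executable and shortcut paths to look for and shows that most writes land under C:\Program Files\Yyfm\2014117, which is the directory to image or delete. Feed the full file-activity section of this report to parse_dropped_files to get the complete manifest; matches_report is deliberately strict (all three hashes must agree) so that a single transcription error in one hash is caught rather than silently accepted.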

Registry activity

Most of the values in this section (Internet Settings\Cache\Paths, Explorer\Shell Folders, Cryptography\RNG\Seed, Explorer\MountPoints2, Connections\SavedLegacySettings, MigrateProxy and the ZoneMap defaults) are written by the Windows shell and WinINet libraries themselves the first time a process uses them on a fresh profile. They show that the process loaded those libraries, not that it deliberately reconfigured the system. The entries that are specific to this sample are the ones made by setup_3019-47336.exe: the Uninstall\音乐FM key, HKLM\SOFTWARE\YyfmPlay and the deleted Run values.

The process %original file name%.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE DA 00 01 8C 26 0A C9 6C D0 72 6F 55 BA DC E9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The process also sets Internet Explorer's security-zone mapping values. These are IE's default values, written when WinINet first initializes the ZoneMap key, and do not on their own indicate deliberate zone tampering:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (UNC network paths are placed in the Intranet zone)
"ProxyBypass" = "1" (sites that bypass the proxy are placed in the Intranet zone)
"IntranetName" = "1" (local sites whose names contain no dots, not all URLs, are placed in the Intranet zone)

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Together with "MigrateProxy" = "1" and the "SavedLegacySettings" blob above, these deletions match WinINet's one-time migration of legacy proxy values on a profile that has not used IE before; the same pattern recurs for YYNews.exe below.

The process YYNews.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 EE FF 7C BB 21 78 D6 62 48 25 DB EF C6 4D DD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

As for the parent process, the IE security-zone mapping values below are IE's defaults, written when WinINet initializes the ZoneMap key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (UNC network paths are placed in the Intranet zone)
"ProxyBypass" = "1" (sites that bypass the proxy are placed in the Intranet zone)
"IntranetName" = "1" (local sites whose names contain no dots, not all URLs, are placed in the Intranet zone)

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process setup_3019-47336.exe:996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayName" = "音乐FM"
"Publisher" = "音乐FM"

[HKLM\SOFTWARE\YyfmPlay]
"Rd" = "_2014117"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 40 5A 99 5F C4 A9 C6 DE C8 3E 5D 7D 49 55 78"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\音乐FM]
"UninstallString" = "%Program Files%\Yyfm\2014117\Unins.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ÒôÀÖFM]
"DisplayIcon" = "%Program Files%\Yyfm\2014117\Unins.exe"

The Trojan deletes the following value(s) in system registry:

The Trojan disables automatic startup of the application by deleting the following autorun values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BoxNews"
"YyfmPlay"

The process YyfmPlay.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 DA A0 67 8A 11 48 8D 19 44 A0 58 54 0B 05 44"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security zone settings so that all local web nodes with no dots in their names, which are not assigned to any other zone, are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YyfmPlay_2014117" = "%Program Files%\Yyfm\2014117\YyfmPlay.exe -mini"

The Trojan modifies the IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following link to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BoxNews_2014117" = "%Program Files%\Yyfm\2014117\YYNews.exe -mini"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Network activity (URLs)

URL | IP
hxxp://61.155.149.87/qq.php?u=bb61f16d2d789291d04a5c7a0ae78a90.exe | -
hxxp://sh.yun.ftn.qq.com/ftn_handler/fa4fe64f43785fafa82ba96e4d8aa469f7fbb691a451aaef21f3d130b7e07657/?fname=345205210351224213350256241346254241.rar&cn=0&cv=30013 (Malicious) | 61.151.224.28
hxxp://61.155.149.87/qq.php?u=ec75557fcff70f6dd96b38363597d549.exe | -
hxxp://update.yinyue.fm/tj.ashx | 222.186.60.13
hxxp://xa.yun.ftn.qq.com/ftn_handler/0cd08175c53fc74b2b2699a6c5ed9024d7bde9c51694591548bd1f449ad6e76e/?fname=tbwlwKAVSETUPS_66_66322.exe&cn=0&cv=30013 (ET POLICY PE EXE or DLL Windows file download, Malicious) | 113.142.21.83
hxxp://update.yinyue.fm/a.ashx?v=51856086832E9ADBC968DABBD16BCDAF9F6ADB9258ED895D87DB4E3E2FB3FC3E9B41D7BD9B97BBD9B0495A727792E7C18E797EE7D6C52FBBAFB6989AE0748590CB197BBE9D3CE5B36C9940812ED7C668CBB450A377F6C9121D7E016D77BBD5CD854575DB1F2CE36DEA17BDC5073C0BB8891E8C4F171462747D9A3C92715353E0D11842A7027EAE37 | -
hxxp://update.yinyue.fm/appupdate/ver.txt | -
hxxp://update.yinyue.fm/DM2/DMSet.xml | -
tongji.yinyue.fm | 222.186.60.13


HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    setup_3019-47336.exe:996
    YyfmPlay.exe:1956

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\setup_3019-47336.exe (23407 bytes)
    %Program Files%\xfjc.exe (109 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\YYueDMS\OLDSet.Xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\YYueDMS\DMSet.Xml (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\tab_comm.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\bg_2.png (1 bytes)
    %Program Files%\Yyfm\2014117\Unins.exe (9608 bytes)
    %Program Files%\Yyfm\2014117\Skin\random01a.jpg (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\ÒôÁ¿µ÷½Úµã.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn-fav.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn-delete.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\system_menu_btnsteup.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_002highlight.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\LyricFrameVoice.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\close.png (1 bytes)
    %Program Files%\Yyfm\2014117\pthreadGC2.dll (3616 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmLrcChild.xml (263 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_mutevol.png (3 bytes)
    %Program Files%\Yyfm\2014117\SysConfig.ini (280 bytes)
    %Program Files%\Yyfm\2014117\Skin\minea.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\playingrandom.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_005highlight.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\frmlogin.xml (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\voice0520.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmMenuFrame.xml (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\channel.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_bg.bmp (784 bytes)
    %Program Files%\Yyfm\2014117\Skin\slider_bg.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_list_bk.png (1552 bytes)
    %Program Files%\Yyfm\2014117\Skin\playerbg02.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionbiga.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_db.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\font_bkcolor.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\bkcolor_1.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensioncloseahover.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_back.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_014.bmp (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\lista.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmSystemMenuFrame.xml (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\progresstooltip.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\playingplaying.jpg (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\play2.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\sys_check_btn_whiter.png (318 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_set.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\forgettt.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\sys_check_btn_red.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\random0520.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\lyriclikea2.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_015.bmp (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\musiclibrary.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\random03hover.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\bkcolor_4.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\playingprev.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_004.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionfeedback.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_split.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\LrcBk.png (7 bytes)
    %Program Files%\Yyfm\2014117\Skin\prev0520.png (1 bytes)
    %Program Files%\Yyfm\2014117\lyrics\baidu_262581.lrc (993 bytes)
    %Program Files%\Yyfm\2014117\Skin\input-user.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\forecolor_5.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_fh.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\like.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\reflash.png (1 bytes)
    %Program Files%\Yyfm\2014117\channels.xml (784 bytes)
    %Program Files%\Yyfm\2014117\Skin\random01.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionset.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\frmdownmenu.xml (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_008highlight.bmp (552 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn-play.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_prev.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\mini.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\random03.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\source.dll (6584 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_007.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\frmProgressToolTip.xml (393 bytes)
    %Program Files%\Yyfm\2014117\Skin\loading04.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\list_item_bg.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_001highlight.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\playingrandoma.jpg (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\frmplayer.xml (10 bytes)
    %Program Files%\Yyfm\2014117\Skin\exit.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_btn_down.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionsetahover.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\125x125.jpg (784 bytes)
    %Program Files%\Yyfm\2014117\Skin\headimg.png (784 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_009.bmp (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionfeedbackahover.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\frmplaylist.xml (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_ok_red.png (2 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\ÒôÀÖFM\¹Ù·½Ö÷Ò³.lnk (334 bytes)
    %Program Files%\Yyfm\2014117\Skin\DownLoadProgressForeImage.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn-login2.png (6 bytes)
    %Program Files%\Yyfm\2014117\Skin\voiceall0528.png (1 bytes)
    %Program Files%\Yyfm\2014117\audio.dll (3616 bytes)
    %Program Files%\Yyfm\2014117\Skin\prev.png (2 bytes)
    %Program Files%\Yyfm\2014117\icon\gouwu.ico (9 bytes)
    %Program Files%\Yyfm\2014117\Skin\playingpreva.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\sound.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\forecolor_2.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_ok.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_006highlight.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\menu.png (1 bytes)
    %Program Files%\Yyfm\2014117\favorfm.xml (66 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_pause.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\system_menu_btnexit.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_kw.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\pop_bkimage.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensiontopa.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionbigahover.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmConfig.xml (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\voice00528.png (1 bytes)
    %Program Files%\Yyfm\2014117\swresample-0.dll (3312 bytes)
    %Program Files%\Yyfm\2014117\Skin\MessageBox.xml (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmSetWindowLrcFrame.xml (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmPopWnd.xml (354 bytes)
    %Program Files%\Yyfm\2014117\Skin\play0520.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\BtnRightTop.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\random02a.jpg (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\forecolor_3.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_012.bmp (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\history.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\downd.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\button.png (3 bytes)
    %Program Files%\Yyfm\2014117\YyfmPlay.exe (32784 bytes)
    %Program Files%\Yyfm\2014117\DuiLib.dll (16288 bytes)
    %Program Files%\Yyfm\2014117\Skin\WindowLrcbkIamge.png (732 bytes)
    %Program Files%\Yyfm\2014117\Skin\bkcolor_3.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_close.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\PlayProgressForeImage.png (142 bytes)
    %Program Files%\Yyfm\2014117\Skin\list_scroll_bar.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\sys_check_btn_blue.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\back.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionclosea.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\update.xml (2 bytes)
    %Program Files%\Yyfm\2014117\Data\setup.ini (125 bytes)
    %Program Files%\Yyfm\2014117\Skin\frmWindowLrcParent.xml (157 bytes)
    %Program Files%\Yyfm\2014117\Skin\320x225.png (784 bytes)
    %Program Files%\Yyfm\2014117\Skin\collection.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmHotKeyTip.xml (482 bytes)
    %Program Files%\Yyfm\2014117\Skin\lyricdelete.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\power.png (5 bytes)
    %Program Files%\Yyfm\2014117\Data\client.ini (38 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_forward.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\home.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_010.bmp (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\normalVolume.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionmin.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_bg.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmColor.xml (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_9k.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_013.bmp (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_vol.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionmina.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmFeedBack.xml (411 bytes)
    %Program Files%\Yyfm\2014117\Skin\sys_check_btn.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\SetTipFrame.xml (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_001.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\random01hover.jpg (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_005.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\lyricdeletea.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\list_play.png (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\ÒôÀÖFM\ÅäÖù¤¾ß\жÔØÒôÀÖFM.lnk (771 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionlogin.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\downdahover.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmLrc.xml (7 bytes)
    %Program Files%\Yyfm\2014117\icon\ie.ico (784 bytes)
    %Program Files%\Yyfm\2014117\Skin\voice0a0528.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\steup.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_close.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_icon.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\random02hover.jpg (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\list_pause.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionfeedbacka.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_comm.png (1 bytes)
    %Program Files%\Yyfm\2014117\PlayerUpdate.exe (5064 bytes)
    %Program Files%\Yyfm\2014117\Skin\random03a.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_002.bmp (564 bytes)
    %Documents and Settings%\All Users\Desktop\ÒôÀÖFM.lnk (764 bytes)
    %Program Files%\Yyfm\2014117\Skin\bkcolor_5.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_004highlight.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_desktop.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\bg2.png (1 bytes)
    %Program Files%\Yyfm\2014117\avcore.dll (2392 bytes)
    %Program Files%\Yyfm\2014117\Skin\fbcaptionbk.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\remembertt.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_003.bmp (560 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionclose.png (1 bytes)
    %Program Files%\Yyfm\2014117\picture\baidu_c2cec3fdfc03924517c1df928694a4c27d1e2532.jpg (784 bytes)
    %Program Files%\Yyfm\2014117\Skin\max.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\list_scroll_bar2.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\frmWebBrowser.xml (308 bytes)
    %Program Files%\Yyfm\2014117\Skin\font_forecolor.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\system_menu_btnmini.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\system_menu_btnfeedback.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\mainframeshadow.png (4992 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn-anonymity.png (8 bytes)
    %Program Files%\Yyfm\2014117\Data\server.ini (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\forecolor_1.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\lrclist.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\progresstooltipbk.png (1552 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn-next.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_small.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\list.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\hotkeytipbk.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\playersidebg.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\playerbg01.png (1 bytes)
    %Program Files%\Yyfm\2014117\picture\baidu_c8ea15ce36d3d539f9c9305e3b87e950342ab0b2.jpg (784 bytes)
    %Program Files%\Yyfm\2014117\Data\dh.ini (56 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_res.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_feedback.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\progress_fore.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\prevention.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\voice1000528.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\loading01.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\forecolor_7.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\system_menu_btntop.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_bd.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\scrollbar.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\search.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\system_menu_btnexit - ¸±±¾.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\border.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensiontop.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\lyricdeletea2.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\BtnHidePlayList.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\dash.png (955 bytes)
    %Program Files%\Yyfm\2014117\Skin\min.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\list_item.xml (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\system_menu_btnmin.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\bkcolor_2.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\DefaultUserImage.jpg (6 bytes)
    %Program Files%\Yyfm\2014117\Skin\astop.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_itself.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\more.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\next0520.png (1 bytes)
    %Program Files%\Yyfm\2014117\Data\version.ini (32 bytes)
    %Program Files%\Yyfm\2014117\avutil-52.dll (5520 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_next.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_big.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn-pause.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\downda.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\playingnext.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_006.bmp (560 bytes)
    %Program Files%\Yyfm\2014117\Skin\icon.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\mini´°.png (1 bytes)
    %Program Files%\Yyfm\2014117\icon\ccjs.ico (13 bytes)
    %Program Files%\Yyfm\2014117\Skin\listahover.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\playinginga.jpg (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\next.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\FrmDropDownMenuFrame.xml (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionminahover.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_003highlight.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\forecolor_6.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\playerlist.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_color.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_play.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\LoginBk.png (3312 bytes)
    %Program Files%\Yyfm\2014117\Skin\playingvoice.png (3 bytes)
    %Program Files%\Yyfm\2014117\lyrics\baidu_13881991.lrc (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\mine.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\playinging.jpg (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\ÒôÁ¿Ìõ.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_sc.png (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\ÒôÀÖFM\ÒôÀÖFM.lnk (776 bytes)
    %Program Files%\Yyfm\2014117\Skin\sound (2).jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\loading03.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionseta.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_007highlight.bmp (564 bytes)
    %Program Files%\Yyfm\2014117\Skin\SelectColor_SliderBar_Thumb.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\forecolor_4.png (4 bytes)
    %Program Files%\Yyfm\2014117\Skin\input-password.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_008.bmp (556 bytes)
    %Program Files%\Yyfm\2014117\Skin\list_title_bg.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_016.bmp (1 bytes)
    %Program Files%\Yyfm\2014117\picture\baidu_e1fe9925bc315c60bbe955728cb1cb134954772a.jpg (784 bytes)
    %Program Files%\Yyfm\2014117\Skin\lyrictoplay.png (1 bytes)
    %Program Files%\Yyfm\2014117\libav.dll (6360 bytes)
    %Program Files%\Yyfm\2014117\Skin\bkcolor_6.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\bkcolor_7.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensionbig.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\bg3.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\sound100.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\pushedVolume.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_xm.png (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn_ok_blue.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\suspensiontopahover.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\AutoRunTipFrame.xml (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\lyriclike.png (1 bytes)
    %Program Files%\Yyfm\2014117\avformat-54.dll (12536 bytes)
    %Program Files%\Yyfm\2014117\Skin\lyricmute.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\btn-login.png (3 bytes)
    %Program Files%\Yyfm\2014117\Skin\frmWindowLrc.xml (174 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_011.bmp (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\color_unsel.bmp (5 bytes)
    %Program Files%\Yyfm\2014117\Skin\tooltipbk.png (319 bytes)
    %Program Files%\Yyfm\2014117\Skin\random.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\YYNews.exe (20416 bytes)
    %Program Files%\Yyfm\2014117\lyrics\baidu_13766042.lrc (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\lyriclikea.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\pl_btn_on.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\random02.jpg (1 bytes)
    %Program Files%\Yyfm\2014117\avcodec-54.dll (23936 bytes)
    %Program Files%\Yyfm\2014117\Skin\loading02.png (1 bytes)
    %Program Files%\Yyfm\2014117\Skin\bk.png (3616 bytes)
    %Program Files%\Yyfm\2014117\Skin\feedback.png (2 bytes)
    %Program Files%\Yyfm\2014117\Skin\mineahover.png (1 bytes)
    %Program Files%\Yyfm\2014117\Data\user2.ini (395 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\CA6VPD0Y.htm (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tj[1].ashx (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ver[1].txt (36 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YyfmPlay_2014117" = "%Program Files%\Yyfm\2014117\YyfmPlay.exe -mini"
    "BoxNews_2014117" = "%Program Files%\Yyfm\2014117\YYNews.exe -mini"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.