Technical Information
- [<HKLM>\SOFTWARE\Microsoft\Internet Explorer\Extensions\{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}] 'ClsidExtension' = '{5C3853CF-C7E0-4946-B3FA-1ABDB6F48108}'
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'CdnCtr' = '%PROGRAM_FILES%\CNNIC\Cdn\cdnup.exe'
- [<HKLM>\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptimg] 'DllName' = ''
- [<HKLM>\SYSTEM\ControlSet001\Services\ssst] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\hidproc] 'Start' = '00000002'
- [<HKLM>\SYSTEM\ControlSet001\Services\acpidisk] 'Start' = '00000002'
- '%TEMP%\ad_1176\InstCryptimg.exe'
- '%TEMP%\temp.exe'
- '%TEMP%\ad_1176\ad_1176.exe'
- '%TEMP%\D\setup.exe' 00010802
- '%TEMP%\AIS_1176_0.EXE'
- '%TEMP%\scfile.exe' /s:%TEMP%\mms22_1.exe\t:C:\DOCUME~1\%USERNAME%\LOCALS~1\Temp\temp.exe\p:N9q6r5T13
- '%PROGRAM_FILES%\ad1359.exe'
- '%PROGRAM_FILES%\tshz103.exe'
- '%PROGRAM_FILES%\dodolook212.exe'
- '%TEMP%\173.exe' 7212
- '%PROGRAM_FILES%\mms22.exe'
- '<SYSTEM32>\rundll32.exe'
- '<SYSTEM32>\rundll32.exe' %PROGRAM_FILES%\nnno\xxxy.dll,Service -s
- '<SYSTEM32>\regsvr32.exe' /u /s "%PROGRAM_FILES%\SearchNet\SNHpr.dll"
- '<SYSTEM32>\regsvr32.exe' /s "%CommonProgramFiles%\CPUSH\cpush.dll"
- NtSetValueKey, handler: hidproc.sys
- NtDeleteValueKey, handler: hidproc.sys
- NtDeleteKey, handler: hidproc.sys
- %TEMP%\D\cdnins.dll
- <SYSTEM32>\uuuv.uni
- %TEMP%\D\cdnaux.dll
- %TEMP%\D\cdnforie.dll
- %TEMP%\D\cdnprot.sys
- %TEMP%\D\cdnunins.exe
- %TEMP%\D\cdnprh.dll
- %TEMP%\D\cdnprot.dat
- %PROGRAM_FILES%\nnno\xxxy.dll
- %PROGRAM_FILES%\nnno\iiij.ini
- %PROGRAM_FILES%\nnno\mmmn.ini
- %TEMP%\8nw9q.dll
- %PROGRAM_FILES%\nnno\cccd.dll
- %PROGRAM_FILES%\nnno\fffg.dll
- %TEMP%\D\cdn.dll
- %PROGRAM_FILES%\nnno\aaab.dll
- %TEMP%\D\cdnup.exe
- %PROGRAM_FILES%\CNNIC\Cdn\cdnaux.dll
- %PROGRAM_FILES%\CNNIC\Cdn\cdnup.exe
- %PROGRAM_FILES%\CNNIC\Cdn\cdnunins.exe
- %PROGRAM_FILES%\CNNIC\Cdn\src.dat
- %PROGRAM_FILES%\nnno\qqqr\qqqr.ini
- %PROGRAM_FILES%\nnno\kkkl\kkkl.ini
- %PROGRAM_FILES%\CNNIC\Cdn\cdnforie.dll
- %PROGRAM_FILES%\nnno\iiij\iiij.ini
- %TEMP%\D\setup.exe
- %TEMP%\D\src.dat
- %TEMP%\D\cdnvers.dat
- %TEMP%\D\idnconvs.dll
- %PROGRAM_FILES%\CNNIC\Cdn\idnconvs.dll
- %PROGRAM_FILES%\CNNIC\Cdn\cdnvers.dat
- %PROGRAM_FILES%\nnno\rrrs.ini
- %TEMP%\src.tmp
- %TEMP%\nsz6.tmp
- %TEMP%\scfile.exe
- %TEMP%\nsi4.tmp\System.dll
- %TEMP%\173.exe
- <DRIVERS>\e.sys
- %TEMP%\mms22_1.exe
- %TEMP%\nsc8.tmp\System.dll
- %PROGRAM_FILES%\tshz103.exe
- %PROGRAM_FILES%\mms22.exe
- %PROGRAM_FILES%\dodolook212.exe
- %PROGRAM_FILES%\ad1359.exe
- %CommonProgramFiles%\CPUSH\Uninst.exe
- %CommonProgramFiles%\CPUSH\cpush.dll
- %TEMP%\t2k4ts.dll
- %TEMP%\nsg2.tmp
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\efaccdf0-7a51-4ccd-b5f7-2e6c548afa7e
- %TEMP%\ad_1176\init.txt
- %TEMP%\ad_1176\ad_1176.exe
- %TEMP%\nsyB.tmp
- %TEMP%\ad_1176\InstCryptimg.exe
- %WINDIR%\Debug\bmhrt.log
- %TEMP%\insshell.exe
- <DRIVERS>\hidproc.sys
- <SYSTEM32>\cryptimg.dll
- %TEMP%\acpidisk.sys
- %APPDATA%\Microsoft\Crypto\RSA\S-1-5-21-2052111302-484763869-725345543-1003\ec702f375e1b12d218f67ab9ef19ca23_23ef5514-3059-436f-a4a7-4cefaab20eb1
- %TEMP%\DoSSSetup.dll
- %APPDATA%\Microsoft\Protect\S-1-5-21-2052111302-484763869-725345543-1003\Preferred
- <SYSTEM32>\winlib .dll
- <SYSTEM32>\mprmsgse.axz
- %TEMP%\temp.exe
- <DRIVERS>\acpidisk.sys
- %TEMP%\AIS_1176_0.EXE
- %TEMP%\ad_1176\ad_1176.exe
- %TEMP%\ad_1176\InstCryptimg.exe
- %TEMP%\ad_1176\init.txt
- <DRIVERS>\e.sys
- C:\~deE.tmp
- %TEMP%\src.tmp
- %TEMP%\8nw9q.dll
- %TEMP%\temp.exe
- %TEMP%\nsc8.tmp\System.dll
- %TEMP%\mms22_1.exe
- %TEMP%\t2k4ts.dll
- <SYSTEM32>\winlib .dll
- %TEMP%\DoSSSetup.dll
- %TEMP%\nsi4.tmp\System.dll
- %TEMP%\173.exe
- %TEMP%\acpidisk.sys
- from %TEMP%\AIS_1176_0.EXE to C:\~deE.tmp
- from %TEMP%\insshell.exe to %TEMP%\AIS_1176_0.EXE
- 'up####.borlander.cn':80
- 'ac####.borlander.com.cn':80
- 'gs.###system.com':80
- up####.borlander.cn/updadini/updadini.ini
- up####.borlander.cn/updstd3/updstdix.ini
- up####.borlander.cn/updstd3/updstdii.ini
- gs.###system.com/gs.php?12##########################################################################################################################################
- ac####.borlander.com.cn/active?t=###########################################
- DNS ASK up####.borlander.cn
- DNS ASK ac####.borlander.com.cn
- DNS ASK gs.###system.com
- ClassName: '' WindowName: 'CdnUp'
- ClassName: '' WindowName: 'Chinese Navigation Upgrade'
- ClassName: '' WindowName: 'Chinese Navigation'
- ClassName: '' WindowName: 'CdnHide'
- ClassName: 'EDIT' WindowName: ''
- ClassName: 'Shell_TrayWnd' WindowName: ''
- ClassName: '_stdup_cha_wnd_' WindowName: '_stdup_cha_wnd_'