Full Analysis Report of sdg24i1-107-20-4154.exe

Summary:

  • Summary of the findings

      No.  What's been found                                         Severity
      1    Set a program to start automatically when Windows starts

Technical details:

  • General

    • User : \\TEST-R7CHD9Q826\Administrator
    • Application type : Windows application
    • Priority : Normal
    • Size : 1298906
    • Path : C:\Samples\sdg24i1-107-20-4154.exe
    • Command : "C:\Samples\sdg24i1-107-20-4154.exe"
    • MD5: ce3a4554b184917975bd99d5e5a3f23f
    • SHA1: e95fe058d4f1f36abdc59fb7c2a3c2236a4adebf
    • Version details

      • Company :
      • File version :
      • Product version :
      • Description :
      • Product name :
      • Legal copyright :
      • Internal name :
    • File times

      • Creation time : Saturday, May 17, 2014 - 20:02:44
      • Modification time : Saturday, May 17, 2014 - 20:03:03
      • Last access time : Tuesday, May 20, 2014 - 18:43:06
    • Process times

      • Start time : 18:43:06
      • Exit time : 18:45:07
      • Kernel time : 0.453125 (s)
      • User time : 0.140625 (s)
    • IO counters

      • Read operation : 510
      • Write operation : 149
      • Other operation : 9762
      • Read transfer : 4085362
      • Write transfer : 3547695
      • Other transfer : 131062
    • Memory details

      • Page fault count : 2449
      • Page file usage : 0
      • Peak page file usage : 3649536
      • Peak working set size : 7823360
      • Quota non paged pool usage : 0
      • Quota paged pool usage : 0
      • Quota peak non paged pool usage : 6352
      • Quota peak paged pool usage : 95380
      • Working set size : 28672
    • Process privileges

      • SeChangeNotifyPrivilege
      • SeSecurityPrivilege
      • SeBackupPrivilege
      • SeRestorePrivilege
      • SeSystemtimePrivilege
      • SeShutdownPrivilege
      • SeRemoteShutdownPrivilege
      • SeTakeOwnershipPrivilege
      • SeDebugPrivilege
      • SeSystemEnvironmentPrivilege
      • SeSystemProfilePrivilege
      • SeProfileSingleProcessPrivilege
      • SeIncreaseBasePriorityPrivilege
      • SeLoadDriverPrivilege
      • SeCreatePagefilePrivilege
      • SeIncreaseQuotaPrivilege
      • SeUndockPrivilege
      • SeManageVolumePrivilege
      • SeImpersonatePrivilege
      • SeCreateGlobalPrivilege
  • Events statistics

      Event            Count
      OpenKey             77
      DeleteValueKey       1
      SetValueKey         56
      CreateFile          12
      CreateFolder         1
      WriteFile          154
      Process Create       1
      Process Exit         1
      Thread Create        6
      Thread Exit          6
      Load Image          61
  • Modules

      Index Name Path Load Address Image Size Entry Point Version Size Company Description
      1 ntdll.dll %System%\ntdll.dll 0x7C930000 0xD2000 0x00000000 5.2.3790.3290 (srv03_sp1_gdr.090203-1205) 841216 Microsoft Corporation NT Layer DLL
      2 KERNEL32.dll %System%\kernel32.dll 0x7C800000 0x12C000 0x7C825FB4 5.2.3790.3311 (srv03_sp1_gdr.090321-1245) 1206784 Microsoft Corporation Windows NT BASE API Client DLL
      3 USER32.dll %System%\user32.dll 0x77E10000 0x91000 0x77E1947C 5.2.3790.2892 (srv03_sp1_gdr.070301-0030) 584192 Microsoft Corporation Windows USER API Client DLL
      4 GDI32.dll %System%\gdi32.dll 0x77BD0000 0x49000 0x77BDB23E 5.2.3790.3233 (srv03_sp1_gdr.081022-1216) 286208 Microsoft Corporation GDI Client DLL
      5 ADVAPI32.dll %System%\advapi32.dll 0x77F30000 0xAC000 0x77F4DFCD 5.2.3790.3290 (srv03_sp1_gdr.090203-1205) 686592 Microsoft Corporation Advanced Windows 32 Base API
      6 RPCRT4.dll %System%\rpcrt4.dll 0x77C20000 0x9F000 0x77C45061 5.2.3790.2971 (srv03_sp1_gdr.070709-2334) 642560 Microsoft Corporation Remote Procedure Call Runtime
      7 shell32.dll %System%\shell32.dll 0x7CA10000 0x7E1000 0x7CA90660 6.00.3790.3158 (srv03_sp1_gdr.080617-1231) 8242176 Microsoft Corporation Windows Shell Common Dll
      8 msvcrt.dll %System%\msvcrt.dll 0x77B70000 0x5A000 0x77B7F78B 7.0.3790.1830 (srv03_sp1_rtm.050324-1447) 348672 Microsoft Corporation Windows NT CRT DLL
      9 SHLWAPI.dll %System%\shlwapi.dll 0x77EB0000 0x52000 0x77ED86F9 6.00.3790.3304 (srv03_sp1_gdr.090303-1204) 320512 Microsoft Corporation Shell Light-weight Utility Library
      10 Comctl32.dll %Windir%\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.1830_x-ww_7AE38CCF\comctl32.dll 0x77CD0000 0x103000 0x77D5A81E 6.0 (srv03_sp1_rtm.050324-1447) 1051136 Microsoft Corporation User Experience Controls Library
      11 ole32.dll %System%\ole32.dll 0x774B0000 0x134000 0x774F5C37 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 1244672 Microsoft Corporation Microsoft OLE for Windows
      12 VERSION.dll %System%\version.dll 0x77B60000 0x8000 0x77B61186 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 18432 Microsoft Corporation Version Checking and File Installation Libraries
      13 IMM32.DLL %System%\imm32.dll 0x76180000 0x1D000 0x761812D0 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 110592 Microsoft Corporation Windows IMM32 API Client DLL
      14 LPK.DLL %System%\lpk.dll 0x63090000 0x9000 0x63092EB2 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 22016 Microsoft Corporation Language Pack
      15 USP10.dll %System%\usp10.dll 0x74AE0000 0x61000 0x74B189AC 1.0422.3790.1830 (srv03_sp1_rtm.050324-1447) 364032 Microsoft Corporation Uniscribe Unicode script processor
      16 rta1.tmp %Temp%rta1.tmp 0x00A30000 0x73000 0x00AA1910 176128
      17 MPR.dll %System%\mpr.dll 0x71B30000 0x11000 0x71B311E0 5.2.3790.0 (srv03_rtm.030324-2048) 57344 Microsoft Corporation Multiple Provider Router DLL
      18 OLEAUT32.dll %System%\oleaut32.dll 0x775F0000 0x8C000 0x775F3F9B 5.2.3790.3057 557568 Microsoft Corporation
      19 WSOCK32.dll %System%\wsock32.dll 0x71B10000 0xB000 0x71B11060 5.2.3790.0 (srv03_rtm.030324-2048) 28672 Microsoft Corporation Windows Socket 32-Bit DLL
      20 WS2_32.dll %System%\ws2_32.dll 0x71B60000 0x17000 0x71B61276 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 83968 Microsoft Corporation Windows Socket 2.0 32-Bit DLL
      21 WS2HELP.dll %System%\ws2help.dll 0x71B50000 0x8000 0x71B5123D 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 19968 Microsoft Corporation Windows Socket 2.0 Helper for Windows NT
      22 MSCTF.dll %System%\MSCTF.dll 0x4B210000 0x51000 0x4B2113EE 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 317440 Microsoft Corporation MSCTF Server DLL
      23 SHFOLDER.dll %System%\shfolder.dll 0x76610000 0x9000 0x7661121F 6.00.3790.1830 (srv03_sp1_rtm.050324-1447) 25088 Microsoft Corporation Shell Folder Service
      24 SETUPAPI.dll %System%\setupapi.dll 0x770D0000 0x176000 0x770D15D6 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 1522688 Microsoft Corporation Windows Setup API
      25 xpsp2res.dll %System%\xpsp2res.dll 0x10000000 0x549000 0x00000000 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 5535744 Microsoft Corporation Service Pack 2 Messages
      26 xID.dll C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp8.tmp\xID.dll 0x00BF0000 0x4000 0x00BF11B8 10056
      27 WININET.dll %System%\wininet.dll 0x779E0000 0xA4000 0x779E1596 6.00.3790.3304 (srv03_sp1_gdr.090303-1204) 648192 Microsoft Corporation Internet Extensions for Win32
      28 CRYPT32.dll %System%\crypt32.dll 0x760A0000 0x91000 0x760A156D 5.131.3790.1830 (srv03_sp1_rtm.050324-1447) 587264 Microsoft Corporation Crypto API32
      29 MSASN1.dll %System%\msasn1.dll 0x76080000 0x12000 0x7608436D 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 57856 Microsoft Corporation ASN.1 Runtime APIs
      30 Secur32.dll %System%\secur32.dll 0x76EB0000 0x13000 0x76EB318F 5.2.3790.3290 (srv03_sp1_gdr.090203-1205) 65536 Microsoft Corporation Security Support Provider Interface
      31 RASAPI32.dll %System%\rasapi32.dll 0x76DF0000 0x3F000 0x76DF2779 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 244224 Microsoft Corporation Remote Access API
      32 rasman.dll %System%\rasman.dll 0x76DA0000 0x12000 0x76DA1220 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 62976 Microsoft Corporation Remote Access Connection Manager
      33 NETAPI32.dll %System%\netapi32.dll 0x71BA0000 0x58000 0x71BAA4A5 5.2.3790.3229 (srv03_sp1_gdr.081016-1620) 350208 Microsoft Corporation Net Win32 API DLL
      34 TAPI32.dll %System%\tapi32.dll 0x76DC0000 0x2F000 0x76DE55A5 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 183808 Microsoft Corporation Microsoft(R) Windows(TM) Telephony API Client DLL
      35 rtutils.dll %System%\rtutils.dll 0x76D90000 0xC000 0x76D9194D 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 35328 Microsoft Corporation Routing Utilities
      36 WINMM.dll %System%\winmm.dll 0x769E0000 0x2A000 0x769E33A6 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 164352 Microsoft Corporation MCI API DLL
      37 sensapi.dll %System%\sensapi.dll 0x72230000 0x5000 0x722310A0 5.2.3790.0 (srv03_rtm.030324-2048) 6144 Microsoft Corporation SENS Connectivity API DLL
      38 USERENV.dll %System%\userenv.dll 0x75870000 0xBF000 0x758725F9 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 769024 Microsoft Corporation Userenv
      39 urlmon.dll %System%\urlmon.dll 0x77250000 0xAD000 0x77251809 6.00.3790.3304 (srv03_sp1_gdr.090303-1204) 689664 Microsoft Corporation OLE32 Extensions for Win32
      40 MSWSOCK.dll %System%\mswsock.dll 0x71A80000 0x40000 0x71A815C6 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 251904 Microsoft Corporation Microsoft Windows Sockets 2.0 Service Provider
      41 hnetcfg.dll %System%\hnetcfg.dll 0x69660000 0x56000 0x69699708 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 341504 Microsoft Corporation Home Networking Configuration Manager
      42 wshtcpip.dll %System%\wshtcpip.dll 0x71A40000 0x8000 0x71A41176 5.2.3790.0 (srv03_rtm.030324-2048) 18432 Microsoft Corporation Windows Sockets Helper DLL
      43 CLBCatQ.DLL %System%\clbcatq.dll 0x77680000 0x83000 0x776844B0 2001.12.4720.1830 (srv03_sp1_rtm.050324-1447) 514560 Microsoft Corporation COM+ Configuration Catalog
      44 COMRes.dll %System%\comres.dll 0x76F70000 0x15A000 0x76F71048 2001.12.4720.0 (srv03_rtm.030324-2048) 1401344 Microsoft Corporation COM+ Resources
      45 LINKINFO.dll %System%\linkinfo.dll 0x76820000 0x8000 0x76821D1D 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 19456 Microsoft Corporation Windows Volume Tracking
      46 ntshrui.dll %System%\ntshrui.dll 0x76830000 0x24000 0x76831F3D 6.00.3790.1830 (srv03_sp1_rtm.050324-1447) 136704 Microsoft Corporation Shell extensions for sharing
      47 xpsp2res.dll %System%\xpsp2res.dll 0x010A0000 0x549000 0x00000000 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 5535744 Microsoft Corporation Service Pack 2 Messages
      48 apphelp.dll %System%\apphelp.dll 0x75D60000 0x27000 0x75D61239 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 150016 Microsoft Corporation Application Compatibility Client Library
      49 cscui.dll %System%\cscui.dll 0x76430000 0x4E000 0x76431800 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 304640 Microsoft Corporation Client Side Caching UI
      50 cscdll.dll %System%\cscdll.dll 0x76410000 0x1D000 0x76411270 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 100352 Microsoft Corporation Offline Network Agent
      51 SHDOCVW.dll %System%\shdocvw.dll 0x77860000 0x175000 0x778A9481 6.00.3790.3304 (srv03_sp1_gdr.090303-1204) 1514496 Microsoft Corporation Shell Doc Object and Control Library
      52 CRYPTUI.dll %System%\cryptui.dll 0x75290000 0x70000 0x752915FD 5.131.3790.1830 (srv03_sp1_rtm.050324-1447) 444416 Microsoft Corporation Microsoft Trust UI Provider
      53 WINTRUST.dll %System%\wintrust.dll 0x76B10000 0x2B000 0x76B11551 5.131.3790.1830 (srv03_sp1_rtm.050324-1447) 164864 Microsoft Corporation Microsoft Trust Verification APIs
      54 imagehlp.dll %System%\imagehlp.dll 0x76B70000 0x29000 0x76B7127A 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 148992 Microsoft Corporation Windows NT Image Helper
      55 wldap32.dll %System%\wldap32.dll 0x76E70000 0x2E000 0x76E7112A 5.2.3790.1830 (srv03_sp1_rtm.050324-1447) 177152 Microsoft Corporation Win32 LDAP API DLL

  • File system modifications

    • The following files were created

      • %Temp%nsz1F5.tmp
      • %Temp%yfq1F6.tmp
      • %Temp%nse1F7.tmp
      • %Temp%nse1F7.tmp\System.dll
      • %Temp%nse1F7.tmp\config0.ini
      • %Temp%nse1F7.tmp\xID.dll
      • %Temp%nse1F7.tmp\Md5dll.dll
      • %Temp%nse1F7.tmp\bind.dll
      • %Windir%\Debug\UserMode\ChkAcc.log
      • %InternetCache%\Content.IE5\IABY676R\stat[1].htm
      • %Temp%nse1F7.tmp\config.ini
    • The following folders were created

      • %Temp%nse1F7.tmp
    • The following files were modified

      • %Temp%yfq1F6.tmp
      • %Temp%nse1F7.tmp\System.dll
      • %Temp%nse1F7.tmp\config0.ini
      • %Temp%nse1F7.tmp\xID.dll
      • %Temp%nse1F7.tmp\Md5dll.dll
      • %Temp%nse1F7.tmp\bind.dll
      • %InternetCache%\Content.IE5\IABY676R\stat[1].htm
      • %Temp%nse1F7.tmp\config.ini
      • %ProgramFiles%\shandian\shandian.exe
      • %ProgramFiles%\shandian\bin\sdad.exe
      • %ProgramFiles%\shandian\bin\shandian.exe
      • %ProgramFiles%\shandian\bin\shandian.ini
      • %ProgramFiles%\shandian\ico\360.ico
      • %ProgramFiles%\shandian\ico\anquan.ico
      • %ProgramFiles%\shandian\ico\ie.ico
      • %ProgramFiles%\shandian\ico\taobao.ico
      • %ProgramFiles%\shandian\config.ini
      • %ProgramFiles%\shandian\uninst.exe
      • %AppData%\Microsoft\Internet Explorer\Quick Launch\.lnk
      • %Desktop%\.lnk
      • %Programs%\\.lnk
      • %Programs%\\ж.lnk
      • %Desktop%\360ȫ.lnk
      • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
      • %AppData% is a variable that refers to the application data folder. By default, this is C:\Documents and Settings\[UserName]\Application Data
      • %InternetCache% is a variable that refers to the Temporary Internet Files folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temporary Internet Files (Windows NT/2000/XP).
      • %Windir% is a variable that refers to the Windows root folder. By default, this is C:\windows (Windows 95/98/Me/XP/Vista/7), C:\winnt (Windows NT/2000/2003/2008).
      • %ProgramFiles% is a variable that refers to the Program Files folder. A typical path is C:\Program Files.
      • %Desktop% is a variable that refers to the file system directory used to physically store file objects on the desktop (not to be confused with the desktop folder itself). A typical path is C:\Documents and Settings\[UserName]\Desktop.
      • %Programs% is a variable that refers to a file system directory that contains the user's program groups (which are themselves file system directories). A typical path is C:\Documents and Settings\[UserName]\Start Menu\Programs.

    • Memory modifications

      • There were new processes created in the system:
          Process Name Command Line
          Process Create C:\Program Files\shandian\shandian.exe
    • Registry modifications

      • The following Registry entry was deleted:

        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\autoconfigurl
      • The following Registry value was created:

        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\shandian = "C:\Program Files\shandian\shandian.exe"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\displayname = ""
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\uninstallstring = "C:\Program Files\shandian\uninst.exe"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\displayicon = "C:\Program Files\shandian\shandian.exe"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\displayversion = "1.0.0.0"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\urlinfoabout = "http://www.sd.com"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninsta
      • The following Registry value was modified:

        • HKEY_LOCAL_MACHINE\software\microsoft\cryptography\rng\seed = 1A B6 2A 0B FB 35 B6 B3 ...
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db21b9c4-ec68-11e1-844d-806e6f6e6963}\baseclass = "Drive"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db21b9c1-ec68-11e1-844d-806e6f6e6963}\baseclass = "Drive"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db21b9c0-ec68-11e1-844d-806e6f6e6963}\baseclass = "Drive"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\cache = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\cache\paths\directory = "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\cache\paths\path1\cachelimit = 0x0004FFB3
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\cookies = "C:\Documents and Settings\Administrator\Cookies"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\history = "C:\Documents and Settings\Administrator\Local Settings\History"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders\common appdata = "C:\Documents and Settings\All Users\Application Data"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\appdata = "C:\Documents and Settings\Administrator\Application Data"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\migrateproxy = 0x00000001
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\proxyenable = 0x00000001
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\proxyserver = "127.0.0.1:8087"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\proxyoverride = ""
        • HKEY_LOCAL_MACHINE\system\controlset001\hardware profiles\0001\software\microsoft\windows\currentversion\internet settings\proxyenable = 0x00000001
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\connections\savedlegacysettings = 3C 00 00 00 E5 00 00 00 ...
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\proxybypass = 0x00000001
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\intranetname = 0x00000001
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\internet settings\zonemap\uncasintranet = 0x00000001
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\personal = "C:\Documents and Settings\Administrator\My Documents"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders\common documents = "C:\Documents and Settings\All Users\Documents"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\desktop = "C:\Documents and Settings\Administrator\"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders\common desktop = "C:\Documents and Settings\All Users\"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\start menu = "C:\Documents and Settings\Administrator\ʼ˵"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders\common start menu = "C:\Documents and Settings\All Users\ʼ˵"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\my pictures = ""
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders\commonpictures = ""
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders\commonmusic = "C:\Documents and Settings\All Users\Documents\My Music"
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders\commonvideo = ""
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell folders\common programs = "C:\Documents and Settings\All Users\ʼ˵\"
        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\shell folders\programs = "C:\Documents and Settings\Admin
    • Network activity

    • How to get rid of it

      • Terminate the following process:

        • C:\Program Files\shandian\shandian.exe
      • Remove the following files:

        • C:\Documents and Settings\Administrator\Local Settings\Temp\nsz1F5.tmp
        • C:\Documents and Settings\Administrator\Local Settings\Temp\yfq1F6.tmp
        • C:\WINDOWS\Debug\UserMode\ChkAcc.log
        • C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IABY676R\stat[1].htm
      • Remove the following folders:

        • C:\Documents and Settings\Administrator\Local Settings\Temp\nsz1F5.tmp
      • Remove the following registry key values:

        • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\shandian
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\displayname
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\uninstallstring
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\displayicon
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\displayversion
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\urlinfoabout
        • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\\publ
        • How to protect yourself in the future

This report was created with Ax3soft Scout.