Technical Information
- Registry: [<HKLM>\SOFTWARE\Classes\Applications\uninstall.exe\shell\open\command] '' (the key's default value) = '%WINDIR%\uninstall.exe "%1" %*'
- '%WINDIR%\uninstall.exe'
- '<SYSTEM32>\cmd.exe' /c %PROGRAM_FILES%\userpic\qr.bat
- '<SYSTEM32>\wscript.exe' qr.vbe
- '<SYSTEM32>\wscript.exe' %WINDIR%\up.vbe
- '<SYSTEM32>\ping.exe' 127.0.0.1 -n 1
- '<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\scrrun.dll
- '<SYSTEM32>\regsvr32.exe' /s <SYSTEM32>\wshom.ocx
- '<SYSTEM32>\cmd.exe' /c %WINDIR%\copy.bat
- %WINDIR%\up.vbe
- %WINDIR%\qr.txt
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\KHMHGZ4F\001[1].jpg
- %HOMEPATH%\Local Settings\Temporary Internet Files\Content.IE5\U98D4X8H\CADK4V5D.asp
- %PROGRAM_FILES%\userpic\sogoupyupdate.exe
- %PROGRAM_FILES%\userpic\qr.bat
- %WINDIR%\uninstall.exe
- %WINDIR%\copy.bat
- %PROGRAM_FILES%\userpic\qr.VBE
- %PROGRAM_FILES%\userpic\qr.TXT
- %TEMP%\~DFEB66.tmp
- %PROGRAM_FILES%\userpic\qr.VBE
- %WINDIR%\qr.txt
- %TEMP%\~DF1B07.tmp
- %PROGRAM_FILES%\userpic\qr.TXT
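- '16###.pqpq.net':80 (the '#' characters appear to be masking, not part of the hostname)
- 'cn####5.chinaw3.com':80 (the '#' characters appear to be masking, not part of the hostname)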
- 'localhost':1036
- 'localhost':1038
- 16###.pqpq.net/soft/001.jpg
- DNS query: cn####5.chinaw3.com
- DNS query: 16###.pqpq.net