a variant of Win32/Taobao.B potentially unwanted

Dmitry Sokolov recommends UnHackMe!

UnHackMe is a powerful tool against malware.

UnHackMe quickly removes rootkits/malware/adware/browser hijack issues!

: Solved! 5 Stars (5 / 5)

a variant of Win32/Taobao.B potentially unwanted also known as PUA.Taobao.

Malware Analysis of a variant of Win32/Taobao.B potentially unwanted – BROWSER_V5.6.14087.7_R_4644_(BUILD1607010949).EXE

Created files:

%Program Files%\UCBrowser\Application\wow_helper.exe
%TEMP%\AA.LNK
%TEMP%\BROWSER_V5.6.14087.7_R_4644_(BUILD1607010949).EXE
%TEMP%\SCOPED_DIR3148_7581\STATS_UPLOADER.EXE
%TEMP%\SETUP.EXE

Autostart registry keys:

HKLM\Software\Classes\UCHTML\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Classes\UCHTML.AssocFile.CRX\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Classes\UCHTML.AssocFile.HTM\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Classes\UCHTML.AssocFile.HTML\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Classes\UCHTML.AssocFile.MHT\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Classes\UCHTML.AssocFile.SHTM\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Classes\UCHTML.AssocFile.SHTML\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Classes\UCHTML.AssocFile.WEBP\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Classes\UCHTML.AssocFile.XHT\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Classes\UCHTML.AssocFile.XHTML\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe” — “%1″”
HKLM\Software\Clients\StartMenuInternet\UCBrowser\shell\open\command\: “”%Program Files%\UCBrowser\Application\UCBrowser.exe””
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\: “UC???”
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\StubPath: “”%Program Files%\UCBrowser\Application\5.6.14087.7\Installer\chrmstp.exe” –configure-user-settings –verbose-logging –system-level”
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\Localized Name: “UC???”
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\IsInstalled: 0x00000001
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\Version: “43,0,0,0”
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\apphide: “%Program Files%\badu\uc.exe”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser\DisplayName: “UC???”
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser\UninstallString: “”%Program Files%\UCBrowser\Application\Uninstall.exe” –uninstall –system-level”
HKLM\Software\UCBrowser\UninstallString: “%Program Files%\UCBrowser\Application\Uninstall.exe”

Detected by UnHackMe:

BROWSER_V5.6.14087.7_R_4644_(BUILD1607010949).EXE
DEFAULT LOCATION: %TEMP%\BROWSER_V5.6.14087.7_R_4644_(BUILD1607010949).EXE

Dropper hash(md5): 17d04ab16c0ecb16a54bafa58bb91077

Share This:

Written by 

Malware Hunter.

UnHackMe removes malware invisible for your antivirus!

Free Download

1
UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10. UnHackMe uses minimum of computer resources.

WordPress SEO fine-tune by Meta SEO Pack from Poradnik Webmastera