malicious_confidence_80% (W)


malicious_confidence_80% (W) also known as Trojan.Agent.rpi, Win.Trojan.Clicker-3867, BehavesLike.Win32.Tool.vc.

Malware Analysis of malicious_confidence_80% (W) – SETUP_CHEN02_.EXE

Created files:

%APPDATA%\MXBH\61984_61984\NDFQQSBV.EXE
%APPDATA%\MXBH\61984_61984\QQBROWSER_SETUP_89077.EXE
%APPDATA%\MXBH\61984_61984\SETUP_CHEN02_.EXE
%APPDATA%\MXBH\61984_61984\XCTG.EXE
%APPDATA%\MXBH\CONFIG.INI

Autostart registry keys:

HKLM\SOFTWARE\CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}\LOCALSERVER32\: ""%APPDATA%\360SE6\APPLICATION\360SE.EXE""
HKLM\Software\Classes\CLSID\{A981255C-6123-4487-B21A-9CF468EB3FC7}\InprocServer32\: "%Program Files%\Tencent\QQBrowser\9.3.7080.400\webp\WebpDecodeFilter.dll"
HKLM\SOFTWARE\CLASSES\CLSID\{AE3D5C7A-413F-4CDB-9331-0E1894637310}\INPROCSERVER32\: "%APPDATA%\BAIDU\BDWEBA~1\30359~1.0\BDEXIE.DLL"
HKLM\Software\Classes\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\: "%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"
HKLM\SOFTWARE\CLASSES\360SEURL\SHELL\OPEN\COMMAND\: ""%APPDATA%\360SE6\APPLICATION\360SE.EXE" -- "%1""
HKLM\Software\Classes\BaiduImeDictFile\Shell\Open\Command\: "%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe "%1""
HKLM\Software\Classes\BaiduImeSkinFile\Shell\Open\Command\: "%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe "%1""
HKLM\Software\Classes\QQBrowser.File\shell\open\command\: ""%Program Files%\Tencent\QQBrowser\QQBrowser.exe" -- "%1""
HKLM\Software\Classes\QQBrowser.Protocol\shell\open\command\: ""%Program Files%\Tencent\QQBrowser\QQBrowser.exe" -- "%1""
HKLM\Software\Classes\Tencent.QQBrowser.Default\.exe\shell\open\command\: ""%Program Files%\Tencent\QQBrowser\QQBrowser.exe" %*"
HKLM\Software\Classes\UCHTML\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\Software\Classes\UCHTML.AssocFile.CRX\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\Software\Classes\UCHTML.AssocFile.HTM\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\Software\Classes\UCHTML.AssocFile.HTML\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\Software\Classes\UCHTML.AssocFile.MHT\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\Software\Classes\UCHTML.AssocFile.SHTM\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\Software\Classes\UCHTML.AssocFile.SHTML\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\Software\Classes\UCHTML.AssocFile.WEBP\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\Software\Classes\UCHTML.AssocFile.XHT\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\Software\Classes\UCHTML.AssocFile.XHTML\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe" -- "%1""
HKLM\SOFTWARE\CLIENTS\STARTMENUINTERNET\360SE6\SHELL\OPEN\COMMAND\: ""%APPDATA%\360SE6\APPLICATION\360SE.EXE""
HKLM\Software\Clients\StartMenuInternet\UCBrowser\shell\open\command\: ""%Program Files%\UCBrowser\Application\UCBrowser.exe""
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\: "UC???"
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\StubPath: ""%Program Files%\UCBrowser\Application\5.7.14377.702\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level"
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\Localized Name: "UC???"
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\IsInstalled: 0x00000001
HKLM\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\Version: "43,0,0,0"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\mxbh: "%Program Files%\mxbh\mxbh.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin: ""%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe" --autorun"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\BaiduImeUtil: ""%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\imeutil.exe" --clean_old"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BaiduPinyin\UninstallString: "%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\uninst.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BaiduPinyin\DisplayName: "?????"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\mxbh\UninstallString: "%Program Files%\mxbh\UnInstall.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\mxbh\DisplayName: "????"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser\DisplayName: "QQ???"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser\UninstallString: "%Program Files%\Tencent\QQBrowser\uninst.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser\DisplayName: "UC???"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\UCBrowser\UninstallString: ""%Program Files%\UCBrowser\Application\Uninstall.exe" --uninstall --system-level"
HKLM\Software\UCBrowser\UninstallString: "%Program Files%\UCBrowser\Application\Uninstall.exe"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804\Ime File: "BAIDUCN.IME"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804\Layout Text: "??(??) - ?????"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804\Layout File: "kbdus.dll"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804\Layout Display Name: "@%SystemRoot%\system32\baiducn.ime,-112"
HKLM\System\CurrentControlSet\services\BaiduPinyinUpdater\ImagePath: ""%Program Files%\Baidu\BaiduPinyinUpdate\bdupdate.exe""
HKLM\System\CurrentControlSet\services\BaiduPinyinUpdater\DisplayName: "BaiduPinyin Updater"
HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TSQBDRV\IMAGEPATH: "\??\%SYSDIR%\DRIVERS\TSQBDRV.SYS"
HKLM\System\CurrentControlSet\services\TsQBDrv\DisplayName: "TsQBDrv"
HKLM\System\CurrentControlSet\services\TxQBService\ImagePath: ""%Program Files%\Tencent\QQBrowser\TsService.exe""
HKLM\System\CurrentControlSet\services\TxQBService\DisplayName: "TxQBService"
HKLM\System\CurrentControlSet\services\UCBrowserSvc\ImagePath: ""%Program Files%\UCBrowser\Application\UCService.exe""
HKLM\System\CurrentControlSet\services\UCBrowserSvc\DisplayName: "UC???????"
HKLM\System\CurrentControlSet\services\UCGuard\ImagePath: "system32\DRIVERS\ucguard.sys"
HKCU\Software\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9}\Version: "43,0,0,0"
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\kxbox\DisplayName: "?????"
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\kxbox\UninstallString: "%Program Files%\kxbox\uninst.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\360se6\DisplayName: "360?????"
HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\360SE6\UNINSTALLSTRING: ""%APPDATA%\360SE6\APPLICATION\8.1.1.152\INSTALLER\SETUP.EXE" --UNINSTALL"
HKCU\SOFTWARE\360\360SE6\UPDATE\CLIENTSTATE\{02E720BD-2B50-4404-947C-65DBE64F6970}\UNINSTALLSTRING: "%APPDATA%\360SE6\APPLICATION\8.1.1.152\INSTALLER\SETUP.EXE"
HKCU\Software\Tencent\QQBrowser\http\shell\open\command\: ""%Program Files%\Mozilla Firefox\firefox.exe" -osint -url "%1""

Detected by UnHackMe:

SETUP_CHEN02_.EXE
DEFAULT LOCATION: %APPDATA%\MXBH\61984_61984\SETUP_CHEN02_.EXE

Dropper hash (MD5): 49533c51670c227d56385ab59116b49a

Written by Malware Hunter.
