Trojan.KillProc.33953


Malware Analysis of Trojan.KillProc.33953 – QQPCMGR_V10.8.16208.227_71919_SILENCE.EXE

Created files:

%Temp%\nsm3.tmp\KVInstallHelper.dll
%Temp%\QQPCMgrInstall_20150506170842.Log
%Temp%\qqpcmgr_v10.8.16208.227_71919_Silence.exe
%Temp%\setup3.exe
%Temp%\Tencent\QQPCMgr\~5a947\UpdateTrayIcon.exe

Autostart registry keys:

HKLM\Software\Classes\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}\InprocServer32\: "%Program Files%\Baidu\BaiduSd\3.0.0.4605\BDShellExt.dll"
HKLM\Software\Classes\CLSID\{0C5C9741-79A4-4A5F-A9B3-9E686CFF879B}\InProcServer32\: "%Program Files%\Baidu\BaiduSd\3.0.0.4605\BDShellExt.dll"
HKLM\Software\Classes\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32\: "%Program Files%\Baidu\BaiduAn\4.0.0.5166\BDSWShellExt.dll"
HKLM\Software\Classes\CLSID\{15DEE173-1BE9-4424-81E0-58A87076E9B1}\InprocServer32\: "%Program Files%\Baidu\BaiduSd\3.0.0.4605\websafe\WebMonBHO.dll"
HKLM\Software\Classes\CLSID\{29B6CFD5-0064-411A-8C42-9890C83F9921}\InprocServer32\: "%Program Files%\Tencent\QQPCMgr\10.8.16208.227\npQMExtensionsIE.dll"
HKLM\Software\Classes\CLSID\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\InprocServer32\: "%Program Files%\Baidu\BaiduSd\3.0.0.4605\explugin\ieBaiduSDDetectPlug.dll"
HKLM\Software\Classes\CLSID\{4C097DF1-0716-4FA1-84A9-025BC1E7B03F}\LocalServer32\: ""%Program Files%\Tencent\QQPCMgr\10.8.16208.227\TAOFrame.exe""
HKLM\Software\Classes\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32\: "%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QMContextScan.dll"
HKLM\Software\Classes\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32\: "c:\program files\common files\baidu\bddownload\109\bdcomproxy.dll"
HKLM\Software\Classes\CLSID\{70DE12EA-79F4-46bc-9812-86DB50A2FD64}\LocalServer32\: ""c:\program files\common files\tencent\qqdownload\130\tencentdl.exe""
HKLM\Software\Classes\CLSID\{85E0B1AA-04FA-11D1-B7DA-00A0C90348D6}\InprocServer32\: "%Program Files%\Baidu\BaiduSd\3.0.0.4605\BDKVDeskBand.dll"
HKLM\Software\Classes\CLSID\{88260EA6-BC91-42DF-ABEF-4A683E8A3C23}\LocalServer32\: ""%Program Files%\Tencent\QQPCMgr\10.8.16208.227\TAOFrame.exe""
HKLM\Software\Classes\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32\: ""c:\program files\common files\baidu\bddownload\109\bddownloader.exe""
HKLM\Software\Classes\CLSID\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\InProcServer32\: "%Program Files%\Baidu\BaiduAn\4.0.0.5166\BDSWShellExt.dll"
HKLM\Software\Classes\CLSID\{B7667919-3765-4815-A66D-98A09BE662D6}\InprocServer32\: "%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QMGCShellExt.dll"
HKLM\Software\Classes\CLSID\{CBDECEF7-7A29-4cbf-A009-2673D82C7BF9}\InprocServer32\: "%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QMContextUninstall.dll"
HKLM\Software\Classes\CLSID\{D4801E96-E7A1-45F6-B124-7A36DFB40B81}\InProcServer32\: "%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QMContextUninstall.dll"
HKLM\Software\Classes\CLSID\{E52EB753-1F56-4DF7-BE53-2C314AC5F8A1}\InProcServer32\: "%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QMContextScan.dll"
HKLM\Software\Classes\CLSID\{EC0FA563-E0F2-406F-8659-1E728458A91E}\LocalServer32\: ""%Program Files%\Tencent\QQPCMgr\10.8.16208.227\TAOFrame.exe""
HKLM\Software\Classes\PCMgrRepairIEExtensions\Shell\Open\Command\: ""%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QQPCMgr.exe"%1 "
HKLM\Software\Classes\qmgcfiles\Shell\open\Command\: ""%Program Files%\Tencent\QQPCMgr\10.8.16208.227\\QMDeskTopGC.exe" /file="%1""
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1FA18F7974E099CDFFF18C3B9B1A1EE8\InstallProperties\UninstallString: "MsiExec.exe /I{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18E}"
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1FA18F7974E099CDFFF18C3B9B1A1EE8\InstallProperties\DisplayName: "Visual C++ 8.0 ATL (x86) WinSXS MSM"
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DA42BC89BF25F5BDFFF18C3B9B1A1EE8\InstallProperties\UninstallString: "MsiExec.exe /I{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}"
HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\DA42BC89BF25F5BDFFF18C3B9B1A1EE8\InstallProperties\DisplayName: "Visual C++ 8.0 CRT (x86) WinSXS MSM"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\baidusdTray: ""%Program Files%\Baidu\BaiduSd\3.0.0.4605\BaiduSdTray.exe" -stmd=3"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BaiduAnTray: ""%Program Files%\Baidu\BaiduAn\4.0.0.5166\BaiduAnTray.exe" -stmd=3"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ QQPCTray: ""%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QQPCTray.exe" /regrun"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18E}\UninstallString: "MsiExec.exe /I{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18E}"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18E}\DisplayName: "Visual C++ 8.0 ATL (x86) WinSXS MSM"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}\UninstallString: "MsiExec.exe /I{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}\DisplayName: "Visual C++ 8.0 CRT (x86) WinSXS MSM"
HKLM\System\CurrentControlSet\Services\BaiduHips\ImagePath: ""%Program Files Common%\Baidu\BaiduHips\1.2.0.751\BaiduHips.exe""
HKLM\System\CurrentControlSet\Services\BaiduHips\DisplayName: "BaiduHips"
HKLM\System\CurrentControlSet\Services\bd0001\ImagePath: "system32\DRIVERS\bd0001.sys"
HKLM\System\CurrentControlSet\Services\bd0001\DisplayName: "bd0001"
HKLM\System\CurrentControlSet\Services\bd0002\ImagePath: "system32\DRIVERS\bd0002.sys"
HKLM\System\CurrentControlSet\Services\bd0002\DisplayName: "bd0002"
HKLM\System\CurrentControlSet\Services\bd0003\ImagePath: "system32\DRIVERS\bd0003.sys"
HKLM\System\CurrentControlSet\Services\bd0003\DisplayName: "bd0003"
HKLM\System\CurrentControlSet\Services\BDArKit\ImagePath: "system32\DRIVERS\BDArKit.sys"
HKLM\System\CurrentControlSet\Services\BDArKit\DisplayName: "BDArKit"
HKLM\System\CurrentControlSet\Services\BDDefense\ImagePath: "\??\%SysDir%\drivers\BDDefense.sys"
HKLM\System\CurrentControlSet\Services\BDDefense\DisplayName: "BDDefense"
HKLM\System\CurrentControlSet\Services\BDEnhanceBoost\ImagePath: "system32\DRIVERS\BDEnhanceBoost.sys"
HKLM\System\CurrentControlSet\Services\BDEnhanceBoost\DisplayName: "BDEnhanceBoost"
HKLM\System\CurrentControlSet\Services\BDFileDefend\ImagePath: "system32\DRIVERS\BDFileDefend.sys"
HKLM\System\CurrentControlSet\Services\BDFileDefend\DisplayName: "BDFileDefend"
HKLM\System\CurrentControlSet\Services\BDKVRTP\ImagePath: ""%Program Files%\Baidu\BaiduSd\3.0.0.4605\BaiduSdSvc.exe" -r"
HKLM\System\CurrentControlSet\Services\BDKVRTP\DisplayName: "BDKVRTP Service"
HKLM\System\CurrentControlSet\Services\BDMNetMon\ImagePath: "system32\DRIVERS\BDMNetMon.sys"
HKLM\System\CurrentControlSet\Services\BDMNetMon\DisplayName: "BDMNetMon"
HKLM\System\CurrentControlSet\Services\BDMRTP\ImagePath: ""%Program Files%\Baidu\BaiduAn\4.0.0.5166\BaiduAnSvc.exe" -r"
HKLM\System\CurrentControlSet\Services\BDMRTP\DisplayName: "BDMRTP Service"
HKLM\System\CurrentControlSet\Services\BDMWrench\ImagePath: "system32\DRIVERS\BDMWrench.sys"
HKLM\System\CurrentControlSet\Services\BDMWrench\DisplayName: "BDMWrench"
HKLM\System\CurrentControlSet\Services\BdSandBox\ImagePath: "system32\DRIVERS\BdSandBox.sys"
HKLM\System\CurrentControlSet\Services\BdSandBox\DisplayName: "BdSandBox"
HKLM\System\CurrentControlSet\Services\QMIEProtect\ImagePath: "\??\%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QMIEProtect.sys"
HKLM\System\CurrentControlSet\Services\QMIEProtect\DisplayName: "QMIEProtect"
HKLM\System\CurrentControlSet\Services\QMUdisk\ImagePath: "\??\%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QMUdisk.sys"
HKLM\System\CurrentControlSet\Services\QMUdisk\DisplayName: "tencent QMUdisk"
HKLM\System\CurrentControlSet\Services\QQPCRTP\ImagePath: ""%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QQPCRtp.exe" -r"
HKLM\System\CurrentControlSet\Services\QQPCRTP\DisplayName: "QQPCMgr RTP Service"
HKLM\System\CurrentControlSet\Services\QQSysMon\ImagePath: "\??\%Program Files%\Tencent\QQPCMgr\10.8.16208.227\QQSysMon.sys"
HKLM\System\CurrentControlSet\Services\QQSysMon\DisplayName: "QQSysMon"
HKLM\System\CurrentControlSet\Services\TAOFrame\ImagePath: ""%Program Files%\Tencent\QQPCMgr\10.8.16208.227\TAOFrame.exe""
HKLM\System\CurrentControlSet\Services\TAOFrame\DisplayName: "TAOFrame"
HKLM\System\CurrentControlSet\Services\TAOKernelDriver\ImagePath: "\??\%SysDir%\drivers\TAOKernelXP.sys"
HKLM\System\CurrentControlSet\Services\TAOKernelDriver\DisplayName: "Tencent Auto Optimize Platform."
HKLM\System\CurrentControlSet\Services\TFsFlt\ImagePath: "system32\Drivers\TFsFlt.sys"
HKLM\System\CurrentControlSet\Services\TFsFlt\DisplayName: "TFsFlt"
HKLM\System\CurrentControlSet\Services\TSDefenseBt\DisplayName: "TSDefenseBt"
HKLM\System\CurrentControlSet\Services\TSDefenseBt\ImagePath: "system32\DRIVERS\TSDefenseBt.sys"
HKLM\System\CurrentControlSet\Services\TsFltMgr\ImagePath: "system32\drivers\TsFltMgr.sys"
HKLM\System\CurrentControlSet\Services\TsFltMgr\DisplayName: "tencent TsFltMgr"
HKLM\System\CurrentControlSet\Services\TSKSP\ImagePath: "\??\%Program Files%\Tencent\QQPCMgr\10.8.16208.227\TSKsp.sys"
HKLM\System\CurrentControlSet\Services\TSKSP\DisplayName: "TSKsp"
HKLM\System\CurrentControlSet\Services\TSSK\ImagePath: "System32\tssk.sys"
HKLM\System\CurrentControlSet\Services\TSSK\DisplayName: "TSSK"
HKLM\System\CurrentControlSet\Services\TSSysKit\ImagePath: "\??\%Program Files%\Tencent\QQPCMgr\10.8.16208.227\TSSysKit.sys"
HKLM\System\CurrentControlSet\Services\TSSysKit\DisplayName: "TSSysKit"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\apphide: "%Program Files%\baidu\baidu.exe"

Detected by UnHackMe:

QQPCMGR_V10.8.16208.227_71919_SILENCE.EXE
Default location: %TEMP%\QQPCMGR_V10.8.16208.227_71919_SILENCE.EXE

Dropper hash (MD5): ba669fe3e656d71c07db8c7c06ab9cdf

Written by Malware Hunter.
