PUA.AdKill!


PUA.AdKill! also known as Riskware.Win32.SBYinYing.ebdviy, Adwareare.Adkill.Gen!c, PUA.InfoAxe.

Malware Analysis of PUA.AdKill! – LYCORE.DLL

Created files:

%Program Files%\RMSoft\luyou\libeay32.dll
%Program Files%\RMSoft\luyou\luyou.exe
%Program Files%\RMSoft\luyou\lycore.dll
%Program Files%\RMSoft\luyou\lycore.ini
%Program Files%\RMSoft\luyou\lycore64.dll

Autostart registry keys:

HKLM\Software\Classes\CLSID\{085CB97F-6D0B-487D-B94C-E11A736C38CE}\InprocServer32\: "%Program Files%\IQIYI Video\LStyle\QYPlugin.dll"
HKLM\Software\Classes\CLSID\{307B3CDB-9EE3-4137-9D18-F9AD6537ECEB}\InprocServer32\: "%Program Files%\IQIYI Video\LStyle\Accelerator\IEHelper.dll"
HKLM\Software\Classes\CLSID\{34B3C588-D06C-4F92-929C-2C3A0BC7F821}\InprocServer32\: "%Program Files%\LuDaShi\ComputerZ7.dll"
HKLM\Software\Classes\CLSID\{5E6A8DA1-5731-465B-B036-B9E16EF26CAC}\InprocServer32\: "%Program Files%\IQIYI Video\LStyle\QYPlugin.dll"
HKLM\Software\Classes\CLSID\{7FFC32EE-E81A-4E1C-8C98-E2E6F94F0A92}\InProcServer32\: "%Program Files%\JisuCopy\TunBase.dll"
HKLM\Software\Classes\CLSID\{AE3D5C7A-413F-4CDB-9331-0E1894637310}\InprocServer32\: "C:\DOCUME~1\ADMINI~1\APPLIC~1\Baidu\BDWEBA~1\30359~1.0\BDEXIE.dll"
HKLM\Software\Classes\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\Shell\Open\Command\: "%Program Files%\IQIYI Video\LStyle\QyClient.exe web_startup_tray"
HKLM\Software\Classes\CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}\InProcServer32\: "shdocvw.dll"
HKLM\Software\Classes\CLSID\{D64016F6-4D8E-4B35-AB22-9B2060800112}\InprocServer32\: "%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\BaiducnAx.dll"
HKLM\Software\Classes\CLSID\{FB4F6285-4C32-49F2-950F-A5998F9CEC6C}\InprocServer32\: "%Program Files%\IQIYI Video\LStyle\Accelerator\IEHelper.dll"
HKLM\Software\Classes\BaiduImeDictFile\Shell\Open\Command\: "%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\cellinst.exe "%1""
HKLM\Software\Classes\BaiduImeSkinFile\Shell\Open\Command\: "%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\skininst.exe "%1""
HKLM\Software\Classes\magnet2\shell\open\command\: ""%Program Files%\IQIYI Video\LStyle\QyClient.exe" -ppstream "%1""
HKLM\Software\Classes\pps\shell\open\command\: ""%Program Files%\IQIYI Video\LStyle\QyClient.exe" -ppstream "%1""
HKLM\Software\Classes\ppsrun\shell\open\command\: ""%Program Files%\IQIYI Video\LStyle\QyClient.exe" -ppstream "%1""
HKLM\Software\Classes\ppstream\shell\open\command\: ""%Program Files%\IQIYI Video\LStyle\QyClient.exe" -ppstream "%1""
HKLM\Software\Classes\pps_pfv\shell\open\command\: ""%Program Files%\IQIYI Video\LStyle\QyClient.exe" -runfrom openfile "%1""
HKLM\Software\Classes\pps_qsv\shell\open\command\: ""%Program Files%\IQIYI Video\LStyle\QyClient.exe" -runfrom openfile "%1""
HKLM\Software\Classes\qips\shell\open\command\: ""%Program Files%\IQIYI Video\LStyle\QyClient.exe" -ppstream "%1""
HKLM\Software\Classes\qisu\shell\open\command\: ""%Program Files%\IQIYI Video\LStyle\QyClient.exe" -ppstream "%1""
HKLM\Software\Classes\qygameclient\shell\open\command\: ""%Program Files%\IQIYI Video\Common\QyGameClient\QyGameClient.exe" -qygameclient "%1""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BaiduPinyin: ""%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\baidupinyin.exe" –autorun"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BaiduPinyin\UninstallString: ""%Program Files%\Baidu\BaiduPinyin\3.3.2.1028\Uninst.exe""
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\BaiduPinyin\DisplayName: "?????"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Ludashi_is1\DisplayName: "???"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Ludashi_is1\UninstallString: "%Program Files%\LuDaShi\uninst.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP\DisplayName: "????WiFi"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MaohaAP\UninstallString: "%Program Files%\Maoha\MaohaAP\Uninstall.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream\DisplayName: "???PPS"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPStream\UninstallString: "%Program Files%\IQIYI Video\LStyle\QyUninst.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{FE3175D3-A1BE-4FAF-B03A-6FA445118D02}_is1\UninstallString: ""%Program Files%\RMSoft\luyou\unins000.exe""
HKLM\Software\QiYi\QiSu\DisplayName: "???4.0"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804\Ime File: "BAIDUCN.IME"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804\Layout Text: "??(??) – ?????"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804\Layout File: "kbdus.dll"
HKLM\System\CurrentControlSet\Control\Keyboard Layouts\E0200804\Layout Display Name: "@%SystemRoot%\system32\baiducn.ime,-112"
HKLM\System\CurrentControlSet\Services\Bonjour Service\ImagePath: "%Program Files%\IQIYI Video\LStyle\mDNSResponder.exe"
HKLM\System\CurrentControlSet\Services\Bonjour Service\DisplayName: "Bonjour Service"
HKLM\System\CurrentControlSet\Services\ComputerZ\ImagePath: "\??\%Program Files%\LuDaShi\ComputerZ.sys"
HKLM\System\CurrentControlSet\Services\ComputerZ\DisplayName: "ComputerZ"
HKLM\System\CurrentControlSet\Services\ComputerZLock\ImagePath: "\??\%Program Files%\LuDaShi\ComputerZLock.sys"
HKLM\System\CurrentControlSet\Services\ComputerZLock\DisplayName: "ComputerZLock"
HKLM\System\CurrentControlSet\Services\Dependes\ImagePath: "%Program Files%\JisuCopy\Dependes.exe"
HKLM\System\CurrentControlSet\Services\Dependes\DisplayName: "Dependes"
HKLM\System\CurrentControlSet\Services\MaohaWifiNetPro\ImagePath: "\??\%Program Files%\Maoha\MaohaAP\MaoHaWiFiNet.sys"
HKLM\System\CurrentControlSet\Services\MaohaWifiNetPro\DisplayName: "MaohaWifiNetPro"
HKLM\System\CurrentControlSet\Services\MaohaWifiSvr\ImagePath: "%Program Files%\Maoha\MaohaAP\MaohaWifiSvr.exe"
HKLM\System\CurrentControlSet\Services\MaohaWifiSvr\DisplayName: "MaohaWiFiService"
HKLM\System\CurrentControlSet\Services\PowerSaveZ\ImagePath: "\??\%Program Files%\LuDaShi\PowerSaveZ.sys"
HKLM\System\CurrentControlSet\Services\PowerSaveZ\DisplayName: "PowerSaveZ"
HKLM\System\CurrentControlSet\Services\QiyiService\ImagePath: "%Program Files%\IQIYI Video\LStyle\QiyiService.exe"
HKLM\System\CurrentControlSet\Services\QiyiService\DisplayName: "IQIYI Video Platform Service"
HKLM\System\CurrentControlSet\Services\Routerlib\ImagePath: "\??\%Program Files%\RMSoft\luyou\rmhelper.dll"
HKLM\System\CurrentControlSet\Services\Routerlib\DisplayName: "Router lib"
HKLM\System\CurrentControlSet\Services\RouterService\ImagePath: "%SystemRoot%\system32\svchost -k RouterService"
HKLM\System\CurrentControlSet\Services\RouterService\DisplayName: "Router Service"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\luyou: ""%Program Files%\RMSoft\luyou\luyou.exe" /start"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HCDNClient: ""%Program Files%\IQIYI Video\LStyle\QyKernel.exe" -shell_start"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ComputerZ-Tray: ""%Program Files%\LuDaShi\ComputerZTray.exe" /autorun"
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnityWebPlayer\UninstallString: "%Local Appdata%\Unity\WebPlayer\Uninstall.exe /CurrentUser"
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\UnityWebPlayer\DisplayName: "Unity Web Player"
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\kaola\DisplayName: "JisuCopy"
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\kaola\UninstallString: "%Program Files%\JisuCopy\uninst.exe"

Detected by UnHackMe:

LYCORE.DLL
Default location: %PROGRAM FILES%\RMSOFT\LUYOU\LYCORE.DLL

Dropper hash(md5): ad10cbc6d2d4c7ef4619c8ed1da43aa8

Written by Malware Hunter.
