Features:
1. After notepad.exe is run, a randomly named folder, 935F0D, is created under %SYSTEMROOT%\system32 and C:\WINDOWS\system32\935F0D\96B69A.EXE is dropped into it.
2. In %USERPROFILE%\Start Menu\Programs\Startup, a shortcut is created that has a folder icon and a file name consisting of a space, pointing to c:\windows\system32\935f0d\96b69a.exe
3. A startup entry is added under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, pointing to c:\windows\system32\935f0d\96b69a.exe
4. Downloads the virus token
5. Accesses two web pages:
http://hidatabase.cn/ul.htm
http://hidatabase.cn/ol.htm
Both are strange web page files.
Delete it with IceSword.
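A check for the persistence described in features 1 to 3, written as an added example (not part of the original note). It assumes the random folder and file names are always six hexadecimal characters, as in the one sample above. The Run value names and Startup entries are constructed sample data standing in for an export from the host.

```python
import re

# Assumption: random names are six hex characters, as in 935F0D\96B69A.EXE.
DROPPED_EXE = re.compile(
    r"(?:%systemroot%|[a-z]:\\windows)\\system32\\[0-9a-f]{6}\\[0-9a-f]{6}\.exe\b",
    re.IGNORECASE,
)

def blank_name(shortcut_path):
    """True if the .lnk file name is empty or whitespace once the extension is removed."""
    name = shortcut_path.rsplit("\\", 1)[-1]
    return name.lower().endswith(".lnk") and name[:-4].strip() == ""

def scan(run_values, startup_shortcuts):
    """run_values: {value name: command line}; startup_shortcuts: {.lnk path: target}."""
    findings = []
    for name, command in run_values.items():
        if DROPPED_EXE.search(command):
            findings.append(("run-key", name, command))
    for lnk, target in startup_shortcuts.items():
        reasons = []
        if blank_name(lnk):
            reasons.append("blank-name")
        if DROPPED_EXE.search(target):
            reasons.append("target")
        if reasons:
            findings.append(("startup-lnk", lnk, "+".join(reasons)))
    return findings

# Constructed sample data: one benign and one matching entry per location.
STARTUP = r"C:\Documents and Settings\user\Start Menu\Programs\Startup"
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "constructed_entry": r"c:\windows\system32\935f0d\96b69a.exe",
}
SAMPLE_STARTUP = {
    STARTUP + r"\Office.lnk": r"C:\Program Files\Office\osa.exe",
    STARTUP + "\\ .lnk": r"c:\windows\system32\935f0d\96b69a.exe",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_RUN, SAMPLE_STARTUP):
        print(finding)
```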