Backdoor.Win32.Caphaw_QKKBAL_b8a371a478
Gen:Variant.Graftor.416620 (BitDefender), Trojan-Downloader.JS.ChPlug.b (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), DLOADER.Trojan (DrWeb), Gen:Variant.Graftor.416620 (B) (Emsisoft), Artemis!B8A371A4783C (McAfee), Trojan.Gen.2 (Symantec), Trojan.Win32.Idsohtu (Ikarus), Win32:GenMaliciousA-LWV [Trj] (AVG), Win32:GenMaliciousA-LWV [Trj] (Avast), TROJ_GEN.R002C0RAQ18 (TrendMicro), Trojan.Win32.BHO.FD, Trojan.Win32.Swrort.3.FD, BackdoorCaphaw_QKKBAL.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor
This description was automatically generated by Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: b8a371a4783c5d6be859c52e8d4404f6
SHA1: f8bb150c539496e4c88b18a096b60514625b26fe
SHA256: 3128b13f5a9827bbbb3e82ff5afbb3edb4f80f51c2f8e4e7b5cde21f805e938e
SSDeep: 24576:o4f2sQl8e2DFk Fn0NrWn7sSaBLU5KXN9:oaQHRsqUoFQ5KXN
Size: 920064 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2018-01-23 10:33:11
Analyzed on: Windows7 SP1 32-bit
Summary:
Backdoor. Malware that enables remote control of the victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
No processes have been created.
The Backdoor injects its code into the following process(es):
%original file name%.exe:4000
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:4000 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dseb[1].dat (46 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (1837 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\gajp[1].dat (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mtbill[1].dat (1069 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ghfot[1].dat (1243 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\upopup[1].dat (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\psip[1].dat (48 bytes)
C:\Windows\System32\psip.dat (48 bytes)
C:\Windows\System32\PSvr.ini (118 bytes)
C:\Windows\System32\psip.ini (53 bytes)
C:\Windows\System32\mulone1.ini (192 bytes)
C:\Windows\System32\gajp.dat (54 bytes)
C:\Windows\System32\ghfot.dat (1 bytes)
C:\Windows\System32\dseb.dat (46 bytes)
C:\Windows\System32\prefer (27 bytes)
C:\$Directory (2304 bytes)
C:\Windows\System32\mulone1.dat (139 bytes)
C:\Windows\Procnt2.sys (37 bytes)
C:\Windows\System32\PSvr.dat (107 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4334 bytes)
C:\Windows\System32\upopup.dat (4 bytes)
C:\Windows\System32\ghfot.ini (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\mulone1[1].dat (139 bytes)
C:\Windows\System32\dseb.ini (50 bytes)
C:\Windows\System32\mtbill.dat (1 bytes)
C:\Windows\System32\config\SYSTEM (4002 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\PSvr[1].dat (107 bytes)
C:\Windows\System32\gajp.ini (50 bytes)
C:\Windows\System32\mulone2.ini (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mulone2[1].dat (126 bytes)
C:\Windows\System32\mulone2.dat (126 bytes)
C:\Windows\System32\mtbill.ini (2 bytes)
The Backdoor deletes the following file(s):
C:\Windows\System32\dseb.ini (0 bytes)
C:\Windows\Procnt2.sys (0 bytes)
C:\Windows\System32\mulone2.ini (0 bytes)
C:\Windows\System32\psip.ini (0 bytes)
C:\Windows\System32\gajp.ini (0 bytes)
C:\Windows\System32\PSvr.ini (0 bytes)
C:\Windows\System32\mulone1.ini (0 bytes)
C:\Windows\System32\upopup.ini (0 bytes)
C:\Windows\System32\ghfot.ini (0 bytes)
C:\Windows\System32\mtbill.ini (0 bytes)
Registry activity
The process %original file name%.exe:4000 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\Services\Procnt2\Security]
"Security" = "01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1609" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
[HKLM\System\CurrentControlSet\Services\Procnt2]
"Type" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page" = "Type: REG_SZ, Length: 0"
[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "Type: REG_SZ, Length: 0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\Services\Procnt2]
"DisplayName" = "Procnt2"
"ImagePath" = "\??\C:\Windows\Procnt2.sys"
"ErrorControl" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\b8a371a4783c5d6be859c52e8d4404f6_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
Automatic startup of the following service is disabled:
[HKLM\System\CurrentControlSet\Services\Procnt2]
"Start" = "3"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 1.1.5.3
Legal Copyright: Copyright (C) 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.5.3
File Description:
Comments: 2018-1-15 13:52:08
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
UPX0 | 4096 | 2187264 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
UPX1 | 2191360 | 917504 | 915456 | 5.54493 | 213bd6ffb12718da1baec4aec7af6c55 |
.rsrc | 3108864 | 4096 | 3584 | 2.78292 | 18f6405028d9c3614a2c2d4438c79036 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
URL | IP |
---|---|
hxxp://res.duduniu.cn/iprotectinit/bak/1/ghfot.dat | 60.217.234.17 |
hxxp://res.duduniu.cn/iprotectinit/bak/1/PSvr.dat | 60.217.234.17 |
hxxp://res.duduniu.cn/iprotectinit/bak/1/dseb.dat | 60.217.234.17 |
hxxp://res.duduniu.cn/iprotectinit/bak/1/gajp.dat | 60.217.234.17 |
hxxp://res.duduniu.cn/iprotectinit/bak/1/mulone1.dat | 60.217.234.17 |
hxxp://res.duduniu.cn/iprotectinit/bak/1/mulone2.dat | 60.217.234.17 |
hxxp://res.duduniu.cn/iprotectinit/bak/1/mtbill.dat | 60.217.234.17 |
hxxp://res.duduniu.cn/iprotectinit/bak/1/upopup.dat | 60.217.234.17 |
hxxp://res.duduniu.cn/iprotectinit/bak/1/psip.dat | 60.217.234.17 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY HTTP Request on Unusual Port Possibly Hostile
Traffic
The Backdoor connects to the servers at the following location(s):
Visual C CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
Global\{21896A5C-BAA6-4BF6-9399-F0987AEBB145}
%Program Files%\Windows Joumal\
udo.exe
svchost.exe
iexplore.exe
d.ini
CHROME
\Google\Chrome\User Data\Default\preferences
ChromeConfig.cpp
C:\Windows\System32\prefer
"startup_urls"
hXXp://
"startup_urls_migration_time"
"startup_urls": [ "
hXXp://113.106.48.74/new/interface/processInfo.jsp?domainId=%d&netBarId=%d&idCard=%s&processName=%s&qq=&startTime=%s&endTime=%s
d-d-d d:d:d
QQ.exe
Global\11B1387C-0BA2-4D05-9EF4-39E71850F4DE
Global\1096A7DC-F14E-4B7D-B922-F4BAFEC6E933
hXXp://113.106.48.74/new/interface/processInfo.jsp?domainId=%d&netBarId=%d&idCard=%s&processName=&qq=%s&startTime=%s&endTime=%s
%d%d%s%s
domainId=%d&netBarId=%d&IDNum=%s&a=%s
hXXp://info.dodonew.com/collect/interface/processLove.jsp
C:\Windows\System32\
FILTER%d
DESTURL%d
JSURL
UDOJUMPURL
media.52wba.com;
SLOT%d
C:\Windows\
SRC%d
SRCNOTHOST%d
LNKNAME%d
ICON%d
FOLDER%d
EXENAME%d
NSEXENAME
BaiduWeb
\Baidu\BaiduBrowser\7.6.504.3052\baidubrowser.exe
baie.exe
SRC%s%d
DEST%d
RAND%d
SPAN%d
KEEPTIME%d
2KEEPTIME%d
v.youku.com/v_show/*
valf.atm.youku.com/vf?*
OPEN%s
MINI%s
CTRLSHOW%d
CTRLSHOWTEST%d
PROC%d
PATH%d
OPEN%s%d
RANDNUM%d
ReportGame
TYPE%d
INJECT%d
TARGET%d
QMA.dll
QMASetup.exe
Config.cpp
EXCLUDE%d
REPLACECODE%d
SRCRAND%d
RANDPERCENT%d
FILENAME%d
FILEINFO%d
WNDNAME%d
CLASSNAME%d
FILEDESC%d
PROPERTY%d
SIGNNAME%d
SIGNMAIL%d
MINSIZE%d
MAXSIZE%d
URLPOPUP
http:\
DesktopShortCut.cpp
hXXps://
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\\.\DoFile
\\.\Procnt2
\\.\Procnt1
C:\Windows\newverlog.dat
-360se.exe
360chrome.exe
chrome.exe
baidubrowser.exe
liebao.exe
0.0.0.0
\\.\doRedir
\\.\LI0000012
BarClientView.exe
eyuscore.exe
EyooMenu.exe
ST_Desktop.exe
111YIYOU=--------------error exe
HintClient.exe
nxprun.exe
hxdrun.exe
MZDRunClient.exe
MZDClient.EXE
knbclient.exe
ebClnt.exe
nmenu_client.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SYSTEM\ControlSet001\Services\ebClnt.svc
SYSTEM\ControlSet002\Services\ebClnt.svc
%s\%s
\\.\%s
NTDLL.dll
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Ftp\UserChoice\
X-X-X-X-X-X
%d.%d.%d.%d
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/15.0.849.0 Safari/535.1
Content-Type: application/x-www-form-urlencoded
VVV.baidu.com
Global\0A80C80A-6BC6-4497-98D0-BD4EAADDF27C
hXXp://*
hXXps://*
Global\DC4C7E77-92AB-4ACE-B095-298C5FF4B27D
%d=%s
{WND-B868-43CC-A0A5-825EA574C4DD}
{CLASS-1400-4B06-90E7-7A283B1D3061}
ckurl.exe
C:\Windows\System32\ckurl.ini
C:\Windows\System32\ckurl.dat
OLEACC.DLL
InsertJs2Web.cpp
dsp:GetDspClickUrl begin
dsp:GetDspClickUrl error
hXXp://shuttable
gasc.dat
\mygasc.ini
d:\mtwork\
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/ghfot.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/PSvr.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/dseb.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/gajp.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/mulone1.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/mulone2.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/mtbill.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/upopup.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/psip.dat
LogicHelper.cpp
ghfot.ini
ghfot.dat
PSvr.ini
PSvr.dat
dseb.ini
dseb.dat
gajp.ini
gajp.dat
mulone1.ini
mulone1.dat
mulone2.ini
mulone2.dat
mtbill.ini
mtbill.dat
upopup.ini
upopup.dat
psip.ini
psip.dat
%s;%s
Global\5252FC07-911D-4A27-8FC1-840181A8F6DD
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ReportBusiness
ReportComputerInfo
Global\{B6701EE0-FD83-4862-B4E7-9E13C8882D86}
Global\{FB43A492-E501-4D86-9817-212F66686DA5}
hXXp://mp.api.duduniu.cn/mp/common/ReportNetbar/reportTipInfo?domainId=%d&netbarId=%d&tipsId=%d&type=click&terminal=%s
%d%s%d
hXXp://dp.adhei.com:8888/?opt=put&mq=dp_wca_plugins&data=gid=%d&mac=%s&pcname=%s&bootid=%s&opt_type=1&opt_status=1001&key_words=&key_words_match=&browser_info=%s&os_info=%s&plugin_version=1.0.1.0&time_stamp=%d
Filter.dll
AddUrlPopup
LockUrlJump
Wcwpcap.dll
WcwPacket.dll
npptools.dll
wcw.sys
\StringFileInfo\XX\
ddd
CheckFile.exe
DspDriver.exe
DtiDriver.exe
iprotect.exe
iprot.exe
UDO.exe
hXXp://mp.api.duduniu.cn/mp/
%d*%d|%d*%d
domain=%d&netid=%d&pname=%s&sysver=%s&game=%s
&a0=%s&a1=%s&a2=%s&a3=%s&a4=%s&a5=%s&a6=%s&a7=%s&a8=%s
&a9=%s&a10=%s&a11=%s&a12=%s&a13=%s
Result_Baidu.jsp
?domain=%d&netid=%d&tn=%s&ip=%s
&a0=%s&a1=%s&a2=%s&a3=%s&a4=%s&a5=%s
Result_HomePage.jsp
?domain=%d&netid=%d&home=%s
Result_Shortcut.jsp
domain=%d&netid=%d
&a%d=%s
&a%d=
Global\A7490CA7-93EF-442f-9497-DCCEDA4FBF3E
Result_ShortcutExe.jsp
?domain=%d&netid=%d
&a0=%s&a1=%s&a2=%s&a3=%s&a4=%s&a5=%s&a6=%s&a7=%s
Global\B41870E2-0237-4210-AF73-5B8C6E98A545
C:\Windows\SysWOW64\
CWatchExe2
CheckUDO.exe
Global\632F17C9-DCC0-40da-AAFA-22EE1D24A538
632F17C9-DCC0-40da-AAFA-22EE1D24A538
Global\18D28D76-FE53-5ED3-327D-46348C661039
18D28D76-FE53-5ED3-327D-46348C661039
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
checkudo.exe
DoFile.sys
winlogon.exe
C:\Windows\mysavepro2.dat
C:\Windows\syswow64\
.dsunke
RegNotify.cpp
hXXp://mp.api.duduniu.cn/mp/common/ReportNetbar/reportBrower?domainId=%d&netBarId=%d&syncsize=100&brower=%s
hXXp://mp.api.duduniu.cn/mp/report/NetbarMachine/doReport?domainId=%d&netBarId=%d&terminal=%s&a1=%s&a2=%s&a3=&a4=&a5=&a6=&syncsize=100
%d%d%s
hXXp://mp.api.duduniu.cn/mp/gameReport2?netBarId=%d&domainId=%d&gameName=%s&pcName=%s&checkCode=%s&games=%s&qq=%s&idCard=%s
\images\system.img -data
\images\userdata.img -ramdisk
\images\ramdisk.img -kernel
\adb.exe
shell input keyevent 82
shell am start -n com.example.webdemo/com.example.webdemo.MainActivity
SOFTWARE\360\360se6\Chrome
SOFTWARE\360Chrome\chrome
Windows
360se.exe
hXXp://mp.api.duduniu.cn/mp/common/ReportNetbar/reportGameTt?domainId=%d&netBarId=%d&games=%s&gameName=%s&pcName=%s&idCard=%s&qq=%s&syncsize=100
CryptQueryObject failed with %x
CryptMsgGetParam failed with %x
CertFindCertificateInStore failed with %x
Signer Certificate:
CertGetNameString failed.
Subject Name: %s
C:\log.txt
39859E00-A5FB-4a88-AC5A-16A9424A0520
SogouWatch.cpp
bgopie.exe
ntdll.dll
D:\MTWork\
\SogouWatch\Release\SogouWatch.pdb
.?AVCWatchExeHelp@@
.?AVCBaiduWeb@@
.?AVChromeConfig@@
.?AVHttpSocketDemo@@
.?AVCIEWebBase@@
.?AVInsertJs2Web@@
.?AVCWatchExe2@@
.?AVCReportBusiness@@
.?AVCReportComputerInfo@@
.?AVCReportGame@@
.?AVCSetWebIEVersion@@
.?AVCWaitQQLogin@@
c:\%original file name%.exe
192.168.11.134
00239999
c:\windows\
"alternate_urls": [ "{google:baseURL}#q={searchTerms}", "{google:baseURL}search#q={searchTerms}", "{google:baseURL}webhp#q={searchTerms}" ],
"icon_url": "hXXp://VVV.google.com/favicon.ico",
"image_url": "{google:baseURL}searchbyimage/upload",
"image_url_post_params": "encoded_image={google:imageThumbnail},image_url={google:imageURL},sbisrc={google:imageSearchSource},original_width={google:imageOriginalWidth},original_height={google:imageOriginalHeight}",
"instant_url": "{google:baseURL}webhp?sourceid=chrome-instant&{google:RLZ}{google:forceInstantResults}{google:instantExtendedEnabledParameter}{google:ntpIsThemedParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}",
"instant_url_post_params": "",
"keyword": "google.com",
"new_tab_url": "{google:baseURL}_/chrome/newtab?{google:RLZ}{google:instantExtendedEnabledParameter}{google:ntpIsThemedParameter}ie={inputEncoding}",
"search_terms_replacement_key": "espv",
"search_url": "{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}",
"search_url_post_params": "",
"suggest_url": "{google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter}",
"suggest_url_post_params": ""
"host_referral_list": [ 2, [ "hXXp://VVV.hao123.com/", [ "hXXp://img1.hao123.com/", 1.4768250359221144, "hXXp://img2.hao123.com/", 2.832696840169498, "hXXp://nsclick.baidu.com/", 1.4768250359221144, "hXXp://passport.baidu.com/", 1.4768250359221144, "hXXp://s0.hao123img.com/", 16.60321943202129, "hXXp://s1.hao123img.com/", 13.679671274148566, "hXXp://VVV.hao123.com/", 12.32379946990118 ] ] ],
"startup_list": [ 1, "hXXp://img1.hao123.com/", "hXXp://img2.hao123.com/", "hXXp://nsclick.baidu.com/", "hXXp://passport.baidu.com/", "hXXp://s0.hao123img.com/", "hXXp://s1.hao123img.com/", "hXXp://VVV.hao123.com/" ]
"chrome_url_overrides": {
"bookmarks": [ "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno/main.html" ]
"last_chrome_version": "34.0.1847.131",
"api": [ "management", "webstorePrivate" ],
"from_webstore": false,
"web_url": "hXXps://chrome.google.com/webstore"
"urls": [ "hXXps://chrome.google.com/webstore" ]
"description": "Chrome Web Store",
"128": "webstore_icon_128.png",
"16": "webstore_icon_16.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtl3tO0osjuzRsf6xtD2SKxPlTfuoy7AWoObysitBPvH5fE1NaAA1/2JkPWkVDhdLBWLaIBPYeXbzlHp3y4Vv/4XG aN5qFE3z 1RU/NqkzVYHtIpVScf3DjTYtKVL66mzVGijSoAIwbFCC3LpGdaoe6Q1rSRDp76wR6jjFzsYwQIDAQAB",
"permissions": [ "webstorePrivate", "management" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\web_store",
"explicit_host": [ "chrome://favicon/*", "chrome://resources/*" ],
"initial_keybindings_set": true,
"chrome_url_overrides": {
"bookmarks": "main.html"
"content_security_policy": "object-src 'none'; script-src chrome://resources 'self'",
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQcByy eN9jzazWF/DPn7NW47sW7lgmpk6eKc0BQM18q8hvEM3zNm2n7HkJv/R6fU X5mtqkDuKvq5skF6qqUF4oEyaleWDFhd1xFwV7JV /DU7bZ00w2 6gzqsabkerFpoP33ZRIw7OviJenP0c0uWqDWF8EGSyMhB3txqhOtiQIDAQAB",
"permissions": [ "bookmarks", "bookmarkManagerPrivate", "metricsPrivate", "systemPrivate", "tabs", "chrome://favicon/", "chrome://resources/" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\bookmark_manager",
"scriptable_host": [ "hXXp://*/*" ]
"path": "C:\\Program Files\\Chromes\\ChromePuls",
"explicit_host": [ "chrome://settings-frame/*" ],
"events": [ "app.runtime.onLaunched" ],
"scripts": [ "settings_app.js" ]
"128": "settings_app_icon_128.png",
"16": "settings_app_icon_16.png",
"32": "settings_app_icon_32.png",
"48": "settings_app_icon_48.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoVDPGX6fvKPVVgc gnkYlGqHuuapgFDyKhsy4z7UzRLO/95zXPv8h8e5EacqbAQJLUbP6DERH5jowyNEYVxq9GJyntJMwP1ejvoz/52hnY3CCGGCmttmKzzpp5zwLuq3iZf8bslwywfflNUYtaCFSDa0TtrBZz0aOPrAAd/AhNwIDAQAB",
"permissions": [ "chrome://settings-frame/" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\settings_app",
"explicit_host": [ "chrome://resources/*" ],
"events": [ "feedbackPrivate.onFeedbackRequested" ],
"scripts": [ "js/event_handler.js" ]
"content_security_policy": "default-src 'none'; script-src 'self' chrome://resources; style-src 'unsafe-inline' *; img-src *; media-src 'self'"
"32": "images/icon32.png",
"64": "images/icon64.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMZElzFX2J1g1nRQ/8S3rg/1CjFyDltWOxQg 9M8aVgNVxbutEWFQz oQzIP9BB67mJifULgiv12ToFKsae4NpEUR8sPZjiKDIHumc6pUdixOm8SJ5Rs16SMR6 VYxFUjlVW 5CA3IILptmNBxgpfyqoK0qRpBDIhGk1KDEZ4zqQIDAQAB",
"permissions": [ "feedbackPrivate", "chrome://resources/" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\feedback",
"api": [ "cloudPrintPrivate" ],
"web_url": "hXXps://VVV.google.com/cloudprint"
"urls": [ "hXXps://VVV.google.com/cloudprint/enable_chrome_connector" ]
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqOhnwk4 HXVfGyaNsAQdU/js1Na56diW08oF1MhZiwzSnJsEaeuMN9od9q9N4ZdK3o1xXOSARrYdE syV7Dl31nf6qz3A6K D5NHe6sSB9yvYlIiN37jdWdrfxxE0pRYEVYZNTe3bzq3NkcYJlOdt1UPcpJB isXpAGUKUvt7EQIDAQAB",
"permissions": [ "cloudPrintPrivate" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\cloud_print",
"web_url": "hXXp://THIS-WILL-BE-REPLACED"
"description": "Chrome as an app",
"128": "product_logo_128.png",
"16": "product_logo_16.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNuYLEQ1QPMcc5HfWI/9jiEf6FdJWqEtgRmIeI7qtjPLBM5oje Ny2E2mTAhou5qdJiO2CHWdU1DQXY2F7Zu2gZaKZgHLfK4WimHxUT5Xd9/aro/R9PCzjguM1BLusiWYc9xlj1IsZpyiN1hcjU7SCnBhv1feQlv2WSB5KRiXwhQIDAQAB",
"name": "Chrome",
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\chrome_app",
"explicit_host": [ "hXXps://VVV.google.com/*" ],
"events": [ "ttsEngine.onPause", "ttsEngine.onResume", "ttsEngine.onSpeak", "ttsEngine.onStop" ],
"scripts": [ "tts_extension.js" ]
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8GSbNUMGygqQTNDMFGIjZNcwXsHLzkNkHjWbuY37PbNdSDZ4VqlVjzbWqODSe MjELdv5Keb51IdytnoGYXBMyqKmWpUrg RnKvQ5ibWr4MW9pyIceOIdp9GrzC1WZGgTmZismYR3AjaIpufZ7xDdQQv XrghPWCkdVqLN qZDA1HU DURznkMICiDDSH2sU0egm9UbWfS218bZqzKeQDiC3OnTPlaxcbJtKUuupIm5knjze3Wo9Ae9poTDMzKgchg0VlFCv3uqox wlD8sjXBoyBCCK9HpImdVAF1a7jpdgiUHpPeV/26oYzM9/grltwNR3bzECQgSpyXp0eyoegwIDAQAB",
"permissions": [ "systemPrivate", "ttsEngine", "hXXps://VVV.google.com/" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\network_speech_synthesis",
"api": [ "alarms", "desktopCapture", "webConnectable", "webrtcAudioPrivate", "webrtcLoggingPrivate", "system.cpu" ],
"page": "background.html",
"matches": [ "hXXps://*.google.com/hangouts*", "*://localhost/*" ]
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAQt2ZDdPfoSe/JI6ID5bgLHRCnCu9T36aYczmhw/tnv6QZB2I6WnOCMZXJZlRdqWc7w9jo4BWhYS50Vb4weMfh/I0On7VcRwJUgfAxW2cHB EkmtI1v4v/OU24OqIa1Nmv9uRVeX0GjhQukdLNhAE6ACWooaf5kqKlCeK 1GOkQIDAQAB",
"permissions": [ "alarms", "desktopCapture", "system.cpu", "webrtcAudioPrivate", "webrtcLoggingPrivate" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\hangout_services",
"api": [ "identity", "webRequestInternal", "webview" ],
"explicit_host": [ "hXXps://checkout.google.com/*", "hXXps://sandbox.google.com/*", "hXXps://VVV.google.com/*", "hXXps://VVV.googleapis.com/*" ],
"from_webstore": true,
"scripts": [ "craw_background.js" ]
"128": "images/icon_128.png",
"16": "images/icon_16.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrKfMnLqViEyokd1wk57FxJtW2XXpGXzIHBzv9vQI/01UsuP0IV5/lj0wx7zJ/xcibUgDeIxobvv9XD zO1MdjMWuqJFcKuSS4Suqkje6u pMrTSGOSHq1bmBVh0kpToN8YoJs/P/yrRd7FEtAXTaFTGxQL4C385MeXSjaQfiRiQIDAQAB",
"minimum_chrome_version": "29",
"client_id": "203784468217.apps.googleusercontent.com",
"scopes": [ "hXXps://VVV.googleapis.com/auth/sierra", "hXXps://VVV.googleapis.com/auth/sierrasandbox", "hXXps://VVV.googleapis.com/auth/chromewebstore", "hXXps://VVV.googleapis.com/auth/chromewebstore.readonly" ]
"permissions": [ "identity", "webview", "hXXps://checkout.google.com/", "hXXps://sandbox.google.com/checkout/", "hXXps://VVV.google.com/", "hXXps://VVV.googleapis.com/*" ],
"update_url": "hXXps://clients2.google.com/service/update2/crx",
"version": "0.0.6.1"
"path": "nmmhkkegccagdldgiimedpiccmgmieda\\0.0.6.1_0",
"http_server_properties": {
"clients2.google.com:443": {
"port": 443,
"4": 100
"supports_spdy": true
"clients2.googleusercontent.com:443": {
"created_by_version": "34.0.1847.131",
"startup_urls": [ "hXXp://VVV.hao123.com/?tn=99202075_hao_pg" ],
"startup_urls_migration_time": "13043309417314841"
ChromePuls/js/status.js
ChromePuls/js/status1.js
ChromePuls/
ChromePuls/js/
ChromePuls/manifest.json
khdnkkdpnikidnhfjcpgnenmjokpooob/1.0_0/js/status.js
khdnkkdpnikidnhfjcpgnenmjokpooob/1.0_0/js/status1.js
khdnkkdpnikidnhfjcpgnenmjokpooob/1.0_0/manifest.json
"last_chrome_version": "7.2.100.95",
"api": [ "management", "system.display", "system.storage", "webstorePrivate", "system.cpu", "system.memory", "system.network" ],
Google Chrome
"name": "Chrome
"permissions": [ "webstorePrivate", "management", "system.cpu", "system.display", "system.memory", "system.network", "system.storage" ],
"path": "C:\\Documents and Settings\\Administrator\\Application Data\\Baidu\\BaiduBrowser\\plugin\\extends\\{C060303D-ECBF-4D67-9B86-C48DC33EC8F0}\\7.2.100.95\\resources\\web_store",
"api": [ "contextMenus", "notifications", "tabs", "unlimitedStorage", "webNavigation", "webRequest", "webRequestBlocking", "bidu" ],
"explicit_host": [ "hXXp://*/*", "hXXps://*/*" ],
"scriptable_host": [ "hXXp://*/*", "hXXps://*/*" ]
"scripts": [ "lib/compat.js", "lib/info.js", "lib/io.js", "lib/adblockplus.js", "lib/punycode.js", "lib/publicSuffixList.js", "lib/basedomain.js", "lib/sha1.js", "lib/jsbn.js", "lib/rsa.js", "webrequest.js", "popupBlocker.js", "background.js", "bd.js" ]
"js": [ "include.preload.js" ],
"matches": [ "hXXp://*/*", "hXXps://*/*" ],
"js": [ "include.postload.js" ],
Chrome
"128": "icons/abp-128.png",
"16": "icons/abp-16.png",
"19": "icons/abp-19.png",
"32": "icons/abp-32.png",
"48": "icons/abp-48.png"
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxqwnot8LhWinlkXoH/2e 50iJ7o3fPByPlecnuCr5PvOekTGk9Zl7KZ07O9FIyRKR9X5CpQFyoydo2C7fTmjS1aEj5iNMA3VF02LSbR5uxVGToXHiEKOd8QbUyorM2RJQnxYXDts9lBcO3EIsiROu058IwMZRxyvgo6HJsCvozOoss6oqFVIpoC8ZWT8ppdkM5L2dX5inKeGFiZ0d8vMKcFQb2mLH3uFTR/qffl5eCD/ZuvrSIwf0vM2bycYViEKpyVphNBi65dyBHZ3eGABd24ZPbzHKlbv30DfT9YLiqYy76lv34B4jn8cCu1wxp2t4MatZtBTQS9Dk8OGPsMAKwIDAQAB",
"minimum_chrome_version": "18.0",
"options_page": "options.html",
"permissions": [ "bidu", "tabs", "hXXp://*/*", "hXXps://*/*", "contextMenus", "webRequest", "webRequestBlocking", "webNavigation", "unlimitedStorage", "notifications" ],
"version": "1.6.3"
"path": "fiomnmjeoicmfpndbdliigppeobhhmgp\\1.6.3_0",
"scriptable_host": [ "file:///*", "hXXp://*/*", "hXXps://*/*" ]
"scripts": [ "js/zepto.js", "js/base.js", "js/background.js" ]
"css": [ "css/content-script.css" ],
"js": [ "js/data-report.js", "js/content-script.js" ],
"matches": [ "hXXp://*/*", "hXXps://*/*", "file://*/*" ],
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LXnBOh0UC5AldSyEb3k9PaZjgjvHarLZUq7tzHWrjsHTymmaHa2XHzl6AHYNUeRt1LuNU4b8misgXLY 2TQTxPmo6TCrQ6KwGBSJujMPRP k0kSx1y70J0w4x2qvoFywt5lD8D EEcvLXTMsLo1sW7iwh5PPMlSz6kidr0ax66qWzGvcWS7JkFcC 7SBl wNy4x4x8t9rO0S4OwdJcluiWPOMm956AF2 iBYPNjGxbFPBYpx7i8IgUzeUtW3dwF17Vdb7LO8dB/4g1/C5OHvf5rTaw4qT0uqs9U4ZkbilWGtzmu3HNhMleK5v0Fa5DzJBi 0qK3RYhk/h6Phr0sSwIDAQAB",
"permissions": [ "hXXp://*/*", "hXXps://*/*", "clipboardWrite", "tabs", "bidu" ],
"version": "1.0.8",
"web_accessible_resources": [ "css/**/*.png" ]
"path": "jgecdcpcbljcijjgceonmpjopjmeelfp\\1.0.8_0",
"js": [ "js/status.js" ],
"matches": [ "hXXp://*/*" ]
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoMfRZ3sVk EOwoZKCp2q8O92qyQxIYnExTEmFq/39KIz65UWjFU3D 5kwFY1dOd/bBCJv0aDe8 V7AfT/Sd0o/HNKdnchrdNErONqO9tTPuESlyKpy5Q6xXGlPLaL6RASJzwffsMQ38m2vYrTcLgJRSWbsUdHYGO886erG6H0jIdR67YTZyL0WBQ7afnniRVmVOINSxR00vQIvPdA7YLFwZNS2NdU3MTblKQxVmMizl7KtQcbj210VzmQohl4EGZC8KQ31pkJ2PPx3Jsa1SMrZ6hwBF W0p DvwSLKhkSm8aTeTwZ32ipPvNc0xYylvet35tgxLiO9pOSmX6RoEMOQIDAQAB",
}, "webConnectable" ],
"explicit_host": [ "hXXps://VVV.gstatic.com/*" ],
"scripts": [ "util.js", "b64.js", "sha256.js", "countdown.js", "countdowntimer.js", "devicestatuscodes.js", "errorcodes.js", "gnubbycodetypes.js", "webrequest.js", "gnubbymsgtypes.js", "messagetypes.js", "factoryregistry.js", "closeable.js", "requesthelper.js", "enroller.js", "requestqueue.js", "signer.js", "origincheck.js", "textfetcher.js", "appid.js", "gstaticorigincheck.js", "gnubbydevice.js", "hidgnubbydevice.js", "usbgnubbydevice.js", "gnubbies.js", "gnubby.js", "gnubby-u2f.js", "gnubbyfactory.js", "singlesigner.js", "multiplesigner.js", "generichelper.js", "inherits.js", "devicefactoryregistry.js", "usbhelper.js", "usbenrollhandler.js", "usbsignhandler.js", "usbgnubbyfactory.js", "cryptotokenbackground.js" ]
"matches": [ "hXXps://accounts.google.com/*", "hXXps://security.google.com/*", "hXXps://login.corp.google.com/*" ]
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq7zRobvA AVlvNqkHSSVhh1sEWsHSqz4oR/XptkDe/Cz3 gW9ZGumZ20NCHjaac8j1iiesdigp8B1LJsd/2WWv2Dbnto4f8GrQ5MVphKyQ9WJHwejEHN2K4vzrTcwaXqv5BSTXwxlxS/mXCmXskTfryKTLuYrcHEWK8fCHb 0gvr8b/kvsi75A1aMmb6nUnFJvETmCkOCPNX5CHTdy634Ts/x0fLhRuPlahk63rdf7agxQv5viVjQFk tbgv6aa9kdSd11Js/RZ9yZjrFgHOBWgP4jTBqud4 HUglrzu8qynFipyNRLCZsaxhm NItTyNgesxLdxZcwOz56KD1Q4IQIDAQAB",
"permissions": [ "usb", "hid", "hXXps://VVV.gstatic.com/", {
"version": "0.8.59"
"path": "C:\\Documents and Settings\\Administrator\\Application Data\\Baidu\\BaiduBrowser\\plugin\\extends\\{C060303D-ECBF-4D67-9B86-C48DC33EC8F0}\\7.2.100.95\\resources\\cryptotoken",
"api": [ "alarms", "identity", "metricsPrivate", "notifications", "pushMessaging", "storage", "tabs", "webstorePrivate" ],
"explicit_host": [ "*://*.google.com/*", "*://*.gstatic.com/*", "hXXps://*.googleapis.com/*", "hXXps://*.googleusercontent.com/*" ],
"events": [ "alarms.onAlarm", "identity.onSignInChanged", "notifications.onButtonClicked", "notifications.onClicked", "notifications.onClosed", "notifications.onPermissionLevelChanged", "notifications.onShowSettings", "pushMessaging.onMessage", "runtime.onInstalled", "runtime.onStartup", "runtime.onSuspend", "storage.onChanged" ],
"scripts": [ "utility.js", "cards.js", "background.js" ]
"description": "Integrates Google Now into Chrome.",
"128": "images/icon128.png",
"16": "images/icon16.png",
"48": "images/icon48.png"
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkhqJr32OFD/bMXW4Md7jMfd7LbwHXVc6x5bBQG5U dloofoxrICDR20yur/40mQ8O//0sS1b8srvbab1CRlSrxoNCr9T80NAkfzx0gHyVS p1Zow 1FzLMu9PiGwwFyN80HIB7GI/dIa0wC9K/2OrrzcHEhVH96DacTtWQqjfDVtZPjT7Xwv23dgoWcpbkRC86jMJot3dmX9xnn0KzoVc9gDOHSIkBLbkkr6Sp3LGXCCM4L0DJgxdFwaLr5WBzgC3y5x0/wwPIwN4PtIaK3BhH6njlksfnKwwIJ9iRT41V4BqbWu4mszO/7VJ3HJyw2DBpIc2grU9ZRRxrV3fRQG4wIDAQAB",
"scopes": [ "hXXps://VVV.googleapis.com/auth/googlenow" ]
"permissions": [ "alarms", "identity", "metricsPrivate", "notifications", "pushMessaging", "storage", "tabs", "webstorePrivate", "*://*.google.com/*", "*://*.gstatic.com/*", "hXXps://*.googleapis.com/chromenow/v1/*", "hXXps://*.googleusercontent.com/*" ],
"version": "1.2.0.1"
"path": "C:\\Documents and Settings\\Administrator\\Application Data\\Baidu\\BaiduBrowser\\plugin\\extends\\{C060303D-ECBF-4D67-9B86-C48DC33EC8F0}\\7.2.100.95\\resources\\google_now",
epblfibfaofhlnhdblkddcjabakcnbfn/1.0_0/js/status.js
epblfibfaofhlnhdblkddcjabakcnbfn/1.0_0/js/status1.js
epblfibfaofhlnhdblkddcjabakcnbfn/1.0_0/manifest.json
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\web_store",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\bookmark_manager",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\settings_app",
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YXleS FPk0e6yz/a0w1u2cIonG1s1I1WwYz7PRMW3LpzI0ePSdFosKN2y1HBNPMyhhTfH/hi4q19XZUiIOdyPvNhuHcwJ4biA/BX/jP7CIVs P5rKbHXzyAAlOKk3kSy9bHTbkdk0XC9SToNeTgTQLApHc n6hK WW 0KJETaXQMImuYdN4MJpGrAQuTd0or BX6U/U82sU y6MXMtlciT/Cpt6e2bUfXzxFG2iBCjU/B3reDWUjRimqGEoe5grKXGKrOoD4u4i7P4H1KsNOjtsh3QMq24qZOFW6LlJwkfC9T0wCxLn2ZoR7z2Th702MbA 4PyJX705j8QRVa8rwQIDAQAB",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\feedback",
"scripts": [ "util.js", "b64.js", "sha256.js", "countdown.js", "countdowntimer.js", "devicestatuscodes.js", "approvedorigins.js", "errorcodes.js", "gnubbycodetypes.js", "webrequest.js", "gnubbymsgtypes.js", "messagetypes.js", "factoryregistry.js", "closeable.js", "requesthelper.js", "webrequestsender.js", "enroller.js", "requestqueue.js", "signer.js", "origincheck.js", "textfetcher.js", "appid.js", "watchdog.js", "gstaticorigincheck.js", "googleapprovedorigins.js", "gnubbydevice.js", "hidgnubbydevice.js", "usbgnubbydevice.js", "gnubbies.js", "gnubby.js", "gnubby-u2f.js", "gnubbyfactory.js", "singlesigner.js", "multiplesigner.js", "generichelper.js", "inherits.js", "individualattest.js", "devicefactoryregistry.js", "usbhelper.js", "usbenrollhandler.js", "usbsignhandler.js", "usbgnubbyfactory.js", "googlecorpindividualattest.js", "cryptotokenbackground.js" ]
"matches": [ "hXXps://login.corp.google.com/*", "hXXps://accounts.google.com/*", "hXXps://myaccount.google.com/*", "hXXps://security.google.com/*" ]
"permissions": [ "hid", "usb", "u2fDevices", "hXXps://VVV.gstatic.com/", {
"version": "0.9.6"
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\cryptotoken",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\cloud_print",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\chrome_app",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\network_speech_synthesis",
"api": [ "alarms", "desktopCapture", "processes", "webConnectable", "webrtcAudioPrivate", "webrtcLoggingPrivate", "system.cpu" ],
"permissions": [ "alarms", "desktopCapture", "processes", "system.cpu", "webrtcAudioPrivate", "webrtcLoggingPrivate" ],
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\hangout_services",
"keyword": "6E8402CE2A11423EB23F1D14E9D7F986A348CB1F34AAD410C0558B40790E9B05",
"search_url": "021C1E903093DB0BD710D92D2F8F73D8C1FBB469C22163C840AE259DEC9086E1"
"template_url_data": "C10413590C11CFDC2792F36C6A0003961EAF45BB5C24F675C935B102F9CFA77E"
"incident_report_sent": "AC1960240B4EE464E620DE981890DC943D13BB55ECC318A01F80AE95796B5761",
"startup_urls": "0FD9C552C5960BB1F4F791EC1CAD047D606FF1EDF481D1445FF6CCE4B1782399"
"software_reporter": {
.text
`.rdata
@.data
.rsrc
Global\9179F83E-12C2-445A-AB2F-A9E9079C15FF
cmd == notonlyone
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
%s.dll
CCmdTarget
CNotSupportedException
res://%s/%s
res://%s/%d
COMCTL32.DLL
hhctrl.ocx
commctrl_DragListMsg
MSWHEEL_ROLLMSG
user32.dll
ole32.dll
mscoree.dll
internal state. The program cannot safely continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
OLEACC.dll
y:\D\MTWork\
\MiniWeb\Release\MiniWeb.pdb
GetCPInfo
KERNEL32.dll
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
UnhookWindowsHookEx
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
oledlg.dll
OLEAUT32.dll
WINMM.dll
.?AVCCmdTarget@@
.PAVCMemoryException@@
.PAVCException@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCOleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.PAVCFileException@@
.PAVCOleDispatchException@@
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<BODY ID=CMiniWebDlg BGCOLOR=LIGHTGREY>
@.reloc
_CorExeMain
.detour
pageUrl=
pageUrl=http://123.sogou.com/?
%Program Files%\Internet Explorer\inter.ini
C:\Windows\system32\inter.dat
Referer: hXXp://VVV.baidu.com/s?tn=
HttpSendRequestA
WinInet.dll
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
HttpEndRequestA
HttpEndRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
InternetOpenUrlA
InternetOpenUrlW
\HookWininet\Release\HookWininetDLL.pdb
GetProcessHeap
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
.pdata
@.rsrc
..\..\SogouWatch\SogouWatch\Config.cpp
..\..\SogouWatch\SogouWatch\LogicHelper.cpp
C:\Windows\Syswow64\
C:\logDll.txt
Global\AD413FB1-CB3E-4819-90F2-AE73F93FD854
..\..\SogouWatch\SogouWatch\MainLogic.cpp
dodonew %d == %d
Global\39859E00-A5FB-4a88-AC5A-16A9424A0520
Global\0C897E67-0211-4CF0-BFF3-478BCEDC7098
explorer.exe
Global\173A31A8-DBFC-4709-A7B1-16E1195F65DC
RegFlushKey
RegEnumKeyExA
ShellExecuteA
WS2_32.dll
URLDownloadToFileA
urlmon.dll
PSAPI.DLL
VERSION.dll
CryptMsgGetParam
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CryptMsgClose
CertGetNameStringA
CRYPT32.dll
<?xml version="1.0" encoding="utf-8"?><main><Item homepagetype="3" homepage="hXXp://123.sogou.com/?71069-1000" openunclosedpagewhenstart="FALSE" opennewpage="TRUE" notshowpagewhenopenbyotherprograms="TRUE" showalertwhenclose="TRUE" autochechdefaultbrowsersetting="TRUE" multitaborapp="TRUE" appmodekeepmax="FALSE" newwindowfromoutside="0" shortcutdata="vQMAAAoLCglUaXBXbmRUYWIKEgoLQ3JlYXRlRnJhbWUSAwjNBAoVCglDcmVhdGVUYWISAwjUBBIDCM4EChkKEk5ld3BhZ2VGcm9tQ29weVVSTBIDCMMGChsKD0NhbmNlbENsb3NlcGFnZRIDCNoIEgMI1AYKEgoLQ2xvc2VBbGxUYWISAwjXBgoVCglDbG9zZXBhZ2USAwjzBBIDCNcEChkKDlNlbGVjdFJpZ2h0VGFiEgIIchIDCIkEChgKDVNlbGVjdExlZnRUYWISAghxEgMIiQYKFAoNU2VsZWN0VGFiQnlJRBIDCMAEChAKCkZ1bGxTY3JlZW4SAgh6CgsKBEV4aXQSAwjzCAoTChFUaXBCcm93c2VOYXZpZ2F0ZQoNCgdSZWZyZXNoEgIIdAoRCgpBbGxSZWZyZXNoEgMI9AIKEwoMRm9yY2VSZWZyZXNoEgMI9AQKCgoEU3RvcBICCBsKDgoHQWxsU3RvcBIDCJsCCgsKBEJhY2sSAwilCAoOCgdGb3J3YXJkEgMIpwgKCwoESG9tZRIDCKQICgwKClRpcEJyb3dzZXIKDAoFVmlkZW8SAwjRBAoUCg1Tb3VuZEJsb2NraW5nEgMIzQgKEQoKU2VjcmV0TW9kZRIDCMEICgwKBUNsZWFuEgMI2AgKCwoEQm9zcxIDCMAFChYKD1NlbGVjdFNlYXJjaGJhchIDCMUECg4KB1NldHRpbmcSAwjTBgoQCglGaW5kSW5UYWISAwjGBAoMCgZSZXBhaXISAghwChIKC1NraW5tYW5hZ2VyEgMI0AgKDwoIQXV0b0Zvcm0SAwjRCAoTCgxBdXRvRm9ybVNhdmUSAwixCAoWCg9PcGVuT2ZmZW5BY2Nlc3MSAwjHBAoaChNPcGVuRmF2b3JpdGVTZXR0aW5nEgMIwgQKFQoTQWRkQWxsVGFiVG9GYXZvcml0ZQoTCgxPcGVuRmF2b3JpdGUSAwjJBAoVCg5PcGVuVVJMSGlzdG9yeRIDCMgEChgKEUFkZFBhZ2VUb0Zhdm9yaXRlEgMIxAQKHAoQU2VsZWN0QWRkcmVzc2JhchIDCMwEEgMIxAgKGgoUU2VsZWN0QWRkcmVzc2Jhckxpc3QSAghzCg8KCERvd25sb2FkEgMIygQKCAoGVGlwV2ViCgwKBVByaW50EgMI0AQKDwoIT3BlbkZpbGUSAwjPBAoPCghTYXZlRmlsZRIDCNMECg0KBlpvb21ObxIDCLAECg0KBlpvb21JbhIDCLsFCg4KB1pvb21PdXQSAwi9BQ==" disableshortcut="FALSE" usefastaccess="FALSE" opentabpagetype="1" activenewtabposition="0" activetabwhenclosetab="0" foregroundopennewtab="TRUE" supportsearchbymouse="TRUE" foregroundopensearch="FALSE" opennewtabwheninputurltoolbar="FALSE" opennewtabwhenfromfavorbar="TRUE" tabmousewheel="1" tabrightclickclose="FALSE" tabhover="-400" 
tabdoubleclickleftmouse="2" tabminwidth="5" tabmaxwidth="200" tabclosebutton="0" tabfavicon="TRUE" tabcompress="1" enablemousegesture="TRUE" showmousetrack="TRUE" showmouseactioninfo="TRUE" down="14" downup="6" downleft="2" downright="1" up="13" updown="6" upleft="4" upright="5" Left="9" LeftDown="0" LeftUp="4" LeftRight="3" right="8" rightdown="0" rightup="5" rightleft1="12" rightleftright="0" cleanhistoryrecord="TRUE" cleanrecentaccesslist="TRUE" cleanaddrbarlist="TRUE" cleandownloadlist="TRUE" cleanautoform="TRUE" cleaninternettempfile="TRUE" cleancookies="TRUE" cleanbeforeclosebrowser="FALSE" notifybeforeclean="FALSE" dnt="FALSE" urlautoassist="TRUE" ShowSogouSearchResult="TRUE" autoopenurl="TRUE" addressbarstyplevertical="TRUE" SearchEngineForSina="0" addrbarsearchengine="0" hilightsearchbar2="FALSE" dragsearchtextmax="50" selectfaceplatedir="0" favormenumaxcolumn="100" favormenushowinsert="TRUE" favorbarshowheadtext="TRUE" favorbarshowicon="TRUE" favorbarshowtitle="TRUE" favorbarshowdropdown="FALSE" favorbartextwidth="58" favorbarusedot="FALSE" oftenbarshowheadtext="TRUE" oftenbarshowicon="TRUE" oftenbarshowtitle="TRUE" oftenbartextwidth="58" extuishowheadtext="TRUE" extuishowicon="TRUE" extuishowdesc="TRUE" extuishowbadge="TRUE" extuishowdrop="TRUE" extuidevmode="FALSE" ProxyAllItemsNew="AgAAABIA" ProxyPassByLocal="FALSE" flashacc="FALSE" securitylevel="1" usesecureinput="TRUE" videofload="TRUE" floatbar="TRUE" videofloatbarintab="TRUE" floatbarinaddressbar="TRUE" inheritscaling="TRUE" syncinput="FALSE" openerrorpageballon="TRUE" switchcorewarning="TRUE" disablehttpswarning="TRUE" corefont="" preconnect="TRUE" prefetch2="TRUE" popupadvblocking="TRUE" activexblocking="TRUE" blockingballoon="TRUE" AutoFormAutoFill="TRUE" AutoFormShowSaveTip="TRUE" AutoFormCrossDomain="TRUE" DownloadAutoRestartTasks="TRUE" DownloadMethod="0" DownloadTools="-1" DownloadFileSavePath="D:\
" DownloadFileSavePathType="0" DownloadDelDownloadingFile="FALSE" DownloadDelFile="FALSE" DownloadDisableMultiThread="FALSE" DownloadPicQSaveEnable="TRUE" upgrade="1" multicorestrategy="2" accopenballoon="TRUE" sogourank="TRUE" useaeropeek="FALSE" alwaysshowtray="FALSE" mintotray="FALSE" closetotray="FALSE" ckwndforqq="TRUE" ckweibotail="TRUE" passportsynchronizesetting="-1" passportsynshowalarmwhenlogout="TRUE" cleanaccountdata="TRUE" DynamarkEnable="TRUE" DynamarkBubble="TRUE" DynamarkFavOfen="FALSE" DynamarkStartPage="TRUE" DynamarkUseRss="TRUE" DynamarkYellow="TRUE" DynamarkAllowRunBackground="TRUE" StartPageFavoriteGridCount="12" UserInstruct="000100000000000000000000300300" showtime="TRUE" user_exp="TRUE" cc="2109237207" configversion="23" revision="0"></Item></main>PSQLite format 3
CtableMultiCorePatternUrlMultiCorePatternUrl
CREATE TABLE MultiCorePatternUrl (url VARCHAR(1024) default 0,client_id INTEGER default -1)
CREATE TABLE MultiCorePattern (dirty INTEGER default 1,server_id VARCHAR(1024),client_id INTEGER PRIMARY KEY,coretype INTEGER default 0)-
indexsqlite_autoindex_db_info_1db_info
CREATE TABLE db_info (id VARCHAR(1024) PRIMARY KEY,value VARCHAR(1024),reserved INT
CREATE TABLE db_info (id VARCHAR(1024) PRIMARY KEY,value VARCHAR(1024),reserved INTEGER)-
CREATE TABLE MultiCorePattern (dirty INTEGER default 1,server_id VARCHAR(1024),client_id INTEGER PRIMARY KEY,coretype INTEGER default 0)
CREATE TABLE MultiCorePatternUrl (url VARCHAR(1024) default 0,client_id INTEGER default -1)}
1indexMultiCorePatternUrl_client_id_indexMultiCorePatternUrl
CREATE INDEX MultiCorePatternUrl_client_id_index ON MultiCorePatternUrl(client_id)MZ
h.rdata
H.data
.reloc
c:\win7-64\emunhanldulockfile\objfre_win7_x86\i386\UnlockFile.pdb
ntoskrnl.exe
HAL.dll
dwKSDT:%x
ntkrnlpa.exe
c:\drivercode\procnotify\objfre_win7_x86\i386\ProcNotify.pdb
KeDelayExecutionThread
ZwConnectPort
ZwRequestWaitReplyPort
ZwRequestPort
ZwReplyWaitReceivePortEx
status:0xx
c:\drivercode\win7-64\wfp\redirectorwpfex2.0\objfre_win7_amd64\amd64\DoRedirect.pdb
fwpkclnt.sys
$hXXp://crls1.wosign.com/ca1g2-ts.crl0m
hXXp://ocsp1.wosign.com/ca1g2/ts0/
#hXXp://aia1.wosign.com/ca1g2.ts.cer0
hXXp://VVV.wosign.com/policy/0
'hXXp://ocsp1.wosign.com/class3/code/ca106
*hXXp://aia1.wosign.com/class3.code.ca1.cer07
&hXXp://crls1.wosign.com/ca1-code-3.crl0O
!Certification Authority of WoSign0
hXXp://crls1.wosign.com/ca1.crl0h
hXXp://ocsp1.wosign.com/ca10/
#hXXp://aia1.wosign.com/ca1g2-ts.cer0
hXXp://crls1.wosign.com/ca1.crl0o
hXXp://ocsp1.wosign.com/ca106
*hXXp://aia1.wosign.com/ca1-class3-code.cer0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
"Secure Digital Certificate Signing1)0'
StartCom Certification Authority0
hXXp://ocsp.startssl.com/ca00
$hXXp://aia.startssl.com/certs/ca.crt02
!hXXp://crl.startssl.com/sfsca.crl0
&hXXp://cert.startcom.org/sfsca-crl.crl0
%hXXp://crl.startcom.org/sfsca-crl.crl0
#hXXp://cert.startcom.org/policy.pdf05
)hXXp://cert.startcom.org/intermediate.pdf0
Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at hXXp://cert.startcom.org/policy.pdf0
)StartCom Free SSL Certification Authority0
c:\win7-64\emunhanldulockfile\objfre_win7_amd64\amd64\UnlockFile.pdb
&hXXp://crls1.wosign.com/ca1-code-3.crl0Q
hXXp://VVV.usertrust.com1
6hXXp://crl.trust-provider.com/UTN-USERFirst-Object.crl0:
hXXp://ocsp.trust-provider.com0
hXXp://crls1.wosign.com/ca1.crl0g
hXXp://ocsp1.wosign.com/ca10.
"hXXp://aia1.wosign.com/ca1-tsa.cer0
!Certification Authority of WoSign
csrss.exe
OB_OPERATION_HANDLE_CREATE::::::::PROCESS_CREATE_PROCESS
OB_OPERATION_HANDLE_CREATE::::::::PROCESS_DUP_HANDLE
OB_OPERATION_HANDLE_CREATE::::::::PROCESS_VM_WRITE
OB_OPERATION_HANDLE_CREATE::::::::PROCESS_VM_OPERATION
OB_OPERATION_HANDLE_DUPLICATE::::::::PROCESS_CREATE_PROCESS
OB_OPERATION_HANDLE_DUPLICATE::::::::PROCESS_DUP_HANDLE
OB_OPERATION_HANDLE_DUPLICATE::::::::PROCESS_VM_WRITE
OB_OPERATION_HANDLE_DUPLICATE::::::::PROCESS_VM_OPERATION
vmtoolsd.exe
taskmgr.exe
c:\drivercode\procnotify\objfre_win7_amd64\amd64\ProcNotify.pdb
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0a
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
hXXp://sv.symcb.com/sv.crl0a
hXXp://sv.symcd.com0&
hXXp://sv.symcb.com/sv.crt0
hXXp://s2.symcb.com0
hXXp://VVV.symauth.com/cps0(
hXXp://VVV.symauth.com/rpa00
hXXp://s1.symcb.com/pca3-g5.crl0
/VeriSign Universal Root Certification Authority0
hXXps://d.symcb.com/rpa0.
hXXp://s.symcd.com06
%hXXp://s.symcb.com/universal-root.crl0
hXXps://d.symcb.com/rpa0@
/hXXp://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
hXXp://ts-ocsp.ws.symantec.com0;
/hXXp://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
WinExec
ProcessPath: %s
\WINDOWS\Explorer.EXE
c:\drivercode\win7-64\minifilter3\objfre_win7_amd64\amd64\MiniFilter.pdb
\Windows\12366.exe
\Windows\System32\csrss.exe
\Windows\System32\svchost.exe
[MiniFilter][DriverEntry]status:%x
FltCloseClientPort
FltCreateCommunicationPort
FltCloseCommunicationPort
FLTMGR.SYS
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
USER32.DLL
Export
system32\drivers\WCW.sys
SYSTEM\CurrentControlSet\Services\%s
\\.\Global\%s
c:\winpcap\winpcap\packetNtx\Dll\Project\Release\x86\WcwPacket.pdb
NPPTools.dll
iphlpapi.dll
RegEnumKeyW
RegOpenKeyExW
GetConsoleOutputCP
WCWPacket.dll
@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.110.2.2 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.168.2.10 2008-10-06 15:38:39 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/pcap.c,v 1.112.2.12 2008-09-22 20:16:01 guy Exp $ (LBL)
4.1.3
WinPcap version %s, based on %s
WinPcap version %s (packet.dll version %s), based on %s
@(#) $Header: /tcpdump/master/libpcap/pcap-win32.c,v 1.34.2.8 2008-05-21 22:11:26 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/optimize.c,v 1.90.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/nametoaddr.c,v 1.82.2.1 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/inet.c,v 1.75.2.4 2008-04-20 18:19:24 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.99.2.2 2007/11/18 02:04:55 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/fad-win32.c,v 1.15 2007/09/25 20:34:36 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/etherent.c,v 1.23 2006/10/04 18:09:22 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_image.c,v 1.27.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf/net/bpf_filter.c,v 1.45.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_dump.c,v 1.14.4.1 2008/01/02 04:22:16 guy Exp $ (LBL)
%u %u %u %u
{ 0x%x, %d, %d, 0xx },
[x %d]
#0x%x
4*([%d]&0xf)
M[%d]
(d) %-8s %-16s jt %d
jf %d
(d) %-8s %s
malloc: %s
PacketGetAdapterNames: %s
pcap_compile cannot generate filters for a TurboCap port when the PPI linktype is used.
unknown data link type %d
unsupported protocol over mpls
IEEE 802.15.4 link-layer type filtering not implemented
'tcp' modifier applied to %s
'sctp' modifier applied to %s
'udp' modifier applied to %s
'icmp' modifier applied to %s
'igmp' modifier applied to %s
'igrp' modifier applied to %s
'pim' modifier applied to %s
'vrrp' modifier applied to %s
'icmp6' modifier applied to %s
'ah' modifier applied to %s
'esp' modifier applied to %s
'esis' modifier applied to %s
'isis' modifier applied to %s
'clnp' modifier applied to %s
'stp' modifier applied to %s
'netbeui' modifier applied to %s
'radio' modifier applied to %s
'ip' modifier applied to ip6 %s
'rarp' modifier applied to ip6 %s
'arp' modifier applied to ip6 %s
'decnet' modifier applied to ip6 %s
unknown ip proto '%s'
unknown ether proto '%s'
unknown osi proto '%s'
'protochain' not supported with 802.11
unsupported proto to gen_protochain
'udp proto' is bogus
'tcp proto' is bogus
unknown network '%s'
unknown ether host '%s'
unknown FDDI host '%s'
unknown token ring host '%s'
unknown 802.11 host '%s'
unknown Fibre Channel host '%s'
only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name
unknown host '%s'
unknown host '%s'%s
illegal qualifier of 'port'
unknown port '%s'
port '%s' is tcp
port '%s' is sctp
port '%s' is udp
illegal qualifier of 'portrange'
unknown port in range '%s'
port in range '%s' is tcp
port in range '%s' is sctp
port in range '%s' is udp
'gateway' not supported in this configuration
unknown protocol: %s
non-network bits set in "%s mask %s"
non-network bits set in "%s/%d"
invalid ip6 address %s
%s resolved to multiple address
mask length must be <= %u
ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel
unsupported index operation
IPv6 upper-layer protocol is not supported by proto[x]
only link-layer/IP broadcast filters supported
link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel
inbound/outbound not supported on linktype %d
libpcap was compiled without pf support
libpcap was compiled on a machine without pf support
802.11 link-layer types supported only on 802.11
frame direction supported only with 802.11 headers
aid supported only on ARCnet
no VLAN support for data link type %d
no MPLS support for data link type %d
'vpi' supported only on raw ATM
'vci' supported only on raw ATM
'callref' supported only on raw ATM
'metac' supported only on raw ATM
'bcc' supported only on raw ATM
'oam4sc' supported only on raw ATM
'oam4ec' supported only on raw ATM
'sc' supported only on raw ATM
'ilmic' supported only on raw ATM
'lane' supported only on raw ATM
'llc' supported only on raw ATM
'fisu' supported only on MTP2
'lssu' supported only on MTP2
'msu' supported only on MTP2
'sio' supported only on SS7
sio value %u too big; max value = 255
'opc' supported only on SS7
opc value %u too big; max value = 16383
'dpc' supported only on SS7
dpc value %u too big; max value = 16383
'sls' supported only on SS7
sls value %u too big; max value = 15
'oam' supported only on raw ATM
'oamf4' supported only on raw ATM
'connectmsg' supported only on raw ATM
'metaconnect' supported only on raw ATM
'port' modifier applied to ip host
'portrange' modifier applied to ip host
%d-%d
%d.%d
malformed decnet address '%s'
decnet name support not included, '%s' cannot be translated
%s for block-local relative jump: off=%d
malloc() failed: %s
%s '%s' %s
Error when listing files: does folder '%s' exist?
%s '%s' %s %s
[%[1234567890:.]]:%[^/]/%s
[%[1234567890:.]]/%s
%[^/:]:%[^/]/%s
%[^/]/%s
Source type not supported
getaddrinfo() %s
(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
TcApi.dll
TcQueryPortList
TcFreePortList
TcPortGetName
TcPortGetDescription
TcPacketsBufferCreate
TcPacketsBufferDestroy
TcPacketsBufferQueryNextPacket
TcPacketsBufferCommitNextPacket
Error opening TurboCap adapter: %s
Error enabling reception on a TurboCap instance: %s
Error setting the read timeout a TurboCap instance: %s
Getting the non blocking status is not available for TurboCap ports
Setting the non blocking status is not available for TurboCap ports
send error: the TurboCap API does not support packets larger than 64k
send error: TcPacketsBufferCreate failure: %s (x)
send error: TcInstanceTransmitPackets failure: %s (x)
send error: TcPacketsBufferCommitNextPacket failure: %s (x)
read error, TcInstanceReceivePackets failure: %s (x)
read error, TcPacketsBufferQueryNextPacket failure: %s (x)
TurboCap error setting the mintocopy: %s (x)
Mode %u not supported by TurboCap devices. TurboCap only supports capture.
TurboCap error in TcInstanceQueryStatistics: %s (x)
TurboCap error in TcStatisticsQueryValue: %s (x)
setfilter, unable to install the filter: %s
PacketGetStats error: %s
Error opening adapter: %s
Cannot determine the network type: %s
Error calling PacketSetMinToCopy: %s
Driver error: cannot set bpf filter: %s
PacketSetReadTimeout: %s
IEEE 802.15.4 with non-ASK PHY data
Bluetooth HCI UART transport layer plus pseudo-header
IEEE 802.15.4
IEEE 802.15.4 with Linux padding
Bluetooth HCI UART transport layer
Juniper Passive Monitor PIC
can't perform operation on activated capture
%s: %s
%s is not one of the DLTs supported by this device
DLT %d is not one of the DLTs supported by this device
That device doesn't support promiscuous mode
That device doesn't support monitor mode
That operation is supported only in monitor mode
Unknown error: %d
Sending packets isn't supported on savefiles
Setting direction is not supported on savefiles
error reading dump file: %s
truncated dump file; tried to read %u captured bytes, only got %lu
Can't write to %s: %s
%s: link-layer type %d isn't supported in savefiles
bogus IPv6 address %s
bogus ethernet address %s
illegal token: %s
illegal char '%c'
%sUnable to get the exact error message
%s%s (code %d)
%s (code %d)
Is the server properly installed on %s? connect() failed: %s
getaddrinfo(): socket type not supported
getaddrinfo(): multicast addresses are not valid when using TCP streams
Cannot retrieve the extended statistics from a file or a TurboCap port
PacketGetStatsEx error: %s
Cannot transmit a queue to an offline capture or to a TurboCap port
Impossible to set user buffer while reading from a file or on a TurboCap port
Error: invalid size %d
live dump needs a physical interface supported by the NPF driver
wrong interface type. A physical interface supported by the NPF driver is needed
c:\winpcap\winpcap\wpcap\PRJ\Release No AirPcap\x86\Wcwpcap.pdb
HTTP/1.1 302 Moved Temporarily
HTTP://
Http://
HTTPS://
Https://
HTTP/1.1 200 OK
C:\Windows\System32\filter.dat
C:\js.dat
%d. %s
192.168.
192.168.1.128
HTTP/1.
"CU":"hXXp://
hXXp://downfile.duapp.com/2017021616.flv
.html
baidu.com
hXXp://%s
%s?js=%s&slot=%s
stat.php
www1.baidu.com
.baidu.com
VVV.hao123.com
hXXp://VVV.hao123.com/?tn=
VVV.sogou.com
/index.php?pid=
123.sogou.com
Create socket as a server error: %d
Bind %d error: %d
Bind %d success: %d
Listen %d error: %d
connect to real server %s:%d error
0.0.0.1
domain=%d&netid=%d&ius=%s&iusser=%s&a0=%d&a1=%d&a2=%s&a3=%s&a4=%s&a5=%s
hXXp://api.52wba.com/mp/IusService
\Filter\Release\Filter.pdb
RegQueryInfoKeyA
InternetCrackUrlA
WININET.dll
MiddleGetMediaUrl
`.data
MFC42u.DLL
msvcrt.dll
NTDLL.DLL
%%%d.%ds----------
%%%d.%ds(%%8.8X)
%%%d.%ds%%%d.%ds|%%8.8X|
%%%d.%ds%%%d.%ds|%%8.8X| ->"
pCategoryTable[%d]
pTagTable[%d]
pValue[%d]
p?????[%d]
pName[%d]
XXXXXX
{X-X-X-XX-XXXXXX}
XXXX.XXXXXX
%s,%s
xxxxxxxxxxxxxxxx
,%d,%d,
,X
GetSystemWindowsDirectoryW
TypesSupported
*.dll
npptools.pdb
ReportEventA
GetWindowsDirectoryW
RegCreateBlobKey
RegOpenBlobKey
SubkeyExists
recursiveDeleteKey
setKeyAndValue
B.reloc
g_CatchDataCount:%d
\winpcap\winpcap\packetntx\driver\bin\i386\npf.pdb
ZwQueryValueKey
ZwEnumerateKey
ZwOpenKey
NDIS.SYS
\winpcap\winpcap\packetntx\driver\bin\amd64\npf.pdb
c:\winpcap\winpcap\packetNtx\Dll\Project\Release\x64\WcwPacket.pdb
c:\winpcap\winpcap\wpcap\prj\release no airpcap\x64\Wcwpcap.pdb
RegNotifyChangeKeyValue
EnumChildWindows
NETAPI32.dll
nKERNEL32.DLL
- floating point support not loaded
WUSER32.DLL
accKeyboardShortcut
MiniWeb
MiniWeb Version 1.0
MiniWeb
1.0.0.2
MiniWeb.exe
MiniWeb(&A)...
All Files (*.*)
No error message is available.
An unsupported operation was attempted.
A required resource was unavailable.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
An unexpected error occurred while reading %1.
An unexpected error occurred while writing %1.
Access to %1 was denied.
An invalid file handle was associated with %1.
%1 could not be removed because it is the current directory.
%1 could not be created because the directory is full.
Seek failed on
A hardware I/O error was reported while accessing %1.
A sharing violation occurred while accessing %1.
A locking violation occurred while accessing %1.
Disk full while accessing %1.
An attempt was made to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
An attempt was made to write to the reading %1.
An attempt was made to access %1 past its end.
An attempt was made to read from the writing %1.
Unable to load mail system support.
dbghelp.dll
MSCOREE.DLL
2014-7-31 11:46:19
1.0.0.4
6.2.2637.21016
InjectPr.dll
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\ntkrnlpa.exe
TCP redirector sub-layer
sub-layer for use by tcp redirector proxy callouts
TCP Redirector Callout
Streamwise redirector for TCP traffic
TCP Redirector Filter
Doredirect for TCP traffic
127.0.0.1
\SystemRoot\system32\ntdll.dll
\WINDOWS\system32\csrss.exe
\WINDOWS\explorer.exe
\WINDOWS\system32\svchost.exe
\WINDOWS\system32\taskmgr.exe
\WINDOWS\syswow64\checkudo.exe
\WINDOWS\system32\winlogon.exe
%WinDir%\Explorer.EXE
\$RECYCLE.BIN\
\QCXMiniPort
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
TcpIp
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
drivers\WCW.sys
\StringFileInfo\xx\FileVersion
snpp\ndisnpp.dll
PACKET.DLL
packet.dll (NT5) Dynamic Link Library
4.1.0.2980
packet.dll
wpcap.dll Dynamic Link Library - based on libpcap 1.0rel0b branch (20091008)
wpcap.dll
2017-9-30 10:32:23
1.0.4.5
szUrl
\\.\root
%S_%d
\kernel32.dll
HHCTRL.OCX
NETMON2.CHM
5.1.2600.5512 (xpsp.080413-0852)
NPPTools.DLL
Microsoft(R) Windows(R) Operating System
5.1.2600.5512
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Linkage
npf.sys (NT5/6 x86) Kernel Driver
npf.sys
npf.sys (NT5/6 AMD64) Kernel Driver
npp\ndisnpp.dll
2018-1-15 13:52:08
1.1.5.3
%original file name%.exe_4000_rwx_008A1000_002F4000:
Visual C CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
Global\{21896A5C-BAA6-4BF6-9399-F0987AEBB145}
%Program Files%\Windows Joumal\
udo.exe
svchost.exe
iexplore.exe
d.ini
CHROME
\Google\Chrome\User Data\Default\preferences
ChromeConfig.cpp
C:\Windows\System32\prefer
"startup_urls"
hXXp://
"startup_urls_migration_time"
"startup_urls": [ "
hXXp://113.106.48.74/new/interface/processInfo.jsp?domainId=%d&netBarId=%d&idCard=%s&processName=%s&qq=&startTime=%s&endTime=%s
d-d-d d:d:d
QQ.exe
Global\11B1387C-0BA2-4D05-9EF4-39E71850F4DE
Global\1096A7DC-F14E-4B7D-B922-F4BAFEC6E933
hXXp://113.106.48.74/new/interface/processInfo.jsp?domainId=%d&netBarId=%d&idCard=%s&processName=&qq=%s&startTime=%s&endTime=%s
%d%d%s%s
domainId=%d&netBarId=%d&IDNum=%s&a=%s
hXXp://info.dodonew.com/collect/interface/processLove.jsp
C:\Windows\System32\
FILTER%d
DESTURL%d
JSURL
UDOJUMPURL
media.52wba.com;
SLOT%d
C:\Windows\
SRC%d
SRCNOTHOST%d
LNKNAME%d
ICON%d
FOLDER%d
EXENAME%d
NSEXENAME
BaiduWeb
\Baidu\BaiduBrowser\7.6.504.3052\baidubrowser.exe
baie.exe
SRC%s%d
DEST%d
RAND%d
SPAN%d
KEEPTIME%d
2KEEPTIME%d
v.youku.com/v_show/*
valf.atm.youku.com/vf?*
OPEN%s
MINI%s
CTRLSHOW%d
CTRLSHOWTEST%d
PROC%d
PATH%d
OPEN%s%d
RANDNUM%d
ReportGame
TYPE%d
INJECT%d
TARGET%d
QMA.dll
QMASetup.exe
Config.cpp
EXCLUDE%d
REPLACECODE%d
SRCRAND%d
RANDPERCENT%d
FILENAME%d
FILEINFO%d
WNDNAME%d
CLASSNAME%d
FILEDESC%d
PROPERTY%d
SIGNNAME%d
SIGNMAIL%d
MINSIZE%d
MAXSIZE%d
URLPOPUP
http:\
DesktopShortCut.cpp
hXXps://
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\\.\DoFile
\\.\Procnt2
\\.\Procnt1
C:\Windows\newverlog.dat
-360se.exe
360chrome.exe
chrome.exe
baidubrowser.exe
liebao.exe
0.0.0.0
\\.\doRedir
\\.\LI0000012
BarClientView.exe
eyuscore.exe
EyooMenu.exe
ST_Desktop.exe
111YIYOU=--------------error exe
HintClient.exe
nxprun.exe
hxdrun.exe
MZDRunClient.exe
MZDClient.EXE
knbclient.exe
ebClnt.exe
nmenu_client.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SYSTEM\ControlSet001\Services\ebClnt.svc
SYSTEM\ControlSet002\Services\ebClnt.svc
%s\%s
\\.\%s
NTDLL.dll
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\Ftp\UserChoice\
X-X-X-X-X-X
%d.%d.%d.%d
HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/15.0.849.0 Safari/535.1
Content-Type: application/x-www-form-urlencoded
VVV.baidu.com
Global\0A80C80A-6BC6-4497-98D0-BD4EAADDF27C
hXXp://*
hXXps://*
Global\DC4C7E77-92AB-4ACE-B095-298C5FF4B27D
%d=%s
{WND-B868-43CC-A0A5-825EA574C4DD}
{CLASS-1400-4B06-90E7-7A283B1D3061}
ckurl.exe
C:\Windows\System32\ckurl.ini
C:\Windows\System32\ckurl.dat
OLEACC.DLL
InsertJs2Web.cpp
dsp:GetDspClickUrl begin
dsp:GetDspClickUrl error
,x
hXXp://shuttable
gasc.dat
\mygasc.ini
d:\mtwork\
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/ghfot.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/PSvr.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/dseb.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/gajp.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/mulone1.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/mulone2.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/mtbill.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/upopup.dat
hXXp://res.duduniu.cn:8088/iprotectinit/bak/%d/psip.dat
LogicHelper.cpp
ghfot.ini
ghfot.dat
PSvr.ini
PSvr.dat
dseb.ini
dseb.dat
gajp.ini
gajp.dat
mulone1.ini
mulone1.dat
mulone2.ini
mulone2.dat
mtbill.ini
mtbill.dat
upopup.ini
upopup.dat
psip.ini
psip.dat
%s;%s
Global\5252FC07-911D-4A27-8FC1-840181A8F6DD
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
ReportBusiness
ReportComputerInfo
Global\{B6701EE0-FD83-4862-B4E7-9E13C8882D86}
Global\{FB43A492-E501-4D86-9817-212F66686DA5}
hXXp://mp.api.duduniu.cn/mp/common/ReportNetbar/reportTipInfo?domainId=%d&netbarId=%d&tipsId=%d&type=click&terminal=%s
%d%s%d
hXXp://dp.adhei.com:8888/?opt=put&mq=dp_wca_plugins&data=gid=%d&mac=%s&pcname=%s&bootid=%s&opt_type=1&opt_status=1001&key_words=&key_words_match=&browser_info=%s&os_info=%s&plugin_version=1.0.1.0&time_stamp=%d
Filter.dll
AddUrlPopup
LockUrlJump
Wcwpcap.dll
WcwPacket.dll
npptools.dll
wcw.sys
\StringFileInfo\XX\
ddd
CheckFile.exe
DspDriver.exe
DtiDriver.exe
iprotect.exe
iprot.exe
UDO.exe
hXXp://mp.api.duduniu.cn/mp/
%d*%d|%d*%d
domain=%d&netid=%d&pname=%s&sysver=%s&game=%s
&a0=%s&a1=%s&a2=%s&a3=%s&a4=%s&a5=%s&a6=%s&a7=%s&a8=%s
&a9=%s&a10=%s&a11=%s&a12=%s&a13=%s
Result_Baidu.jsp
?domain=%d&netid=%d&tn=%s&ip=%s
&a0=%s&a1=%s&a2=%s&a3=%s&a4=%s&a5=%s
Result_HomePage.jsp
?domain=%d&netid=%d&home=%s
Result_Shortcut.jsp
domain=%d&netid=%d
&a%d=%s
&a%d=
Global\A7490CA7-93EF-442f-9497-DCCEDA4FBF3E
Result_ShortcutExe.jsp
?domain=%d&netid=%d
&a0=%s&a1=%s&a2=%s&a3=%s&a4=%s&a5=%s&a6=%s&a7=%s
Global\B41870E2-0237-4210-AF73-5B8C6E98A545
C:\Windows\SysWOW64\
CWatchExe2
CheckUDO.exe
Global\632F17C9-DCC0-40da-AAFA-22EE1D24A538
632F17C9-DCC0-40da-AAFA-22EE1D24A538
Global\18D28D76-FE53-5ED3-327D-46348C661039
18D28D76-FE53-5ED3-327D-46348C661039
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
checkudo.exe
DoFile.sys
winlogon.exe
C:\Windows\mysavepro2.dat
C:\Windows\syswow64\
.dsunke
RegNotify.cpp
hXXp://mp.api.duduniu.cn/mp/common/ReportNetbar/reportBrower?domainId=%d&netBarId=%d&syncsize=100&brower=%s
hXXp://mp.api.duduniu.cn/mp/report/NetbarMachine/doReport?domainId=%d&netBarId=%d&terminal=%s&a1=%s&a2=%s&a3=&a4=&a5=&a6=&syncsize=100
%d%d%s
hXXp://mp.api.duduniu.cn/mp/gameReport2?netBarId=%d&domainId=%d&gameName=%s&pcName=%s&checkCode=%s&games=%s&qq=%s&idCard=%s
\images\system.img -data
\images\userdata.img -ramdisk
\images\ramdisk.img -kernel
\adb.exe
shell input keyevent 82
shell am start -n com.example.webdemo/com.example.webdemo.MainActivity
SOFTWARE\360\360se6\Chrome
SOFTWARE\360Chrome\chrome
Windows
360se.exe
hXXp://mp.api.duduniu.cn/mp/common/ReportNetbar/reportGameTt?domainId=%d&netBarId=%d&games=%s&gameName=%s&pcName=%s&idCard=%s&qq=%s&syncsize=100
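The URL format strings above (processInfo.jsp with idCard/qq parameters, the res.duduniu.cn:8088/iprotectinit/bak/ downloads, the mp.api.duduniu.cn reporting endpoints, dp.adhei.com:8888) and the two hard-coded User-Agent headers are the network indicators a defender can actually act on. The script below is an added example for this report, not code from the sample or from Lavasoft: it keeps the indicators exactly as printed here (de-fanged hXXp/VVV), re-fangs them, and matches proxy traffic on host plus path prefix only, because the query strings carry per-victim values. The log lines and their tab-separated layout are constructed for the example; parse_line() is the one function to adapt to a real proxy format.

```python
"""Flag proxy-log lines that touch the endpoints named in the strings above.

Added example for this report; not code from the sample or from Lavasoft. The
indicators are copied from the strings above, still de-fanged (hXXp/VVV) the way
the report prints them. Query parameters vary per victim, so matching is done on
host plus path prefix, never on the full URL. SAMPLE_LOG is CONSTRUCTED in a
tab-separated 'time client method url user-agent' layout.
"""
from urllib.parse import urlsplit

DEFANGED_INDICATORS = {
    "processInfo-report": "hXXp://113.106.48.74/new/interface/processInfo.jsp",
    "processLove-report": "hXXp://info.dodonew.com/collect/interface/processLove.jsp",
    "module-download":    "hXXp://res.duduniu.cn:8088/iprotectinit/bak/",
    "netbar-report-api":  "hXXp://mp.api.duduniu.cn/mp/",
    "plugin-stats":       "hXXp://dp.adhei.com:8888/",
}
# User-Agent strings hard-coded in the binary; a Windows 7 host claiming to be
# IE 5 on Windows 98 is a giveaway on its own.
HARDCODED_UAS = {
    "Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)",
    "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/15.0.849.0 Safari/535.1",
}


def refang(s: str) -> str:
    """Undo the report's de-fanging so the indicators parse as real URLs."""
    return s.replace("hXXps://", "https://").replace("hXXp://", "http://").replace("VVV.", "www.")


def compile_indicators(defanged: dict) -> list:
    """Return [(name, host, path_prefix)]; ports are dropped on purpose."""
    out = []
    for name, url in defanged.items():
        u = urlsplit(refang(url))
        out.append((name, u.hostname.lower(), u.path or "/"))
    return out


INDICATORS = compile_indicators(DEFANGED_INDICATORS)


def parse_line(line: str) -> dict:
    """Constructed layout: time<TAB>client<TAB>method<TAB>url<TAB>user-agent."""
    ts, client, method, url, ua = line.rstrip("\n").split("\t", 4)
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def classify(entry: dict) -> list:
    """Return [(confidence, indicator)] hits for one log entry."""
    hits = []
    u = urlsplit(entry["url"])
    host = (u.hostname or "").lower()
    for name, ioc_host, prefix in INDICATORS:
        if host != ioc_host:
            continue
        # Same host on the known path: high. Same host, another path: still
        # worth a look, since the .ini/.dat config pairs above show the file
        # names are operator-controlled.
        hits.append(("high" if u.path.startswith(prefix) else "medium", name))
    if entry["ua"] in HARDCODED_UAS:
        hits.append(("high", "hardcoded-user-agent"))
    return hits


def scan_proxy_log(lines) -> list:
    """Return [(line_number, client, hits)] for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        hits = classify(entry)
        if hits:
            results.append((n, entry["client"], hits))
    return results


# CONSTRUCTED log lines; 192.0.2.0/24 is the documentation range, not a real client.
SAMPLE_LOG = [
    "2018-01-23T10:35:02Z\t192.0.2.10\tGET\thttp://res.duduniu.cn:8088/iprotectinit/bak/7/dseb.dat\tMozilla/4.0 (compatible; MSIE 5.00; Windows 98)",
    "2018-01-23T10:35:03Z\t192.0.2.10\tGET\thttp://mp.api.duduniu.cn/mp/common/ReportNetbar/reportBrower?domainId=12&netBarId=34&syncsize=100&brower=360se.exe\tMozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/15.0.849.0 Safari/535.1",
    "2018-01-23T10:35:09Z\t192.0.2.10\tPOST\thttp://113.106.48.74/new/interface/processInfo.jsp?domainId=12&netBarId=34&idCard=X&processName=QQ.exe&qq=&startTime=1&endTime=2\tMozilla/5.0 (Windows NT 6.1; WOW64) Chrome/63.0.3239.132",
    "2018-01-23T10:36:00Z\t192.0.2.11\tGET\thttps://www.example.com/\tMozilla/5.0 (Windows NT 6.1; WOW64) Chrome/63.0.3239.132",
    "2018-01-23T10:36:30Z\t192.0.2.12\tGET\thttp://res.duduniu.cn/index.html\tMozilla/5.0 (Windows NT 6.1; WOW64) Chrome/63.0.3239.132",
]

if __name__ == "__main__":
    for n, client, hits in scan_proxy_log(SAMPLE_LOG):
        print(n, client, hits)
```

Matching on host only (with a lower confidence) is deliberate: the same operators host both the payload directory and the reporting API, and a new file name under a known host is more likely a rotated module than a false positive. Port numbers are ignored for the same reason.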
CryptQueryObject failed with %x
CryptMsgGetParam failed with %x
CertFindCertificateInStore failed with %x
Signer Certificate:
CertGetNameString failed.
Subject Name: %s
C:\log.txt
39859E00-A5FB-4a88-AC5A-16A9424A0520
SogouWatch.cpp
bgopie.exe
ntdll.dll
D:\MTWork\
\SogouWatch\Release\SogouWatch.pdb
.?AVCWatchExeHelp@@
.?AVCBaiduWeb@@
.?AVChromeConfig@@
.?AVHttpSocketDemo@@
.?AVCIEWebBase@@
.?AVInsertJs2Web@@
.?AVCWatchExe2@@
.?AVCReportBusiness@@
.?AVCReportComputerInfo@@
.?AVCReportGame@@
.?AVCSetWebIEVersion@@
.?AVCWaitQQLogin@@
c:\%original file name%.exe
192.168.11.134
00239999
c:\windows\
"alternate_urls": [ "{google:baseURL}#q={searchTerms}", "{google:baseURL}search#q={searchTerms}", "{google:baseURL}webhp#q={searchTerms}" ],
"icon_url": "hXXp://VVV.google.com/favicon.ico",
"image_url": "{google:baseURL}searchbyimage/upload",
"image_url_post_params": "encoded_image={google:imageThumbnail},image_url={google:imageURL},sbisrc={google:imageSearchSource},original_width={google:imageOriginalWidth},original_height={google:imageOriginalHeight}",
"instant_url": "{google:baseURL}webhp?sourceid=chrome-instant&{google:RLZ}{google:forceInstantResults}{google:instantExtendedEnabledParameter}{google:ntpIsThemedParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}",
"instant_url_post_params": "",
"keyword": "google.com",
"new_tab_url": "{google:baseURL}_/chrome/newtab?{google:RLZ}{google:instantExtendedEnabledParameter}{google:ntpIsThemedParameter}ie={inputEncoding}",
"search_terms_replacement_key": "espv",
"search_url": "{google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}",
"search_url_post_params": "",
"suggest_url": "{google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter}",
"suggest_url_post_params": ""
"host_referral_list": [ 2, [ "hXXp://VVV.hao123.com/", [ "hXXp://img1.hao123.com/", 1.4768250359221144, "hXXp://img2.hao123.com/", 2.832696840169498, "hXXp://nsclick.baidu.com/", 1.4768250359221144, "hXXp://passport.baidu.com/", 1.4768250359221144, "hXXp://s0.hao123img.com/", 16.60321943202129, "hXXp://s1.hao123img.com/", 13.679671274148566, "hXXp://VVV.hao123.com/", 12.32379946990118 ] ] ],
"startup_list": [ 1, "hXXp://img1.hao123.com/", "hXXp://img2.hao123.com/", "hXXp://nsclick.baidu.com/", "hXXp://passport.baidu.com/", "hXXp://s0.hao123img.com/", "hXXp://s1.hao123img.com/", "hXXp://VVV.hao123.com/" ]
"chrome_url_overrides": {
"bookmarks": [ "chrome-extension://eemcgdkfndhakfknompkggombfjjjeno/main.html" ]
"last_chrome_version": "34.0.1847.131",
"api": [ "management", "webstorePrivate" ],
"from_webstore": false,
"web_url": "hXXps://chrome.google.com/webstore"
"urls": [ "hXXps://chrome.google.com/webstore" ]
"description": "Chrome Web Store",
"128": "webstore_icon_128.png",
"16": "webstore_icon_16.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCtl3tO0osjuzRsf6xtD2SKxPlTfuoy7AWoObysitBPvH5fE1NaAA1/2JkPWkVDhdLBWLaIBPYeXbzlHp3y4Vv/4XG aN5qFE3z 1RU/NqkzVYHtIpVScf3DjTYtKVL66mzVGijSoAIwbFCC3LpGdaoe6Q1rSRDp76wR6jjFzsYwQIDAQAB",
"permissions": [ "webstorePrivate", "management" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\web_store",
"explicit_host": [ "chrome://favicon/*", "chrome://resources/*" ],
"initial_keybindings_set": true,
"chrome_url_overrides": {
"bookmarks": "main.html"
"content_security_policy": "object-src 'none'; script-src chrome://resources 'self'",
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDQcByy eN9jzazWF/DPn7NW47sW7lgmpk6eKc0BQM18q8hvEM3zNm2n7HkJv/R6fU X5mtqkDuKvq5skF6qqUF4oEyaleWDFhd1xFwV7JV /DU7bZ00w2 6gzqsabkerFpoP33ZRIw7OviJenP0c0uWqDWF8EGSyMhB3txqhOtiQIDAQAB",
"permissions": [ "bookmarks", "bookmarkManagerPrivate", "metricsPrivate", "systemPrivate", "tabs", "chrome://favicon/", "chrome://resources/" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\bookmark_manager",
"scriptable_host": [ "hXXp://*/*" ]
"path": "C:\\Program Files\\Chromes\\ChromePuls",
"explicit_host": [ "chrome://settings-frame/*" ],
"events": [ "app.runtime.onLaunched" ],
"scripts": [ "settings_app.js" ]
"128": "settings_app_icon_128.png",
"16": "settings_app_icon_16.png",
"32": "settings_app_icon_32.png",
"48": "settings_app_icon_48.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoVDPGX6fvKPVVgc gnkYlGqHuuapgFDyKhsy4z7UzRLO/95zXPv8h8e5EacqbAQJLUbP6DERH5jowyNEYVxq9GJyntJMwP1ejvoz/52hnY3CCGGCmttmKzzpp5zwLuq3iZf8bslwywfflNUYtaCFSDa0TtrBZz0aOPrAAd/AhNwIDAQAB",
"permissions": [ "chrome://settings-frame/" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\settings_app",
"explicit_host": [ "chrome://resources/*" ],
"events": [ "feedbackPrivate.onFeedbackRequested" ],
"scripts": [ "js/event_handler.js" ]
"content_security_policy": "default-src 'none'; script-src 'self' chrome://resources; style-src 'unsafe-inline' *; img-src *; media-src 'self'"
"32": "images/icon32.png",
"64": "images/icon64.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDMZElzFX2J1g1nRQ/8S3rg/1CjFyDltWOxQg 9M8aVgNVxbutEWFQz oQzIP9BB67mJifULgiv12ToFKsae4NpEUR8sPZjiKDIHumc6pUdixOm8SJ5Rs16SMR6 VYxFUjlVW 5CA3IILptmNBxgpfyqoK0qRpBDIhGk1KDEZ4zqQIDAQAB",
"permissions": [ "feedbackPrivate", "chrome://resources/" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\feedback",
"api": [ "cloudPrintPrivate" ],
"web_url": "hXXps://VVV.google.com/cloudprint"
"urls": [ "hXXps://VVV.google.com/cloudprint/enable_chrome_connector" ]
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDqOhnwk4 HXVfGyaNsAQdU/js1Na56diW08oF1MhZiwzSnJsEaeuMN9od9q9N4ZdK3o1xXOSARrYdE syV7Dl31nf6qz3A6K D5NHe6sSB9yvYlIiN37jdWdrfxxE0pRYEVYZNTe3bzq3NkcYJlOdt1UPcpJB isXpAGUKUvt7EQIDAQAB",
"permissions": [ "cloudPrintPrivate" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\cloud_print",
"web_url": "hXXp://THIS-WILL-BE-REPLACED"
"description": "Chrome as an app",
"128": "product_logo_128.png",
"16": "product_logo_16.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDNuYLEQ1QPMcc5HfWI/9jiEf6FdJWqEtgRmIeI7qtjPLBM5oje Ny2E2mTAhou5qdJiO2CHWdU1DQXY2F7Zu2gZaKZgHLfK4WimHxUT5Xd9/aro/R9PCzjguM1BLusiWYc9xlj1IsZpyiN1hcjU7SCnBhv1feQlv2WSB5KRiXwhQIDAQAB",
"name": "Chrome",
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\chrome_app",
"explicit_host": [ "hXXps://VVV.google.com/*" ],
"events": [ "ttsEngine.onPause", "ttsEngine.onResume", "ttsEngine.onSpeak", "ttsEngine.onStop" ],
"scripts": [ "tts_extension.js" ]
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8GSbNUMGygqQTNDMFGIjZNcwXsHLzkNkHjWbuY37PbNdSDZ4VqlVjzbWqODSe MjELdv5Keb51IdytnoGYXBMyqKmWpUrg RnKvQ5ibWr4MW9pyIceOIdp9GrzC1WZGgTmZismYR3AjaIpufZ7xDdQQv XrghPWCkdVqLN qZDA1HU DURznkMICiDDSH2sU0egm9UbWfS218bZqzKeQDiC3OnTPlaxcbJtKUuupIm5knjze3Wo9Ae9poTDMzKgchg0VlFCv3uqox wlD8sjXBoyBCCK9HpImdVAF1a7jpdgiUHpPeV/26oYzM9/grltwNR3bzECQgSpyXp0eyoegwIDAQAB",
"permissions": [ "systemPrivate", "ttsEngine", "hXXps://VVV.google.com/" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\network_speech_synthesis",
"api": [ "alarms", "desktopCapture", "webConnectable", "webrtcAudioPrivate", "webrtcLoggingPrivate", "system.cpu" ],
"page": "background.html",
"matches": [ "hXXps://*.google.com/hangouts*", "*://localhost/*" ]
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAQt2ZDdPfoSe/JI6ID5bgLHRCnCu9T36aYczmhw/tnv6QZB2I6WnOCMZXJZlRdqWc7w9jo4BWhYS50Vb4weMfh/I0On7VcRwJUgfAxW2cHB EkmtI1v4v/OU24OqIa1Nmv9uRVeX0GjhQukdLNhAE6ACWooaf5kqKlCeK 1GOkQIDAQAB",
"permissions": [ "alarms", "desktopCapture", "system.cpu", "webrtcAudioPrivate", "webrtcLoggingPrivate" ],
"path": "C:\\Users\\WEN\\AppData\\Local\\Google\\Chrome\\Application\\34.0.1847.131\\resources\\hangout_services",
"api": [ "identity", "webRequestInternal", "webview" ],
"explicit_host": [ "hXXps://checkout.google.com/*", "hXXps://sandbox.google.com/*", "hXXps://VVV.google.com/*", "hXXps://VVV.googleapis.com/*" ],
"from_webstore": true,
"scripts": [ "craw_background.js" ]
"128": "images/icon_128.png",
"16": "images/icon_16.png"
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrKfMnLqViEyokd1wk57FxJtW2XXpGXzIHBzv9vQI/01UsuP0IV5/lj0wx7zJ/xcibUgDeIxobvv9XD zO1MdjMWuqJFcKuSS4Suqkje6u pMrTSGOSHq1bmBVh0kpToN8YoJs/P/yrRd7FEtAXTaFTGxQL4C385MeXSjaQfiRiQIDAQAB",
"minimum_chrome_version": "29",
"client_id": "203784468217.apps.googleusercontent.com",
"scopes": [ "hXXps://VVV.googleapis.com/auth/sierra", "hXXps://VVV.googleapis.com/auth/sierrasandbox", "hXXps://VVV.googleapis.com/auth/chromewebstore", "hXXps://VVV.googleapis.com/auth/chromewebstore.readonly" ]
"permissions": [ "identity", "webview", "hXXps://checkout.google.com/", "hXXps://sandbox.google.com/checkout/", "hXXps://VVV.google.com/", "hXXps://VVV.googleapis.com/*" ],
"update_url": "hXXps://clients2.google.com/service/update2/crx",
"version": "0.0.6.1"
"path": "nmmhkkegccagdldgiimedpiccmgmieda\\0.0.6.1_0",
"http_server_properties": {
"clients2.google.com:443": {
"port": 443,
"4": 100
"supports_spdy": true
"clients2.googleusercontent.com:443": {
"created_by_version": "34.0.1847.131",
"startup_urls": [ "hXXp://VVV.hao123.com/?tn=99202075_hao_pg" ],
"startup_urls_migration_time": "13043309417314841"
ChromePuls/PK
ChromePuls/js/PK
ChromePuls/js/status.js
ChromePuls/js/status1.js
ChromePuls/manifest.json]P
ChromePuls/
ChromePuls/js/
ChromePuls/manifest.json
khdnkkdpnikidnhfjcpgnenmjokpooob/1.0_0/js/status.js
khdnkkdpnikidnhfjcpgnenmjokpooob/1.0_0/js/status1.js
khdnkkdpnikidnhfjcpgnenmjokpooob/1.0_0/manifest.json]P
khdnkkdpnikidnhfjcpgnenmjokpooob/1.0_0/manifest.json
"last_chrome_version": "7.2.100.95",
"api": [ "management", "system.display", "system.storage", "webstorePrivate", "system.cpu", "system.memory", "system.network" ],
Google Chrome
"name": "Chrome
"permissions": [ "webstorePrivate", "management", "system.cpu", "system.display", "system.memory", "system.network", "system.storage" ],
"path": "C:\\Documents and Settings\\Administrator\\Application Data\\Baidu\\BaiduBrowser\\plugin\\extends\\{C060303D-ECBF-4D67-9B86-C48DC33EC8F0}\\7.2.100.95\\resources\\web_store",
"api": [ "contextMenus", "notifications", "tabs", "unlimitedStorage", "webNavigation", "webRequest", "webRequestBlocking", "bidu" ],
"explicit_host": [ "hXXp://*/*", "hXXps://*/*" ],
"scriptable_host": [ "hXXp://*/*", "hXXps://*/*" ]
"scripts": [ "lib/compat.js", "lib/info.js", "lib/io.js", "lib/adblockplus.js", "lib/punycode.js", "lib/publicSuffixList.js", "lib/basedomain.js", "lib/sha1.js", "lib/jsbn.js", "lib/rsa.js", "webrequest.js", "popupBlocker.js", "background.js", "bd.js" ]
"js": [ "include.preload.js" ],
"matches": [ "hXXp://*/*", "hXXps://*/*" ],
"js": [ "include.postload.js" ],
Chrome
"128": "icons/abp-128.png",
"16": "icons/abp-16.png",
"19": "icons/abp-19.png",
"32": "icons/abp-32.png",
"48": "icons/abp-48.png"
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxqwnot8LhWinlkXoH/2e 50iJ7o3fPByPlecnuCr5PvOekTGk9Zl7KZ07O9FIyRKR9X5CpQFyoydo2C7fTmjS1aEj5iNMA3VF02LSbR5uxVGToXHiEKOd8QbUyorM2RJQnxYXDts9lBcO3EIsiROu058IwMZRxyvgo6HJsCvozOoss6oqFVIpoC8ZWT8ppdkM5L2dX5inKeGFiZ0d8vMKcFQb2mLH3uFTR/qffl5eCD/ZuvrSIwf0vM2bycYViEKpyVphNBi65dyBHZ3eGABd24ZPbzHKlbv30DfT9YLiqYy76lv34B4jn8cCu1wxp2t4MatZtBTQS9Dk8OGPsMAKwIDAQAB",
"minimum_chrome_version": "18.0",
"options_page": "options.html",
"permissions": [ "bidu", "tabs", "hXXp://*/*", "hXXps://*/*", "contextMenus", "webRequest", "webRequestBlocking", "webNavigation", "unlimitedStorage", "notifications" ],
"version": "1.6.3"
"path": "fiomnmjeoicmfpndbdliigppeobhhmgp\\1.6.3_0",
"scriptable_host": [ "file:///*", "hXXp://*/*", "hXXps://*/*" ]
"scripts": [ "js/zepto.js", "js/base.js", "js/background.js" ]
"css": [ "css/content-script.css" ],
"js": [ "js/data-report.js", "js/content-script.js" ],
"matches": [ "hXXp://*/*", "hXXps://*/*", "file://*/*" ],
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LXnBOh0UC5AldSyEb3k9PaZjgjvHarLZUq7tzHWrjsHTymmaHa2XHzl6AHYNUeRt1LuNU4b8misgXLY 2TQTxPmo6TCrQ6KwGBSJujMPRP k0kSx1y70J0w4x2qvoFywt5lD8D EEcvLXTMsLo1sW7iwh5PPMlSz6kidr0ax66qWzGvcWS7JkFcC 7SBl wNy4x4x8t9rO0S4OwdJcluiWPOMm956AF2 iBYPNjGxbFPBYpx7i8IgUzeUtW3dwF17Vdb7LO8dB/4g1/C5OHvf5rTaw4qT0uqs9U4ZkbilWGtzmu3HNhMleK5v0Fa5DzJBi 0qK3RYhk/h6Phr0sSwIDAQAB",
"permissions": [ "hXXp://*/*", "hXXps://*/*", "clipboardWrite", "tabs", "bidu" ],
"version": "1.0.8",
"web_accessible_resources": [ "css/**/*.png" ]
"path": "jgecdcpcbljcijjgceonmpjopjmeelfp\\1.0.8_0",
"js": [ "js/status.js" ],
"matches": [ "hXXp://*/*" ]
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoMfRZ3sVk EOwoZKCp2q8O92qyQxIYnExTEmFq/39KIz65UWjFU3D 5kwFY1dOd/bBCJv0aDe8 V7AfT/Sd0o/HNKdnchrdNErONqO9tTPuESlyKpy5Q6xXGlPLaL6RASJzwffsMQ38m2vYrTcLgJRSWbsUdHYGO886erG6H0jIdR67YTZyL0WBQ7afnniRVmVOINSxR00vQIvPdA7YLFwZNS2NdU3MTblKQxVmMizl7KtQcbj210VzmQohl4EGZC8KQ31pkJ2PPx3Jsa1SMrZ6hwBF W0p DvwSLKhkSm8aTeTwZ32ipPvNc0xYylvet35tgxLiO9pOSmX6RoEMOQIDAQAB",
}, "webConnectable" ],
"explicit_host": [ "hXXps://VVV.gstatic.com/*" ],
"scripts": [ "util.js", "b64.js", "sha256.js", "countdown.js", "countdowntimer.js", "devicestatuscodes.js", "errorcodes.js", "gnubbycodetypes.js", "webrequest.js", "gnubbymsgtypes.js", "messagetypes.js", "factoryregistry.js", "closeable.js", "requesthelper.js", "enroller.js", "requestqueue.js", "signer.js", "origincheck.js", "textfetcher.js", "appid.js", "gstaticorigincheck.js", "gnubbydevice.js", "hidgnubbydevice.js", "usbgnubbydevice.js", "gnubbies.js", "gnubby.js", "gnubby-u2f.js", "gnubbyfactory.js", "singlesigner.js", "multiplesigner.js", "generichelper.js", "inherits.js", "devicefactoryregistry.js", "usbhelper.js", "usbenrollhandler.js", "usbsignhandler.js", "usbgnubbyfactory.js", "cryptotokenbackground.js" ]
"matches": [ "hXXps://accounts.google.com/*", "hXXps://security.google.com/*", "hXXps://login.corp.google.com/*" ]
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq7zRobvA AVlvNqkHSSVhh1sEWsHSqz4oR/XptkDe/Cz3 gW9ZGumZ20NCHjaac8j1iiesdigp8B1LJsd/2WWv2Dbnto4f8GrQ5MVphKyQ9WJHwejEHN2K4vzrTcwaXqv5BSTXwxlxS/mXCmXskTfryKTLuYrcHEWK8fCHb 0gvr8b/kvsi75A1aMmb6nUnFJvETmCkOCPNX5CHTdy634Ts/x0fLhRuPlahk63rdf7agxQv5viVjQFk tbgv6aa9kdSd11Js/RZ9yZjrFgHOBWgP4jTBqud4 HUglrzu8qynFipyNRLCZsaxhm NItTyNgesxLdxZcwOz56KD1Q4IQIDAQAB",
"permissions": [ "usb", "hid", "hXXps://VVV.gstatic.com/", {
"version": "0.8.59"
"path": "C:\\Documents and Settings\\Administrator\\Application Data\\Baidu\\BaiduBrowser\\plugin\\extends\\{C060303D-ECBF-4D67-9B86-C48DC33EC8F0}\\7.2.100.95\\resources\\cryptotoken",
"api": [ "alarms", "identity", "metricsPrivate", "notifications", "pushMessaging", "storage", "tabs", "webstorePrivate" ],
"explicit_host": [ "*://*.google.com/*", "*://*.gstatic.com/*", "hXXps://*.googleapis.com/*", "hXXps://*.googleusercontent.com/*" ],
"events": [ "alarms.onAlarm", "identity.onSignInChanged", "notifications.onButtonClicked", "notifications.onClicked", "notifications.onClosed", "notifications.onPermissionLevelChanged", "notifications.onShowSettings", "pushMessaging.onMessage", "runtime.onInstalled", "runtime.onStartup", "runtime.onSuspend", "storage.onChanged" ],
"scripts": [ "utility.js", "cards.js", "background.js" ]
"description": "Integrates Google Now into Chrome.",
"128": "images/icon128.png",
"16": "images/icon16.png",
"48": "images/icon48.png"
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkhqJr32OFD/bMXW4Md7jMfd7LbwHXVc6x5bBQG5U dloofoxrICDR20yur/40mQ8O//0sS1b8srvbab1CRlSrxoNCr9T80NAkfzx0gHyVS p1Zow 1FzLMu9PiGwwFyN80HIB7GI/dIa0wC9K/2OrrzcHEhVH96DacTtWQqjfDVtZPjT7Xwv23dgoWcpbkRC86jMJot3dmX9xnn0KzoVc9gDOHSIkBLbkkr6Sp3LGXCCM4L0DJgxdFwaLr5WBzgC3y5x0/wwPIwN4PtIaK3BhH6njlksfnKwwIJ9iRT41V4BqbWu4mszO/7VJ3HJyw2DBpIc2grU9ZRRxrV3fRQG4wIDAQAB",
"scopes": [ "hXXps://VVV.googleapis.com/auth/googlenow" ]
"permissions": [ "alarms", "identity", "metricsPrivate", "notifications", "pushMessaging", "storage", "tabs", "webstorePrivate", "*://*.google.com/*", "*://*.gstatic.com/*", "hXXps://*.googleapis.com/chromenow/v1/*", "hXXps://*.googleusercontent.com/*" ],
"version": "1.2.0.1"
"path": "C:\\Documents and Settings\\Administrator\\Application Data\\Baidu\\BaiduBrowser\\plugin\\extends\\{C060303D-ECBF-4D67-9B86-C48DC33EC8F0}\\7.2.100.95\\resources\\google_now",
epblfibfaofhlnhdblkddcjabakcnbfn/1.0_0/js/status.js
epblfibfaofhlnhdblkddcjabakcnbfn/1.0_0/js/status1.js
epblfibfaofhlnhdblkddcjabakcnbfn/1.0_0/manifest.json]P
epblfibfaofhlnhdblkddcjabakcnbfn/1.0_0/manifest.json
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\web_store",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\bookmark_manager",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\settings_app",
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YXleS FPk0e6yz/a0w1u2cIonG1s1I1WwYz7PRMW3LpzI0ePSdFosKN2y1HBNPMyhhTfH/hi4q19XZUiIOdyPvNhuHcwJ4biA/BX/jP7CIVs P5rKbHXzyAAlOKk3kSy9bHTbkdk0XC9SToNeTgTQLApHc n6hK WW 0KJETaXQMImuYdN4MJpGrAQuTd0or BX6U/U82sU y6MXMtlciT/Cpt6e2bUfXzxFG2iBCjU/B3reDWUjRimqGEoe5grKXGKrOoD4u4i7P4H1KsNOjtsh3QMq24qZOFW6LlJwkfC9T0wCxLn2ZoR7z2Th702MbA 4PyJX705j8QRVa8rwQIDAQAB",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\feedback",
"scripts": [ "util.js", "b64.js", "sha256.js", "countdown.js", "countdowntimer.js", "devicestatuscodes.js", "approvedorigins.js", "errorcodes.js", "gnubbycodetypes.js", "webrequest.js", "gnubbymsgtypes.js", "messagetypes.js", "factoryregistry.js", "closeable.js", "requesthelper.js", "webrequestsender.js", "enroller.js", "requestqueue.js", "signer.js", "origincheck.js", "textfetcher.js", "appid.js", "watchdog.js", "gstaticorigincheck.js", "googleapprovedorigins.js", "gnubbydevice.js", "hidgnubbydevice.js", "usbgnubbydevice.js", "gnubbies.js", "gnubby.js", "gnubby-u2f.js", "gnubbyfactory.js", "singlesigner.js", "multiplesigner.js", "generichelper.js", "inherits.js", "individualattest.js", "devicefactoryregistry.js", "usbhelper.js", "usbenrollhandler.js", "usbsignhandler.js", "usbgnubbyfactory.js", "googlecorpindividualattest.js", "cryptotokenbackground.js" ]
"matches": [ "hXXps://login.corp.google.com/*", "hXXps://accounts.google.com/*", "hXXps://myaccount.google.com/*", "hXXps://security.google.com/*" ]
"permissions": [ "hid", "usb", "u2fDevices", "hXXps://VVV.gstatic.com/", {
"version": "0.9.6"
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\cryptotoken",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\cloud_print",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\chrome_app",
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\network_speech_synthesis",
"api": [ "alarms", "desktopCapture", "processes", "webConnectable", "webrtcAudioPrivate", "webrtcLoggingPrivate", "system.cpu" ],
"permissions": [ "alarms", "desktopCapture", "processes", "system.cpu", "webrtcAudioPrivate", "webrtcLoggingPrivate" ],
"path": "C:\\Program Files\\Google\\Chrome\\Application\\40.0.2214.115\\resources\\hangout_services",
"keyword": "6E8402CE2A11423EB23F1D14E9D7F986A348CB1F34AAD410C0558B40790E9B05",
"search_url": "021C1E903093DB0BD710D92D2F8F73D8C1FBB469C22163C840AE259DEC9086E1"
"template_url_data": "C10413590C11CFDC2792F36C6A0003961EAF45BB5C24F675C935B102F9CFA77E"
"incident_report_sent": "AC1960240B4EE464E620DE981890DC943D13BB55ECC318A01F80AE95796B5761",
"startup_urls": "0FD9C552C5960BB1F4F791EC1CAD047D606FF1EDF481D1445FF6CCE4B1782399"
"software_reporter": {
.text
`.rdata
@.data
.rsrc
Global\9179F83E-12C2-445A-AB2F-A9E9079C15FF
cmd == notonlyone
kernel32.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
%s.dll
CCmdTarget
CNotSupportedException
res://%s/%s
res://%s/%d
COMCTL32.DLL
hhctrl.ocx
commctrl_DragListMsg
MSWHEEL_ROLLMSG
user32.dll
ole32.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
OLEACC.dll
y:\D\MTWork\
\MiniWeb\Release\MiniWeb.pdb
GetCPInfo
KERNEL32.dll
GetKeyState
SetWindowsHookExA
CreateDialogIndirectParamA
UnhookWindowsHookEx
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
comdlg32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
oledlg.dll
OLEAUT32.dll
WINMM.dll
.?AVCCmdTarget@@
.PAVCMemoryException@@
.PAVCException@@
.?AVCCmdUI@@
.PAVCObject@@
.PAVCOleException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.PAVCFileException@@
.PAVCOleDispatchException@@
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=gb2312">
<BODY ID=CMiniWebDlg BGCOLOR=LIGHTGREY>
@.reloc
_CorExeMain
.detour
pageUrl=
pageUrl=http://123.sogou.com/?
%Program Files%\Internet Explorer\inter.ini
C:\Windows\system32\inter.dat
Referer: hXXp://VVV.baidu.com/s?tn=
HttpSendRequestA
WinInet.dll
HttpSendRequestW
HttpSendRequestExA
HttpSendRequestExW
HttpEndRequestA
HttpEndRequestW
HttpOpenRequestA
HttpOpenRequestW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
InternetOpenUrlA
InternetOpenUrlW
\HookWininet\Release\HookWininetDLL.pdb
GetProcessHeap
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
.pdata
@.rsrc
..\..\SogouWatch\SogouWatch\Config.cpp
..\..\SogouWatch\SogouWatch\LogicHelper.cpp
C:\Windows\Syswow64\
C:\logDll.txt
Global\AD413FB1-CB3E-4819-90F2-AE73F93FD854
..\..\SogouWatch\SogouWatch\MainLogic.cpp
dodonew %d == %d
Global\39859E00-A5FB-4a88-AC5A-16A9424A0520
Global\0C897E67-0211-4CF0-BFF3-478BCEDC7098
explorer.exe
Global\173A31A8-DBFC-4709-A7B1-16E1195F65DC
RegFlushKey
RegEnumKeyExA
ShellExecuteA
WS2_32.dll
URLDownloadToFileA
urlmon.dll
PSAPI.DLL
VERSION.dll
CryptMsgGetParam
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CryptMsgClose
CertGetNameStringA
CRYPT32.dll
<?xml version="1.0" encoding="utf-8"?><main><Item homepagetype="3" homepage="hXXp://123.sogou.com/?71069-1000" openunclosedpagewhenstart="FALSE" opennewpage="TRUE" notshowpagewhenopenbyotherprograms="TRUE" showalertwhenclose="TRUE" autochechdefaultbrowsersetting="TRUE" multitaborapp="TRUE" appmodekeepmax="FALSE" newwindowfromoutside="0" shortcutdata="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" disableshortcut="FALSE" usefastaccess="FALSE" opentabpagetype="1" activenewtabposition="0" activetabwhenclosetab="0" foregroundopennewtab="TRUE" supportsearchbymouse="TRUE" foregroundopensearch="FALSE" opennewtabwheninputurltoolbar="FALSE" opennewtabwhenfromfavorbar="TRUE" tabmousewheel="1" tabrightclickclose="FALSE" tabhover="-400" tabdoubleclickleftmouse="2" tabminwidth="5" tabmaxwidth="200" tabclosebutton="0" tabfavicon="TRUE" tabcompress="1" enablemousegesture="TRUE" showmousetrack="TRUE" showmouseactioninfo="TRUE" down="14" downup="6" downleft="2" downright="1" up="13" updown="6" upleft="4" upright="5" Left="9" LeftDown="0" LeftUp="4" LeftRight="3" right="8" rightdown="0" rightup="5" rightleft1="12" rightleftright="0" cleanhistoryrecord="TRUE" cleanrecentaccesslist="TRUE" cleanaddrbarlist="TRUE" cleandownloadlist="TRUE" cleanautoform="TRUE" cleaninternettempfile="TRUE" cleancookies="TRUE" cleanbeforeclosebrowser="FALSE" notifybeforeclean="FALSE" dnt="FALSE" urlautoassist="TRUE" ShowSogouSearchResult="TRUE" autoopenurl="TRUE" addressbarstyplevertical="TRUE" SearchEngineForSina="0" addrbarsearchengine="0" hilightsearchbar2="FALSE" dragsearchtextmax="50" selectfaceplatedir="0" favormenumaxcolumn="100" favormenushowinsert="TRUE" favorbarshowheadtext="TRUE" favorbarshowicon="TRUE" favorbarshowtitle="TRUE" favorbarshowdropdown="FALSE" favorbartextwidth="58" favorbarusedot="FALSE" oftenbarshowheadtext="TRUE" oftenbarshowicon="TRUE" oftenbarshowtitle="TRUE" oftenbartextwidth="58" extuishowheadtext="TRUE" extuishowicon="TRUE" extuishowdesc="TRUE" extuishowbadge="TRUE" 
extuishowdrop="TRUE" extuidevmode="FALSE" ProxyAllItemsNew="AgAAABIA" ProxyPassByLocal="FALSE" flashacc="FALSE" securitylevel="1" usesecureinput="TRUE" videofload="TRUE" floatbar="TRUE" videofloatbarintab="TRUE" floatbarinaddressbar="TRUE" inheritscaling="TRUE" syncinput="FALSE" openerrorpageballon="TRUE" switchcorewarning="TRUE" disablehttpswarning="TRUE" corefont="" preconnect="TRUE" prefetch2="TRUE" popupadvblocking="TRUE" activexblocking="TRUE" blockingballoon="TRUE" AutoFormAutoFill="TRUE" AutoFormShowSaveTip="TRUE" AutoFormCrossDomain="TRUE" DownloadAutoRestartTasks="TRUE" DownloadMethod="0" DownloadTools="-1" DownloadFileSavePath="D:\
" DownloadFileSavePathType="0" DownloadDelDownloadingFile="FALSE" DownloadDelFile="FALSE" DownloadDisableMultiThread="FALSE" DownloadPicQSaveEnable="TRUE" upgrade="1" multicorestrategy="2" accopenballoon="TRUE" sogourank="TRUE" useaeropeek="FALSE" alwaysshowtray="FALSE" mintotray="FALSE" closetotray="FALSE" ckwndforqq="TRUE" ckweibotail="TRUE" passportsynchronizesetting="-1" passportsynshowalarmwhenlogout="TRUE" cleanaccountdata="TRUE" DynamarkEnable="TRUE" DynamarkBubble="TRUE" DynamarkFavOfen="FALSE" DynamarkStartPage="TRUE" DynamarkUseRss="TRUE" DynamarkYellow="TRUE" DynamarkAllowRunBackground="TRUE" StartPageFavoriteGridCount="12" UserInstruct="000100000000000000000000300300" showtime="TRUE" user_exp="TRUE" cc="2109237207" configversion="23" revision="0"></Item></main>PSQLite format 3
CtableMultiCorePatternUrlMultiCorePatternUrl
CREATE TABLE MultiCorePatternUrl (url VARCHAR(1024) default 0,client_id INTEGER default -1)
CREATE TABLE MultiCorePattern (dirty INTEGER default 1,server_id VARCHAR(1024),client_id INTEGER PRIMARY KEY,coretype INTEGER default 0)-
indexsqlite_autoindex_db_info_1db_info
CREATE TABLE db_info (id VARCHAR(1024) PRIMARY KEY,value VARCHAR(1024),reserved INT
CREATE TABLE db_info (id VARCHAR(1024) PRIMARY KEY,value VARCHAR(1024),reserved INTEGER)-
CREATE TABLE MultiCorePattern (dirty INTEGER default 1,server_id VARCHAR(1024),client_id INTEGER PRIMARY KEY,coretype INTEGER default 0)
CREATE TABLE MultiCorePatternUrl (url VARCHAR(1024) default 0,client_id INTEGER default -1)}
1indexMultiCorePatternUrl_client_id_indexMultiCorePatternUrl
CREATE INDEX MultiCorePatternUrl_client_id_index ON MultiCorePatternUrl(client_id)MZ
h.rdata
H.data
.reloc
c:\win7-64\emunhanldulockfile\objfre_win7_x86\i386\UnlockFile.pdb
ntoskrnl.exe
HAL.dll
dwKSDT:%x
ntkrnlpa.exe
c:\drivercode\procnotify\objfre_win7_x86\i386\ProcNotify.pdb
KeDelayExecutionThread
ZwConnectPort
ZwRequestWaitReplyPort
ZwRequestPort
ZwReplyWaitReceivePortEx
status:0xx
c:\drivercode\win7-64\wfp\redirectorwpfex2.0\objfre_win7_amd64\amd64\DoRedirect.pdb
fwpkclnt.sys
$hXXp://crls1.wosign.com/ca1g2-ts.crl0m
hXXp://ocsp1.wosign.com/ca1g2/ts0/
#hXXp://aia1.wosign.com/ca1g2.ts.cer0
hXXp://VVV.wosign.com/policy/0
'hXXp://ocsp1.wosign.com/class3/code/ca106
*hXXp://aia1.wosign.com/class3.code.ca1.cer07
&hXXp://crls1.wosign.com/ca1-code-3.crl0O
!Certification Authority of WoSign0
hXXp://crls1.wosign.com/ca1.crl0h
hXXp://ocsp1.wosign.com/ca10/
#hXXp://aia1.wosign.com/ca1g2-ts.cer0
hXXp://crls1.wosign.com/ca1.crl0o
hXXp://ocsp1.wosign.com/ca106
*hXXp://aia1.wosign.com/ca1-class3-code.cer0
DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
"Secure Digital Certificate Signing1)0'
StartCom Certification Authority0
hXXp://ocsp.startssl.com/ca00
$hXXp://aia.startssl.com/certs/ca.crt02
!hXXp://crl.startssl.com/sfsca.crl0
&hXXp://cert.startcom.org/sfsca-crl.crl0
%hXXp://crl.startcom.org/sfsca-crl.crl0
#hXXp://cert.startcom.org/policy.pdf05
)hXXp://cert.startcom.org/intermediate.pdf0
Limited Liability, read the section *Legal Limitations* of the StartCom Certification Authority Policy available at hXXp://cert.startcom.org/policy.pdf0
)StartCom Free SSL Certification Authority0
c:\win7-64\emunhanldulockfile\objfre_win7_amd64\amd64\UnlockFile.pdb
&hXXp://crls1.wosign.com/ca1-code-3.crl0Q
hXXp://VVV.usertrust.com1
6hXXp://crl.trust-provider.com/UTN-USERFirst-Object.crl0:
hXXp://ocsp.trust-provider.com0
hXXp://crls1.wosign.com/ca1.crl0g
hXXp://ocsp1.wosign.com/ca10.
"hXXp://aia1.wosign.com/ca1-tsa.cer0
!Certification Authority of WoSign
csrss.exe
OB_OPERATION_HANDLE_CREATE::::::::PROCESS_CREATE_PROCESS
OB_OPERATION_HANDLE_CREATE::::::::PROCESS_DUP_HANDLE
OB_OPERATION_HANDLE_CREATE::::::::PROCESS_VM_WRITE
OB_OPERATION_HANDLE_CREATE::::::::PROCESS_VM_OPERATION
OB_OPERATION_HANDLE_DUPLICATE::::::::PROCESS_CREATE_PROCESS
OB_OPERATION_HANDLE_DUPLICATE::::::::PROCESS_DUP_HANDLE
OB_OPERATION_HANDLE_DUPLICATE::::::::PROCESS_VM_WRITE
OB_OPERATION_HANDLE_DUPLICATE::::::::PROCESS_VM_OPERATION
vmtoolsd.exe
taskmgr.exe
c:\drivercode\procnotify\objfre_win7_amd64\amd64\ProcNotify.pdb
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
hXXp://sf.symcb.com/sf.crl0a
hXXps://d.symcb.com/cps0%
hXXps://d.symcb.com/rpa0
hXXp://sf.symcd.com0&
hXXp://sf.symcb.com/sf.crt0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
hXXps://VVV.verisign.com/rpa0
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
hXXp://sv.symcb.com/sv.crl0a
hXXp://sv.symcd.com0&
hXXp://sv.symcb.com/sv.crt0
hXXp://s2.symcb.com0
hXXp://VVV.symauth.com/cps0(
hXXp://VVV.symauth.com/rpa00
hXXp://s1.symcb.com/pca3-g5.crl0
/VeriSign Universal Root Certification Authority0
hXXps://d.symcb.com/rpa0.
hXXp://s.symcd.com06
%hXXp://s.symcb.com/universal-root.crl0
hXXps://d.symcb.com/rpa0@
/hXXp://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
hXXp://ts-ocsp.ws.symantec.com0;
/hXXp://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
WinExec
ProcessPath: %s
\WINDOWS\Explorer.EXE
c:\drivercode\win7-64\minifilter3\objfre_win7_amd64\amd64\MiniFilter.pdb
\Windows\12366.exe
\Windows\System32\csrss.exe
\Windows\System32\svchost.exe
[MiniFilter][DriverEntry]status:%x
FltCloseClientPort
FltCreateCommunicationPort
FltCloseCommunicationPort
FLTMGR.SYS
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
USER32.DLL
Export
system32\drivers\WCW.sys
SYSTEM\CurrentControlSet\Services\%s
\\.\Global\%s
c:\winpcap\winpcap\packetNtx\Dll\Project\Release\x86\WcwPacket.pdb
NPPTools.dll
iphlpapi.dll
RegEnumKeyW
RegOpenKeyExW
GetConsoleOutputCP
WCWPacket.dll
@(#) $Header: /tcpdump/master/libpcap/scanner.l,v 1.110.2.2 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/savefile.c,v 1.168.2.10 2008-10-06 15:38:39 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/pcap.c,v 1.112.2.12 2008-09-22 20:16:01 guy Exp $ (LBL)
4.1.3
WinPcap version %s, based on %s
WinPcap version %s (packet.dll version %s), based on %s
@(#) $Header: /tcpdump/master/libpcap/pcap-win32.c,v 1.34.2.8 2008-05-21 22:11:26 gianluca Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/optimize.c,v 1.90.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/nametoaddr.c,v 1.82.2.1 2008/02/06 10:21:47 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/inet.c,v 1.75.2.4 2008-04-20 18:19:24 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/grammar.y,v 1.99.2.2 2007/11/18 02:04:55 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/gencode.c,v 1.290.2.16 2008-09-22 20:16:01 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/fad-win32.c,v 1.15 2007/09/25 20:34:36 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/etherent.c,v 1.23 2006/10/04 18:09:22 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_image.c,v 1.27.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf/net/bpf_filter.c,v 1.45.2.1 2008/01/02 04:22:16 guy Exp $ (LBL)
@(#) $Header: /tcpdump/master/libpcap/bpf_dump.c,v 1.14.4.1 2008/01/02 04:22:16 guy Exp $ (LBL)
%u %u %u %u
{ 0x%x, %d, %d, 0xx },
[x %d]
#0x%x
4*([%d]&0xf)
M[%d]
(d) %-8s %-16s jt %d
jf %d
(d) %-8s %s
malloc: %s
PacketGetAdapterNames: %s
pcap_compile cannot generate filters for a TurboCap port when the PPI linktype is used.
unknown data link type %d
unsupported protocol over mpls
IEEE 802.15.4 link-layer type filtering not implemented
'tcp' modifier applied to %s
'sctp' modifier applied to %s
'udp' modifier applied to %s
'icmp' modifier applied to %s
'igmp' modifier applied to %s
'igrp' modifier applied to %s
'pim' modifier applied to %s
'vrrp' modifier applied to %s
'icmp6' modifier applied to %s
'ah' modifier applied to %s
'esp' modifier applied to %s
'esis' modifier applied to %s
'isis' modifier applied to %s
'clnp' modifier applied to %s
'stp' modifier applied to %s
'netbeui' modifier applied to %s
'radio' modifier applied to %s
'ip' modifier applied to ip6 %s
'rarp' modifier applied to ip6 %s
'arp' modifier applied to ip6 %s
'decnet' modifier applied to ip6 %s
unknown ip proto '%s'
unknown ether proto '%s'
unknown osi proto '%s'
'protochain' not supported with 802.11
unsupported proto to gen_protochain
'udp proto' is bogus
'tcp proto' is bogus
unknown network '%s'
unknown ether host '%s'
unknown FDDI host '%s'
unknown token ring host '%s'
unknown 802.11 host '%s'
unknown Fibre Channel host '%s'
only ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel supports link-level host name
unknown host '%s'
unknown host '%s'%s
illegal qualifier of 'port'
unknown port '%s'
port '%s' is tcp
port '%s' is sctp
port '%s' is udp
illegal qualifier of 'portrange'
unknown port in range '%s'
port in range '%s' is tcp
port in range '%s' is sctp
port in range '%s' is udp
'gateway' not supported in this configuration
unknown protocol: %s
non-network bits set in "%s mask %s"
non-network bits set in "%s/%d"
invalid ip6 address %s
%s resolved to multiple address
mask length must be <= %u
ethernet addresses supported only on ethernet/FDDI/token ring/802.11/ATM LANE/Fibre Channel
unsupported index operation
IPv6 upper-layer protocol is not supported by proto[x]
only link-layer/IP broadcast filters supported
link-layer multicast filters supported only on ethernet/FDDI/token ring/ARCNET/802.11/ATM LANE/Fibre Channel
inbound/outbound not supported on linktype %d
libpcap was compiled without pf support
libpcap was compiled on a machine without pf support
802.11 link-layer types supported only on 802.11
frame direction supported only with 802.11 headers
aid supported only on ARCnet
no VLAN support for data link type %d
no MPLS support for data link type %d
'vpi' supported only on raw ATM
'vci' supported only on raw ATM
'callref' supported only on raw ATM
'metac' supported only on raw ATM
'bcc' supported only on raw ATM
'oam4sc' supported only on raw ATM
'oam4ec' supported only on raw ATM
'sc' supported only on raw ATM
'ilmic' supported only on raw ATM
'lane' supported only on raw ATM
'llc' supported only on raw ATM
'fisu' supported only on MTP2
'lssu' supported only on MTP2
'msu' supported only on MTP2
'sio' supported only on SS7
sio value %u too big; max value = 255
'opc' supported only on SS7
opc value %u too big; max value = 16383
'dpc' supported only on SS7
dpc value %u too big; max value = 16383
'sls' supported only on SS7
sls value %u too big; max value = 15
'oam' supported only on raw ATM
'oamf4' supported only on raw ATM
'connectmsg' supported only on raw ATM
'metaconnect' supported only on raw ATM
'port' modifier applied to ip host
'portrange' modifier applied to ip host
%d-%d
%d.%d
malformed decnet address '%s'
decnet name support not included, '%s' cannot be translated
%s for block-local relative jump: off=%d
malloc() failed: %s
%s '%s' %s
Error when listing files: does folder '%s' exist?
%s '%s' %s %s
[%[1234567890:.]]:%[^/]/%s
[%[1234567890:.]]/%s
%[^/:]:%[^/]/%s
%[^/]/%s
Source type not supported
getaddrinfo() %s
(%s) and not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
not (host %s and host %s and port %s and port %s) and not (host %s and host %s and port %s)
TcApi.dll
TcQueryPortList
TcFreePortList
TcPortGetName
TcPortGetDescription
TcPacketsBufferCreate
TcPacketsBufferDestroy
TcPacketsBufferQueryNextPacket
TcPacketsBufferCommitNextPacket
Error opening TurboCap adapter: %s
Error enabling reception on a TurboCap instance: %s
Error setting the read timeout a TurboCap instance: %s
Getting the non blocking status is not available for TurboCap ports
Setting the non blocking status is not available for TurboCap ports
send error: the TurboCap API does not support packets larger than 64k
send error: TcPacketsBufferCreate failure: %s (x)
send error: TcInstanceTransmitPackets failure: %s (x)
send error: TcPacketsBufferCommitNextPacket failure: %s (x)
read error, TcInstanceReceivePackets failure: %s (x)
read error, TcPacketsBufferQueryNextPacket failure: %s (x)
TurboCap error setting the mintocopy: %s (x)
Mode %u not supported by TurboCap devices. TurboCap only supports capture.
TurboCap error in TcInstanceQueryStatistics: %s (x)
TurboCap error in TcStatisticsQueryValue: %s (x)
setfilter, unable to install the filter: %s
PacketGetStats error: %s
Error opening adapter: %s
Cannot determine the network type: %s
Error calling PacketSetMinToCopy: %s
Driver error: cannot set bpf filter: %s
PacketSetReadTimeout: %s
IEEE 802.15.4 with non-ASK PHY data
Bluetooth HCI UART transport layer plus pseudo-header
IEEE 802.15.4
IEEE 802.15.4 with Linux padding
Bluetooth HCI UART transport layer
Juniper Passive Monitor PIC
can't perform operation on activated capture
%s: %s
%s is not one of the DLTs supported by this device
DLT %d is not one of the DLTs supported by this device
That device doesn't support promiscuous mode
That device doesn't support monitor mode
That operation is supported only in monitor mode
Unknown error: %d
Sending packets isn't supported on savefiles
Setting direction is not supported on savefiles
error reading dump file: %s
truncated dump file; tried to read %u captured bytes, only got %lu
Can't write to %s: %s
%s: link-layer type %d isn't supported in savefiles
bogus IPv6 address %s
bogus ethernet address %s
illegal token: %s
illegal char '%c'
%sUnable to get the exact error message
%s%s (code %d)
%s (code %d)
Is the server properly installed on %s? connect() failed: %s
getaddrinfo(): socket type not supported
getaddrinfo(): multicast addresses are not valid when using TCP streams
Cannot retrieve the extended statistics from a file or a TurboCap port
PacketGetStatsEx error: %s
Cannot transmit a queue to an offline capture or to a TurboCap port
Impossible to set user buffer while reading from a file or on a TurboCap port
Error: invalid size %d
live dump needs a physical interface supported by the NPF driver
wrong interface type. A physical interface supported by the NPF driver is needed
c:\winpcap\winpcap\wpcap\PRJ\Release No AirPcap\x86\Wcwpcap.pdb
HTTP/1.1 302 Moved Temporarily
HTTP://
Http://
HTTPS://
Https://
HTTP/1.1 200 OK
C:\Windows\System32\filter.dat
C:\js.dat
%d. %s
192.168.
192.168.1.128
HTTP/1.
HTTP/1.
"CU":"hXXp://
hXXp://downfile.duapp.com/2017021616.flv
.html
baidu.com
hXXp://%s
%s?js=%s&slot=%s
stat.php
www1.baidu.com
.baidu.com
VVV.hao123.com
hXXp://VVV.hao123.com/?tn=
VVV.sogou.com
/index.php?pid=
123.sogou.com
Create socket as a server error: %d
Bind %d error: %d
Bind %d success: %d
Listen %d error: %d
connect to real server %s:%d error
0.0.0.1
domain=%d&netid=%d&ius=%s&iusser=%s&a0=%d&a1=%d&a2=%s&a3=%s&a4=%s&a5=%s
hXXp://api.52wba.com/mp/IusService
\Filter\Release\Filter.pdb
RegQueryInfoKeyA
InternetCrackUrlA
WININET.dll
MiddleGetMediaUrl
`.data
MFC42u.DLL
msvcrt.dll
NTDLL.DLL
%%%d.%ds----------
%%%d.%ds(%%8.8X)
%%%d.%ds%%%d.%ds|%%8.8X|
%%%d.%ds%%%d.%ds|%%8.8X| ->"
pCategoryTable[%d]
pTagTable[%d]
pValue[%d]
p?????[%d]
pName[%d]
XXXXXX
{X-X-X-XX-XXXXXX}
XXXX.XXXXXX
%s,%s
LtZx
xxxxxxxxxxxxxxxx
,%d,%d,
,X
,X
GetSystemWindowsDirectoryW
TypesSupported
*.dll
npptools.pdb
ReportEventA
GetWindowsDirectoryW
RegCreateBlobKey
RegOpenBlobKey
SubkeyExists
recursiveDeleteKey
setKeyAndValue
B.reloc
g_CatchDataCount:%d
\winpcap\winpcap\packetntx\driver\bin\i386\npf.pdb
ZwQueryValueKey
ZwEnumerateKey
ZwOpenKey
NDIS.SYS
\winpcap\winpcap\packetntx\driver\bin\amd64\npf.pdb
c:\winpcap\winpcap\packetNtx\Dll\Project\Release\x64\WcwPacket.pdb
c:\winpcap\winpcap\wpcap\prj\release no airpcap\x64\Wcwpcap.pdb
RegNotifyChangeKeyValue
EnumChildWindows
nKERNEL32.DLL
- floating point support not loaded
WUSER32.DLL
accKeyboardShortcut
MiniWeb
MiniWeb Version 1.0
MiniWeb
1.0.0.2
MiniWeb.exe
MiniWeb(&A)...
All Files (*.*)
No error message is available.
An unsupported operation was attempted.
A required resource was unavailable.
Command failed.
Insufficient memory to perform operation.
System registry entries have been removed and the INI file (if any) was deleted.
Not all of the system registry entries (or INI file) were removed.
This program requires the file %s, which was not found on this system.
This program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.
Unable to read from %1, it is opened by someone else.
Unable to write to %1, it is read-only or opened by someone else.
An unexpected error occurred while reading %1.
An unexpected error occurred while writing %1.
Access to %1 was denied.
An invalid file handle was associated with %1.
%1 could not be removed because it is the current directory.
%1 could not be created because the directory is full.
Seek failed on %1
A hardware I/O error was reported while accessing %1.
A sharing violation occurred while accessing %1.
A locking violation occurred while accessing %1.
Disk full while accessing %1.
An attempt was made to access %1 past its end.
No error occurred.
An unknown error occurred while accessing %1.
An attempt was made to write to the reading %1.
An attempt was made to access %1 past its end.
An attempt was made to read from the writing %1.
Unable to load mail system support.
dbghelp.dll
MSCOREE.DLL
2014-7-31 11:46:19
1.0.0.4
6.2.2637.21016
InjectPr.dll
\SystemRoot\system32\ntoskrnl.exe
\SystemRoot\system32\ntkrnlpa.exe
TCP redirector sub-layer
sub-layer for use by tcp redirector proxy callouts
TCP Redirector Callout
Streamwise redirector for TCP traffic
TCP Redirector Filter
Doredirect for TCP traffic
127.0.0.1
\SystemRoot\system32\ntdll.dll
\WINDOWS\system32\csrss.exe
\WINDOWS\explorer.exe
\WINDOWS\system32\svchost.exe
\WINDOWS\system32\taskmgr.exe
\WINDOWS\syswow64\checkudo.exe
\WINDOWS\system32\winlogon.exe
%WinDir%\Explorer.EXE
\$RECYCLE.BIN\
\QCXMiniPort
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
TcpIp
SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
drivers\WCW.sys
\StringFileInfo\xx\FileVersion
snpp\ndisnpp.dll
PACKET.DLL
packet.dll (NT5) Dynamic Link Library
4.1.0.2980
packet.dll
wpcap.dll Dynamic Link Library - based on libpcap 1.0rel0b branch (20091008)
wpcap.dll
2017-9-30 10:32:23
1.0.4.5
szUrl
\\.\root
%S_%d
\kernel32.dll
HHCTRL.OCX
NETMON2.CHM
5.1.2600.5512 (xpsp.080413-0852)
NPPTools.DLL
Microsoft(R) Windows(R) Operating System
5.1.2600.5512
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\
\Registry\Machine\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Linkage
npf.sys (NT5/6 x86) Kernel Driver
npf.sys
npf.sys (NT5/6 AMD64) Kernel Driver
npp\ndisnpp.dll
taskhost.exe_2688:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
ole32.dll
OLEAUT32.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
USER32.dll
RPCRT4.dll
d:\w7rtm\admin\wmi\jobs\ubpmlibs\comtaskhost\comtaskapi.cpp
The likely culprit task is stuck on the same stack with %S.
d:\w7rtm\admin\wmi\jobs\ubpmlibs\closewinapp\closewinapp.cpp
Invalid parameter passed to C runtime function.
taskhost.pdb
_wcmdln
_amsg_exit
InitOnceExecuteOnce
SetProcessShutdownParameters
MsgWaitForMultipleObjects
EnumThreadWindows
EnumWindows
ntdll.dll
GetProcessHeap
CATCH_KNOWN: %S ==> hr=0x%x [%S(),%d,%S]
bStartComTask() --> h=0x%x ret=%d
StopComTask(0x%x) --> ret=%d
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule
ComTaskMgrWnd(0x%x)::ShutdownTasksWorker()
ComTaskMgrWnd(0x%x)::Shutdown(%ws)
gCleanupSet()::Remove(0x%x)
ComTaskHost(0x%x)::WaitForTaskStartCompletion() --> 0x%x
ComTaskHost(0x%x)::WaitForTaskStartCompletion()
ComTaskHost(0x%x)::%ws() --> ReleaseLifetimeRef(this)
ComTaskHost(0x%x)::StopTaskWorker() --> 0x%x
ComTaskHost(0x%x)::StopTaskWorker()
ComTaskHost(0x%x)::Shutdown()
ComTaskHost(0x%x)::HandleReportingState(0x%x) --> 0x%x
ComTaskHost(0x%x): UbpmReportTaskStatus(0x%x) --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> 0x%x
ITaskHandler::Start(0x%x,"%ws") --> 0x%x
ComTaskHost(0x%x)::StartTaskWorker() --> ITaskHandler(0x%x)::Start(0x%x,"%ws")
ComTaskHost(0x%x)::StartTaskWorker()
ComTaskHost(0x%x)::Stop --> 0x%x
ComTaskHost(0x%x)::Stop - CreateThread failed with 0x%x
StartTaskThread(0x%x) bailed out because of shutdown
ComTaskHost(0x%x)::~ComTaskHost()
ComTaskHost(0x%x)::Start --> 0x%x
ComTaskHost(0x%x)::TaskCompleted() skipped because of shutdown
ComTaskHost(0x%x)::TaskCompleted(0x%x)
ComTaskHost(0x%x)::AddRef -> m_cRef = %d
ComTaskHost(0x%x)::Release -> m_cRef = %d
WinAppTerminator: found wnd 0x%x for pid %d.
WinAppTerminator: forced WM_CLOSE sent to top wnd 0x%x.
WinAppTerminator: EnumThreadWindows failed err=%d.
Host Process for Windows Tasks
6.1.7601.17514 (win7sp1_rtm.101119-1850)
taskhost.exe
Windows
Operating System
6.1.7601.17514
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\dseb[1].dat (46 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (1837 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\gajp[1].dat (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mtbill[1].dat (1069 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ghfot[1].dat (1243 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\upopup[1].dat (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\psip[1].dat (48 bytes)
C:\Windows\System32\psip.dat (48 bytes)
C:\Windows\System32\PSvr.ini (118 bytes)
C:\Windows\System32\psip.ini (53 bytes)
C:\Windows\System32\mulone1.ini (192 bytes)
C:\Windows\System32\gajp.dat (54 bytes)
C:\Windows\System32\ghfot.dat (1 bytes)
C:\Windows\System32\dseb.dat (46 bytes)
C:\Windows\System32\prefer (27 bytes)
C:\$Directory (2304 bytes)
C:\Windows\System32\mulone1.dat (139 bytes)
C:\Windows\Procnt2.sys (37 bytes)
C:\Windows\System32\PSvr.dat (107 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (4334 bytes)
C:\Windows\System32\upopup.dat (4 bytes)
C:\Windows\System32\ghfot.ini (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\mulone1[1].dat (139 bytes)
C:\Windows\System32\dseb.ini (50 bytes)
C:\Windows\System32\mtbill.dat (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\PSvr[1].dat (107 bytes)
C:\Windows\System32\gajp.ini (50 bytes)
C:\Windows\System32\mulone2.ini (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mulone2[1].dat (126 bytes)
C:\Windows\System32\mulone2.dat (126 bytes)
C:\Windows\System32\mtbill.ini (2 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.