Gen.Variant.Strictor.30813_2f66caa17a
Susp_Dropper (Kaspersky), Gen:Variant.Strictor.30813 (B) (Emsisoft), Gen:Variant.Strictor.30813 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 2f66caa17a0593efb1a256375a3498f0
SHA1: 43b4be4a346d7f36924c23169972461b16920310
SHA256: 45c78ff131caf4f7c3a314bf30682e0315a92d1b6445cc260c6378cef61d7c18
SSDeep: 24576:VcP21rCcC ePtSidsAMg1wiokaRa2Nd5mDHk/I0 JLu /fq x0 Q 2 Zib8y:VcE3wPcg1yk72NdqS
Size: 1150976 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2017-03-05 06:40:58
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-PSW. Trojan program intended for stealing users' passwords.
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:2948
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2948 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\json2[1].js (7098 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\TCapIframe[1].js (3389 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\53P3XZXY.txt (521 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\TCapIframeApi[1].js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pt_fetch_dev_uin[1].js (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ptlogin_report[1].bmp (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ptqrshow[1].png (443 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\TCapMsg[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ptui_ver[1].js (227 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\xlogin[1].htm (4057 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SWUMN0R8.txt (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\xver[1].htm (99 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SWUMN0R8.txt (0 bytes)
Registry activity
The process %original file name%.exe:2948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASMANCS]
"EnableFileTracing" = "0"
"FileDirectory" = "%windir%\tracing"
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASAPI32]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1488688858"
[HKLM\SOFTWARE\Microsoft\Tracing\2f66caa17a0593efb1a256375a3498f0_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 795859 | 798720 | 4.51169 | 5761d83ff1599b96f8d3fa7eea1bc7b1 |
| .rdata | 802816 | 135718 | 139264 | 3.03499 | aaa813473c8ebb85dd40208a7dc13a8d |
| .data | 942080 | 332104 | 81920 | 3.74431 | 059f7ca78fb815ba1dc4769d0ed620e7 |
| .rsrc | 1277952 | 125404 | 126976 | 3.49971 | 0b2037f2a37a97501a893d4195a6d44c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=312326273372QQ277325274344&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html | |
| hxxp://p21.tcdn.qq.com/ptlogin/v4/style/40/images/icon_3_tiny.png | |
| hxxp://p21.tcdn.qq.com/ptlogin/ver/10202/js/c_login_2.js?max_age=604800&ptui_identifier=000D23D5992EA4F87FE009A76A8597E442DFB25655F76190B41C7DFE | |
| hxxp://p21.tcdn.qq.com/ptlogin/v4/style/0/images/load.gif | |
| hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/xver?t=0.490436319051 | |
| hxxp://p21.tcdn.qq.com/ptlogin/v4/style/20/images/shouQ_v2/small_8.png | |
| hxxp://a1574.b.akamai.net/ptqrshow?appid=549000912&e=2&l=M&s=3&d=72&v=4&t=0.6017620177549429&daid=5 | |
| hxxp://a1574.b.akamai.net/pt_fetch_dev_uin?r=0.1144178000241039&pt_guid_token=1251078382 | |
| hxxp://captcha.qq.com/template/TCapIframeApi.js?aid=549000912&rand=0.2165467144450235&clientype=2&lang=2052&apptype=2 | |
| hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/report?id=455847 | |
| hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/report?id=492804 | |
| hxxp://xui.ptlogin2.tencent-cloud.com/ptui_ver.js?v=0.3508854457222641&ptui_identifier=000E0129A00FE67B9531D473EAF1292E75EDCF49FD44439FCA2ADCB556 | |
| hxxp://xui.ptlogin2.tencent-cloud.com/cgi-bin/report?id=358342&t=0.046202841897111435 | |
| hxxp://log.ptlogin2.tencent-cloud.com/cgi-bin/ptlogin_report?id=462348&msg=gzip探测异常,返回内容:var _gz=!0,img=new Image;img.src=location.protocol+"//ui.ptlogin2.qq.com/cgi-bin/report?id=455848";返回ç :200uin=|_|http://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http%3A//qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http%3A%2F%2Fqzs.qq.com%2Fqzone%2Fv5%2Floginsucc.html%3Fpara%3Dizone&pt_qr_app=ÊÖ»úQQ¿Õ¼ä&pt_qr_link=http%3A//z.qzone.com/download.html&self_regurl=http%3A//qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http%3A//z.qzone.com/download.html|_|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)&v=0.35947195415446303 | |
| hxxp://p21.tcdn.qq.com/1/TCapMsg.js | |
| hxxp://p21.tcdn.qq.com/1/json2.js | |
| hxxp://p21.tcdn.qq.com/1/TCapIframe.js?v=1.0 | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796263979&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796266990&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796270000&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796273012&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796276022&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796279035&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796282044&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796285054&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796288065&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796291076&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://a1574.b.akamai.net/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796294087&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://imgcache.qq.com/ptlogin/v4/style/40/images/icon_3_tiny.png | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796276022&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796285054&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=....QQ....&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html | |
| hxxp://ptlogin2.qq.com/ptqrshow?appid=549000912&e=2&l=M&s=3&d=72&v=4&t=0.6017620177549429&daid=5 | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796270000&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://imgcache.qq.com/ptlogin/ver/10202/js/c_login_2.js?max_age=604800&ptui_identifier=000D23D5992EA4F87FE009A76A8597E442DFB25655F76190B41C7DFE | |
| hxxp://ui.ptlogin2.qq.com/cgi-bin/report?id=492804 | |
| hxxp://imgcache.qq.com/ptlogin/v4/style/20/images/shouQ_v2/small_8.png | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796273012&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/load.gif | |
| hxxp://xui.ptlogin2.qq.com/cgi-bin/xver?t=0.490436319051 | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796263979&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796282044&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796288065&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://captcha.gtimg.com/1/TCapIframe.js?v=1.0 | |
| hxxp://xui.ptlogin2.qq.com/ptui_ver.js?v=0.3508854457222641&ptui_identifier=000E0129A00FE67B9531D473EAF1292E75EDCF49FD44439FCA2ADCB556 | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796266990&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://ui.ptlogin2.qq.com/cgi-bin/report?id=455847 | |
| hxxp://captcha.gtimg.com/1/json2.js | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796294087&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://ptlogin2.qq.com/pt_fetch_dev_uin?r=0.1144178000241039&pt_guid_token=1251078382 | |
| hxxp://ui.ptlogin2.qq.com/cgi-bin/report?id=358342&t=0.046202841897111435 | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796291076&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| hxxp://captcha.gtimg.com/1/TCapMsg.js | |
| hxxp://ptlogin2.qq.com/ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796279035&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& | |
| www.xiaoqianyl.com | |
| log.wtlogin.qq.com |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /template/TCapIframeApi.js?aid=549000912&rand=0.2165467144450235&clientype=2&lang=2052&apptype=2 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: captcha.qq.com
Connection: Keep-Alive
Cookie: _qpsvr_localtk=0.3517042217588793
HTTP/1.1 200 OK
Server: tencent http server
Accept-Ranges: bytes
Pragma: No-cache
P3P: CP=CAO PSA OUR
Content-Length: 2743
Connection: close
Content-Type: application/x-javascript!function(t,e){var n=e(t);"undefined"!=typeof define&&(define.cmd||def
ine.amd)&&define(function(){return n})}(window,function(t){function e(
e){var n=0;j=!1;for(var c=0;c<e.length;c ){var o=t.document.create
Element("script");o.type="text/javascript",o.async=!0,o.src=e[c],o.onl
oad=o.onreadystatechange=function(){"undefined"!=typeof this.readyStat
e&&"loaded"!==this.readyState&&"complete"!==this.readyState||(j= n>
;=e.length,j&&(E(),E=function(){}))},t.document.getElementsByTagName("
head").item(0).appendChild(o)}}function n(){if("undefined"==typeof JSO
N.stringify||"undefined"==typeof Messenger||"undefined"==typeof AqSCod
e)return void(t.console&&t.console.log("script onload not ready"));S&&
S.lang&&("2052"==S.lang||"1033"==S.lang)&&($=S.lang);var e=p({ele:_,sr
c:b[0],domain:y,s_type:b[1],slide_src:b[2],s_type_suffix:m,uin:g,lang:
$},S||{});q=new AqSCode(e),q.listen(k),q.start(w),q.end(C)}function c(
){return q.getTicket()}function o(t,e,c){"function"==typeof e?(k=e,S=c
):(S=e,S.callback&&"function"==typeof S.callback?k=S.callback:"functio
n"==typeof c&&(k=c)),S&&S.start&&"[object Function]"==Object.prototype
.toString.call(S.start)&&(w=function(){S.start&&S.start(),s.start()}),
S&&S.end&&"[object Function]"==Object.prototype.toString.call(S.end)&&
(C=function(){S.end&&S.end(),s.end()}),_=t,j?n():E=n}function a(t){q&&
q.refresh&&q.refresh(t)}function i(){q&&q.destroy&&q.destroy()}functio
n r(t){var e=new AqSCode({ele:t,src:b[0]});return e}var d={add:functio
n(e,n,c){t.document.addEventListener?e.addEventListener(n,c,!1):t.<<< skipped >>>
GET /pt_fetch_dev_uin?r=0.1144178000241039&pt_guid_token=1251078382 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; _qpsvr_localtk=0.3517042217588793
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
P3P: CP="CAO PSA OUR"
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 53
Date: Sat, 18 Mar 2017 00:17:41 GMT
Connection: keep-alive
Set-Cookie: pt_recent_uins=e75ea3177331630f090d49f30908786aa22763ff34ebc51bb1364959fa5ed026a3f9102a1e6b288c0e7f1b7de6848b7b27b7add7f3c99c30; EXPIRES=Mon, 17-Apr-2017 00:17:40 GMT; PATH=/; DOMAIN=ptlogin2.qq.com; HttpOnlyptui_fetch_dev_uin_CB({"errcode":22027,"data":[]});..HTTP/1.1 200 OK..
Server: Tencent Login Server/2.0.0..Pragma: no-cache..P3P: CP="CAO PSA
OUR"..Content-Type: application/x-javascript; charset=utf-8..Content-
Length: 53..Date: Sat, 18 Mar 2017 00:17:41 GMT..Connection: keep-aliv
e..Set-Cookie: pt_recent_uins=e75ea3177331630f090d49f30908786aa22763ff
34ebc51bb1364959fa5ed026a3f9102a1e6b288c0e7f1b7de6848b7b27b7add7f3c99c
30; EXPIRES=Mon, 17-Apr-2017 00:17:40 GMT; PATH=/; DOMAIN=ptlogin2.qq.
com; HttpOnly..ptui_fetch_dev_uin_CB({"errcode":22027,"data":[]});..
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796266990&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 66
Date: Sat, 18 Mar 2017 00:17:47 GMT
Connection: keep-aliveptuiCB('66','0','','0','.....................(1758464724)', '');..HTTP
/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cac
he-Control: no-cache; must-revalidate..Expires: -1..Content-Type: appl
ication/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18
Mar 2017 00:17:47 GMT..Connection: keep-alive..ptuiCB('66','0','','0'
,'.....................(1758464724)', '');......
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796273012&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 66
Date: Sat, 18 Mar 2017 00:17:53 GMT
Connection: keep-aliveptuiCB('66','0','','0','.....................(2489323120)', '');..HTTP
/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cac
he-Control: no-cache; must-revalidate..Expires: -1..Content-Type: appl
ication/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18
Mar 2017 00:17:53 GMT..Connection: keep-alive..ptuiCB('66','0','','0'
,'.....................(2489323120)', '');......
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796279035&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 66
Date: Sat, 18 Mar 2017 00:17:59 GMT
Connection: keep-aliveptuiCB('66','0','','0','.....................(1045447828)', '');..HTTP
/1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cac
he-Control: no-cache; must-revalidate..Expires: -1..Content-Type: appl
ication/x-javascript; charset=utf-8..Content-Length: 66..Date: Sat, 18
Mar 2017 00:17:59 GMT..Connection: keep-alive..ptuiCB('66','0','','0'
,'.....................(1045447828)', '');......
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796285054&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 65
Date: Sat, 18 Mar 2017 00:18:05 GMT
Connection: keep-aliveptuiCB('66','0','','0','.....................(136340752)', '');..HTTP/
1.1 200 OK..Server: Tencent Login Server/2.0.0..Pragma: no-cache..Cach
e-Control: no-cache; must-revalidate..Expires: -1..Content-Type: appli
cation/x-javascript; charset=utf-8..Content-Length: 65..Date: Sat, 18
Mar 2017 00:18:05 GMT..Connection: keep-alive..ptuiCB('66','0','','0',
'.....................(136340752)', '');......
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796291076&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 66
Date: Sat, 18 Mar 2017 00:18:11 GMT
Connection: keep-alive
ptuiCB('66','0','','0','.....................(2356178916)', '');
GET /cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=....QQ....&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 00:17:15 GMT
Content-Type: text/html
Content-Length: 10177
Connection: keep-alive
Server: QZHTTP-2.38.41
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=86400
Set-Cookie: pt_user_id=5155553559719578009; EXPIRES=Tue, 16-Mar-2027 00:17:15 GMT; PATH=/; DOMAIN=ui.ptlogin2.qq.com;
Set-Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; PATH=/; DOMAIN=ptlogin2.qq.com;
Set-Cookie: pt_clientip=9ca9c2f260dae245; PATH=/; DOMAIN=ptlogin2.qq.com;
Set-Cookie: pt_serverip=a80a0ab19b5d9f37; PATH=/; DOMAIN=ptlogin2.qq.com;
Set-Cookie: pt_local_token=-2070306734; PATH=/; DOMAIN=ptlogin2.qq.com;
Set-Cookie: uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; PATH=/; DOMAIN=ptlogin2.qq.com;
Set-Cookie: pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; EXPIRES=Mon, 17-Apr-2017 00:17:15 GMT; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT
Content-Encoding: gzip
GET /cgi-bin/xver?t=0.490436319051 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; _qpsvr_localtk=0.3517042217588793
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 00:17:40 GMT
Content-Type: text/html
Content-Length: 114
Connection: keep-alive
Server: QZHTTP-2.38.41
P3P: CP="CAO PSA OUR"
Content-Encoding: gzip
GET /ptui_ver.js?v=0.3508854457222641&ptui_identifier=000E0129A00FE67B9531D473EAF1292E75EDCF49FD44439FCA2ADCB556 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; _qpsvr_localtk=0.3517042217588793
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 00:17:41 GMT
Content-Type: application/x-javascript
Content-Length: 177
Connection: keep-alive
Server: QZHTTP-2.38.41
Last-Modified: Mon, 13 Mar 2017 08:20:18 GMT
Content-Encoding: gzip
Cache-Control: public; max-age=86400
Expires: Sun, 19 Mar 2017 00:17:41 GMT
GET /cgi-bin/report?id=492804 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ui.ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 00:17:41 GMT
Content-Type: image/bmp;
Content-Length: 66
Connection: keep-alive
Server: QZHTTP-2.38.41
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
GET /cgi-bin/report?id=455847 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ui.ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; _qpsvr_localtk=0.3517042217588793
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 00:17:41 GMT
Content-Type: image/bmp;
Content-Length: 66
Connection: keep-alive
Server: QZHTTP-2.38.41
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
GET /cgi-bin/report?id=358342&t=0.046202841897111435 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ui.ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea3177331630f090d49f30908786aa22763ff34ebc51bb1364959fa5ed026a3f9102a1e6b288c0e7f1b7de6848b7b27b7add7f3c99c30; _qpsvr_localtk=0.3517042217588793
HTTP/1.1 200 OK
Date: Sat, 18 Mar 2017 00:17:42 GMT
Content-Type: image/bmp;
Content-Length: 66
Connection: keep-alive
Server: QZHTTP-2.38.41
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
GET /cgi-bin/ptlogin_report?id=462348&msg=gzip探测异常,返回内容:var _gz=!0,img=new Image;img.src=location.protocol+"//ui.ptlogin2.qq.com/cgi-bin/report?id=455848";返回码:200uin=|_|http://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http%3A//qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http%3A%2F%2Fqzs.qq.com%2Fqzone%2Fv5%2Floginsucc.html%3Fpara%3Dizone&pt_qr_app=手机QQ空间&pt_qr_link=http%3A//z.qzone.com/download.html&self_regurl=http%3A//qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http%3A//z.qzone.com/download.html|_|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)&v=0.35947195415446303 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/
HTTP/1.1 200 OK
Connection: close
Server: QZHTTP-2.38.20
Date: Sat, 18 Mar 2017 00:17:41 GMT
Content-Type: image/bmp;
Content-Length: 66
GET /ptlogin/v4/style/20/images/shouQ_v2/small_8.png HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
Cookie: _qpsvr_localtk=0.3517042217588793
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sat, 18 Mar 2017 00:17:40 GMT
Cache-Control: max-age=259200
Expires: Tue, 21 Mar 2017 00:17:40 GMT
Last-Modified: Mon, 06 Jun 2016 09:14:56 GMT
Content-Type: image/png
Content-Length: 8566
X-NWS-LOG-UUID: 55c232d7-04c3-4f94-82a3-6e2dfabdc148
Keep-Alive: timeout=60
Vary: Accept
X-Cache-Lookup: Hit From Disktank
GET /ptqrshow?appid=549000912&e=2&l=M&s=3&d=72&v=4&t=0.6017620177549429&daid=5 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; _qpsvr_localtk=0.3517042217588793
HTTP/1.1 200 OK
Server: tencent http server
Accept-Ranges: bytes
Pragma: No-cache
P3P: CP="CAO PSA OUR"
Content-Type: image/png
Content-Length: 443
Date: Sat, 18 Mar 2017 00:17:40 GMT
Connection: keep-alive
Set-Cookie: qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; PATH=/; DOMAIN=ptlogin2.qq.com;
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796263979&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 66
Date: Sat, 18 Mar 2017 00:17:44 GMT
Connection: keep-alive
ptuiCB('66','0','','0','.....................(3484442688)', '');
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796270000&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 66
Date: Sat, 18 Mar 2017 00:17:50 GMT
Connection: keep-alive
ptuiCB('66','0','','0','.....................(3165664804)', '');
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796276022&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 66
Date: Sat, 18 Mar 2017 00:17:56 GMT
Connection: keep-alive
ptuiCB('66','0','','0','.....................(3046127756)', '');
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796282044&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 66
Date: Sat, 18 Mar 2017 00:18:02 GMT
Connection: keep-alive
ptuiCB('66','0','','0','.....................(4017122992)', '');
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796288065&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 66
Date: Sat, 18 Mar 2017 00:18:08 GMT
Connection: keep-alive
ptuiCB('66','0','','0','.....................(1108371936)', '');
GET /ptqrlogin?u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptqrtoken=42636011&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=0-0-1489796294087&js_ver=10202&js_type=1&login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01&pt_uistyle=40&aid=549000912&daid=5& HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ptlogin2.qq.com
Connection: Keep-Alive
Cookie: pt_login_sig=zBBxaCFtt95L1ahNFypcOlv3rnTdn8E84k6cUnNZ4IqTHZM8EYg0T56W9naWzo01; pt_clientip=9ca9c2f260dae245; pt_serverip=a80a0ab19b5d9f37; pt_local_token=-2070306734; uikey=02a81fe40b7da8cd61c75daf56af648abb60d2bc9329cf7acbd7ac106ec70bbb; pt_guid_sig=112eca44eda395e82b6646427f13e7ac3357d3c58a0534a179b6ef8e0d0612ef; qrsig=jqHBPEQ2a7KgGonxrGbXkZDy4r*5yYKoC2B1jckcYdJe3eRN5na*dWElmiwXp7B3; pt_recent_uins=e75ea317
HTTP/1.1 200 OK
Server: Tencent Login Server/2.0.0
Pragma: no-cache
Cache-Control: no-cache; must-revalidate
Expires: -1
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 65
Date: Sat, 18 Mar 2017 00:18:14 GMT
Connection: keep-alive
ptuiCB('66','0','','0','..........
GET /1/json2.js HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: captcha.gtimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sat, 18 Mar 2017 00:17:41 GMT
Cache-Control: max-age=600
Expires: Sat, 18 Mar 2017 00:27:41 GMT
Last-Modified: Tue, 28 Feb 2017 02:22:34 GMT
Content-Type: application/x-javascript
Content-Length: 5426
Content-Encoding: gzip
X-NWS-LOG-UUID: e2cfa8f9-83e0-41fc-b99b-8653572b7836
Keep-Alive: timeout=60
p3p: CP="CAO PSA OUR"
X-Cache-Lookup: Hit From Disktank Gz
[binary response body not reproduced: gzip-compressed application/x-javascript, truncated by the sandbox]
GET /ptlogin/v4/style/40/images/icon_3_tiny.png HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sat, 18 Mar 2017 00:17:38 GMT
Cache-Control: max-age=259200
Expires: Tue, 21 Mar 2017 00:17:38 GMT
Last-Modified: Wed, 18 May 2016 07:00:15 GMT
Content-Type: image/png
Content-Length: 10711
X-NWS-LOG-UUID: 6e820b82-af6e-42dc-b0d9-faf76fda3cb5
Keep-Alive: timeout=60
Vary: Accept
X-Cache-Lookup: Hit From Disktank
[binary response body not reproduced: image/png, truncated by the sandbox]
GET /ptlogin/ver/10202/js/c_login_2.js?max_age=604800&ptui_identifier=000D23D5992EA4F87FE009A76A8597E442DFB25655F76190B41C7DFE HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sat, 18 Mar 2017 00:17:39 GMT
Cache-Control: max-age=604800
Expires: Sat, 25 Mar 2017 00:17:39 GMT
Last-Modified: Mon, 13 Mar 2017 08:35:13 GMT
Content-Type: application/x-javascript
Content-Length: 34017
Content-Encoding: gzip
X-NWS-LOG-UUID: 0676e8a0-3cd0-49ed-939a-3e2342a409cf
Keep-Alive: timeout=60
Vary: Origin
X-Cache-Lookup: Hit From Disktank Gz
[binary response body not reproduced: gzip-compressed application/x-javascript, truncated by the sandbox]
GET /ptlogin/v4/style/0/images/load.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive
Cookie: _qpsvr_localtk=0.3517042217588793
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sat, 18 Mar 2017 00:17:39 GMT
Cache-Control: max-age=2592000
Expires: Mon, 17 Apr 2017 00:17:39 GMT
Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT
Content-Type: image/gif
Content-Length: 817
X-NWS-LOG-UUID: 083e3276-b515-49ca-8bb6-92d19b60fcbd
Keep-Alive: timeout=60
Vary: Origin
X-Cache-Lookup: Hit From Disktank
[binary response body not reproduced: image/gif, ending with the trailer comment below]
/* |xGv00|a0977a7e1f04529fe4ad7ac9aebd6177 */
GET /1/TCapMsg.js HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: captcha.gtimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sat, 18 Mar 2017 00:17:41 GMT
Cache-Control: max-age=600
Expires: Sat, 18 Mar 2017 00:27:41 GMT
Last-Modified: Tue, 28 Feb 2017 02:22:34 GMT
Content-Type: application/x-javascript
Content-Length: 636
Content-Encoding: gzip
X-NWS-LOG-UUID: 285d82b6-58a2-486a-b054-3462a4ebfc41
Keep-Alive: timeout=60
p3p: CP="CAO PSA OUR"
X-Cache-Lookup: Hit From Disktank Gz
[binary response body not reproduced: gzip-compressed application/x-javascript]
GET /1/TCapIframe.js?v=1.0 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=........QQ........&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: captcha.gtimg.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: X2S_Platform
Connection: keep-alive
Date: Sat, 18 Mar 2017 00:17:41 GMT
Cache-Control: max-age=600
Expires: Sat, 18 Mar 2017 00:27:41 GMT
Last-Modified: Tue, 28 Feb 2017 02:22:34 GMT
Content-Type: application/x-javascript
Content-Length: 3252
Content-Encoding: gzip
X-NWS-LOG-UUID: ac2ee52e-92be-4cf2-8065-93dfde8457da
Keep-Alive: timeout=60
p3p: CP="CAO PSA OUR"
X-Cache-Lookup: Hit From Disktank Gz
[binary response body not reproduced: gzip-compressed application/x-javascript, truncated by the sandbox]
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
t%SVh
t$(SSh
~%UVW
u$SShe
Bv.SCv=kAv
wininet.dll
ole32.dll
kernel32.dll
user32.dll
ShellExecuteA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
EnumWindows
CreateIoCompletionPort
{B6F7542F-B8FE-46a8-9605-98856A687097}hXXp://VVV.xiaoqianyl.com/txzshc20170305.txt
hXXp://VVV.xiaoqianyl.com/
qzone.qq.com
hXXp://xui.ptlogin2.qq.com/cgi-bin/xlogin?proxy_url=http://qzs.qq.com/qzone/v6/portal/proxy.html&daid=5&&hide_title_bar=1&low_login=0&qlogin_auto_login=1&no_verifyimg=1&link_target=blank&appid=549000912&style=22&target=self&s_url=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&pt_qr_app=
&pt_qr_link=http://z.qzone.com/download.html&self_regurl=http://qzs.qq.com/qzone/v6/reg/index.html&pt_qr_help_link=http://z.qzone.com/download.html
hXXp://
hXXps://
user.qzone.qq.com/
p_skey=(.*?);
(*.txt)|*.txt|
(*.*)|*.*
social.show.qq.com/cgi-bin/qqshow_camera_noname?g_tk=
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
https
QQ.exe
hXXp://r.cnc.qzone.qq.com/cgi-bin/tfriend/friend_mngfrd_get.cgi?uin=
tencent://ContactInfo/?subcmd=ViewInfo&puin=0&uin=
VBScript.RegExp
z>wininet.dll
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
RASAPI32.dll
GetProcessHeap
WinExec
KERNEL32.dll
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
EnumChildWindows
USER32.dll
GetViewportOrgEx
GDI32.dll
WINMM.dll
MSIMG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
WS2_32.dll
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
GetCPInfo
CreateDialogIndirectParamA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
RegCreateKeyExA
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
w7D666D666D888D
(*.*)
1.0.0.0
(hXXp://VVV.eyuyan.com)
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\json2[1].js (7098 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\TCapIframe[1].js (3389 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\53P3XZXY.txt (521 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\TCapIframeApi[1].js (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pt_fetch_dev_uin[1].js (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ptlogin_report[1].bmp (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ptqrshow[1].png (443 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\TCapMsg[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ptui_ver[1].js (227 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\xlogin[1].htm (4057 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\SWUMN0R8.txt (141 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\xver[1].htm (99 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.