Trojan.Win32.FlyStudio_a83b936adf



by malwarelabrobot on April 23rd, 2017 in Malware Descriptions.

Trojan.Siggen6.63994 (DrWeb), Artemis!A83B936ADF09 (McAfee), ML.Attribute.HighConfidence (Symantec), Win32/Heur (AVG), Win32:Malware-gen (Avast), Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: a83b936adf0926317eaed50bb3c54eda
SHA1: 7005e85315d65ef8607db35fb170fb28032c0cfb
SHA256: 50d255bd1c60163f6d2e70ab23951795d41c0d6690e360397a75403b6ba72596
SSDeep: 12288:gLgJDlAIji8y5cqlgT7Jr AeDXS0iImtImo6RsWcjZZ8sMoYUB:HD6o11TNIDfirtIDoszlqqD
Size: 642997 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: ASPackv212, UPolyXv05_v6
Company:
Created at: 2014-08-25 11:32:44
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

In this run the sample behaves as a FlyStudio (易语言, "E-language") compiled Chinese application with bundled advertising rather than as a worm: it writes a configuration file (应用配置.ini) to the root of C:, loads the developer's usage-statistics page from www.yzrja.com through the IE/WinINet engine (which fires the CNZZ analytics beacons seen in the traffic), and polls plain-text files under /yzsoft/advert/ and /yzsoft/PushAdvert/ on the same server that name a push-advert download (filedown_238858.exe, served as a zip from yzrja88.5d4d.net). The PE timestamp (2014-08-25) matches the Last-Modified date of that statistics page. No persistence, code injection, dropped PE file or propagation was observed.

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.

The EmailWorm verdict (GenericEmailWorm.YR) and the Trojan-PSW.Win32.MSNPassword.FD name are signature names, not behaviour observed in this run: the capture contains no SMTP traffic, the Propagation section below is empty, and nothing in the file or registry activity indicates credential access.


Process activity

The Trojan creates the following process(es):

%original file name%.exe:1976

The Trojan injects its code into the following process(es):
No code injection into other processes was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1976 makes changes in the file system. Apart from the INI file written to the root of C:, everything listed is Internet Explorer cache and cookie content created while the sample rendered the developer's statistics page (hxxp://www.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html) through the embedded IE engine; compare the Referer header and the IE 7 User-Agent in the traffic below.
The Trojan creates and/or writes to the following file(s):

C:\Ó¦ÓÃÅäÖÃ.ini (1273 bytes)   (GBK file name 应用配置.ini, "application configuration", displayed as Windows-1252 mojibake by the sandbox)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3WIYROR0.txt (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\WZUK671P.txt (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stat[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\yzmrxgj2_0_new[1].htm (691 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJ1SY4A9.txt (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\core[1].js (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stat[2].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LOTCKZQQ.txt (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].js (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\core[1].js (763 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\D09L9HMD.txt (379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\V9Q5P1VU.txt (447 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\N44KR7LG.txt (92 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IJI2X89X.txt (92 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5E0Y784H.txt (133 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].js (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\core[1].js (762 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5IQPOJ12.txt (94 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IN7QKBDK.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TU5QSY09.txt (92 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].js (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9FJS561V.txt (643 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\D09L9HMD.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3WIYROR0.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\WZUK671P.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5IQPOJ12.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IN7QKBDK.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\N44KR7LG.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJ1SY4A9.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IJI2X89X.txt (0 bytes)

Registry activity

The process %original file name%.exe:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\a83b936adf0926317eaed50bb3c54eda_RASAPI32]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\a83b936adf0926317eaed50bb3c54eda_RASMANCS]
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

The two Tracing keys are created automatically by the RAS libraries for any executable that loads them (the key is named after the process image, here the sample's MD5 because the sandbox renamed the file), and the ZoneMap and Connections values are written by WinINet when it initialises its connection settings; none of this is persistence. No Run key, service, scheduled task or other autostart entry appears in the registry activity.

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

Together with "ProxyEnable" = "0" this is the set of values WinINet rewrites when the proxy configuration is applied as a direct connection with no proxy server, no bypass list and no PAC URL. Whether the sample requests this deliberately (which would route its own traffic around a user-level inspecting proxy) or merely triggers it through the IE engine cannot be told from this trace; in an environment that depends on a user-level proxy it is worth checking.

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ????http://www.yzrja.com
Product Name: ???????
Product Version: 2.0.0.0
Legal Copyright: ???????(C)http://www.yzrja.com
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.0.0.0
File Description: ??????
Comments: ???????????????????????,??????,?????!
Language: Chinese (Simplified, PRC)

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text    4096             958464        515072    5.54325   d901e883a9fbd0a994600ed343b79b18
.rdata   962560           237568        57856     5.54091   75855344d3e9fd835aad9bf471eef667
.data    1200128          524288        40960     5.53602   7f37c83ba790175f3ea18a4b330ef22b
.rsrc    1724416          32768         12800     4.98219   b948c4e2129a3a35bd35b540c6e38d18
.text    1757184          4096          4096      1.77359   3fc6f3472110095a7f37022719288f9e
.aspack  1761280          12288         10240     3.29745   0867fa32a5005be5504ca2e086babd7c
.adata   1773568          4096          0         0         d41d8cd98f00b204e9800998ecf8427e

The trailing .aspack and .adata sections are ASPack's own, matching the PEiD verdict (.adata has no raw data; d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input), and a duplicated section name (.text twice) is a further sign that the file was post-processed by a packer. The first four sections are stored compressed (raw sizes far below virtual sizes) and are expanded only in memory by the ASPack stub, so string and import analysis should be done on an unpacked copy or a memory dump rather than on the file as it is on disk.

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

All traffic is plain HTTP. Three groups of hosts appear: www.yzrja.com (218.95.37.242), the developer's server, which serves the statistics page and the plain-text advert/PushAdvert configuration files; the CNZZ web-analytics infrastructure (cnzz.com, mmstat.com, pcookie.gds.taobao.com and the *.danuoyi.tbcache.com CDN aliases, all part of Alibaba) loaded by that page; and www.baidu.com with its CDN name www.a.shifen.com, most likely a connectivity check (an assumption; the report shows no body for that request). The t= parameter of the stat.htm beacons, shown as Èí¼þʹÓÃͳ¼Æ, is the GBK page title 软件使用统计 ("software usage statistics") decoded as Windows-1252. Two things are notable by absence: 2345daohang2.txt does not exist on the server (the response is a SafeDog WAF "404" page delivered with HTTP 200), and yzrja88.5d4d.net, the download host named in 2345browserURL.txt, is never contacted, so the advertised filedown_238858.zip was not fetched during this run.

URL    IP
hxxp://www.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html 218.95.37.242
hxxp://www.a.shifen.com/
hxxp://www.yzrja.com/yzsoft/advert/yzmrxgj/title01.txt 218.95.37.242
hxxp://www.yzrja.com/yzsoft/advert/yzmrxgj/link01.txt 218.95.37.242
hxxp://www.yzrja.com/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browser.txt 218.95.37.242
hxxp://www.yzrja.com/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345daohang2.txt 218.95.37.242
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=1253133024
hxxp://www.yzrja.com/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browserURL.txt 218.95.37.242
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=4755173&web_id=4755173
hxxp://all.cnzz.com.danuoyi.tbcache.com/stat.php?id=4702665&web_id=4702665
hxxp://www.yzrja.com/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browserName.txt 218.95.37.242
hxxp://z.gds.cnzz.com/stat.htm?id=1253133024&r=&lg=en-us&ntime=none&cnzz_eid=113380915-1492823061-&showp=1276x846&t=Èí¼þʹÓÃͳ¼Æ&umuuid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c&h=1&rnd=277086771
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=1253133024&t=z
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=4755173&t=z
hxxp://all.cnzz.com.danuoyi.tbcache.com/core.php?web_id=4702665&t=z
hxxp://gm.gds.mmstat.com/9.gif?abc=1&rnd=1300376752
hxxp://gm.gds.mmstat.com/9.gif?abc=1&rnd=533210884
hxxp://z.gds.cnzz.com/stat.htm?id=4702665&r=&lg=en-us&ntime=none&cnzz_eid=168756798-1492825623-&showp=1276x846&t=Èí¼þʹÓÃͳ¼Æ&umuuid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c&h=1&rnd=970127262
hxxp://z.gds.cnzz.com/stat.htm?id=4755173&r=&lg=en-us&ntime=none&cnzz_eid=1166190261-1492823520-&showp=1276x846&t=Èí¼þʹÓÃͳ¼Æ&umuuid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c&h=1&rnd=1516340663
hxxp://gm.gds.mmstat.com/9.gif?abc=1&rnd=1755385211
hxxp://pcookie.gds.taobao.com/app.gif?&cna=MKuBEcuMvlMCAcLyYNqgonMO
hxxp://pcookie.gds.taobao.com/app.gif?&cna=MKuBEeIFe1MCAcLyYNqtIjRO
hxxp://pcookie.gds.taobao.com/app.gif?&cna=MauBEQI1LBMCAcLyYNq7RNhO
hxxp://www.baidu.com/
hxxp://pcookie.cnzz.com/app.gif?&cna=MKuBEeIFe1MCAcLyYNqtIjRO 106.11.92.14
hxxp://c.cnzz.com/core.php?web_id=4702665&t=z 222.186.49.224
hxxp://gzs20.cnzz.com/stat.htm?id=4702665&r=&lg=en-us&ntime=none&cnzz_eid=168756798-1492825623-&showp=1276x846&t=Èí¼þʹÓÃͳ¼Æ&umuuid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c&h=1&rnd=970127262 1.122.192.18
hxxp://c.cnzz.com/core.php?web_id=1253133024&t=z 222.186.49.224
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1755385211 106.11.94.30
hxxp://pcookie.cnzz.com/app.gif?&cna=MauBEQI1LBMCAcLyYNq7RNhO 106.11.92.14
hxxp://pcookie.cnzz.com/app.gif?&cna=MKuBEcuMvlMCAcLyYNqgonMO 106.11.92.14
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=533210884 106.11.94.30
hxxp://s13.cnzz.com/stat.php?id=1253133024 1.99.192.16
hxxp://s20.cnzz.com/stat.php?id=4702665&web_id=4702665 1.99.192.16
hxxp://hzs4.cnzz.com/stat.htm?id=4755173&r=&lg=en-us&ntime=none&cnzz_eid=1166190261-1492823520-&showp=1276x846&t=Èí¼þʹÓÃͳ¼Æ&umuuid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c&h=1&rnd=1516340663 1.122.192.17
hxxp://s95.cnzz.com/stat.php?id=4755173&web_id=4755173 1.99.192.16
hxxp://z7.cnzz.com/stat.htm?id=1253133024&r=&lg=en-us&ntime=none&cnzz_eid=113380915-1492823061-&showp=1276x846&t=Èí¼þʹÓÃͳ¼Æ&umuuid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c&h=1&rnd=277086771 1.122.192.15
hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=1300376752 106.11.94.30
hxxp://c.cnzz.com/core.php?web_id=4755173&t=z 222.186.49.224


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0

The alert is raised by the User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)" that the sample's own HTTP client sends when it fetches the advert and PushAdvert text files from www.yzrja.com: it claims Internet Explorer 6 on Windows 2000 while the analysis host runs Windows 7 SP1. The requests the sample issues through the embedded IE/WinINet engine (the statistics page and the CNZZ and mmstat beacons) carry the host's real IE 7 / Windows NT 6.1 User-Agent, so the same process is visible on the wire with two different User-Agent strings. The hard-coded NT 5.0 string combined with the Host yzrja.com and the /yzsoft/PushAdvert/ path is a tighter network signature for this sample than the generic policy rule.
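To show where the policy alert comes from and what a tighter signal looks like, the following Python triage is an added example, not code from the report or from Lavasoft. The request headers it parses are a constructed, abbreviated copy of the captures in the Traffic section; the HOST_NT_VERSION constant, the host classification and all function names are assumptions made for the example.

```python
# Added example for this page; not code from the Lavasoft report or the sample.
# Parses captured HTTP request headers, reproduces the reasoning behind the
# "Fake Windows NT Version" policy alert, and surfaces the stronger signal in
# this trace: one process using two different User-Agent strings.
import re
from collections import defaultdict

# Constructed fixture: request headers copied (abbreviated) from the Traffic
# section of the report, still in the report's defanged form.
CAPTURED_REQUESTS = """\
GET /yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browser.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: VVV.yzrja.com

GET /yzsoft/statistics/yzmrxgj2_0_new.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Host: VVV.yzrja.com

GET /stat.php?id=4702665&web_id=4702665 HTTP/1.1
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Host: s20.cnzz.com

GET /9.gif?abc=1&rnd=533210884 HTTP/1.1
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727)
Host: cnzz.mmstat.com
"""

# NT version the sandbox actually ran (Windows 7 SP1 = NT 6.1); an assumption
# taken from the "Analyzed on" line of the report.
HOST_NT_VERSION = "6.1"

# Host classification chosen for this sample's traffic (editor's assumption).
ANALYTICS_SUFFIXES = (".cnzz.com", ".mmstat.com", ".taobao.com", ".tbcache.com")


def refang(value):
    """Undo the report's defanging: hxxp/hXXp -> http, VVV. -> www."""
    return re.sub(r"h[xX]{2}p(s?)://", r"http\1://", value).replace("VVV.", "www.")


def parse_requests(text):
    """Split a blank-line separated capture into {method, path, headers} dicts."""
    out = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = refang(value.strip())
        out.append({"method": method, "path": path, "headers": headers})
    return out


def claimed_nt_version(user_agent):
    """The 'Windows NT x.y' a User-Agent claims, or None if it claims none."""
    m = re.search(r"Windows NT (\d+\.\d+)", user_agent)
    return m.group(1) if m else None


def classify_host(host):
    if host == "yzrja.com" or host.endswith(".yzrja.com"):
        return "operator"
    if host.endswith(ANALYTICS_SUFFIXES):
        return "analytics"
    return "other"


def triage(requests):
    """User-Agent anomalies plus a per-host summary for parsed requests."""
    by_ua = defaultdict(list)
    per_host = defaultdict(lambda: {"kind": "", "count": 0, "user_agents": set()})
    for r in requests:
        ua = r["headers"].get("user-agent", "")
        host = r["headers"].get("host", "")
        by_ua[ua].append(host)
        entry = per_host[host]
        entry["kind"] = classify_host(host)
        entry["count"] += 1
        entry["user_agents"].add(ua)
    # Same check the ET POLICY rule makes, tied to the OS the host really runs.
    fake_os = [ua for ua in by_ua
               if claimed_nt_version(ua) not in (None, HOST_NT_VERSION)]
    return {
        "distinct_user_agents": len(by_ua),
        "fake_os_user_agents": fake_os,
        "hosts": {h: {"kind": v["kind"], "count": v["count"],
                      "user_agents": sorted(v["user_agents"])}
                  for h, v in per_host.items()},
    }


if __name__ == "__main__":
    result = triage(parse_requests(CAPTURED_REQUESTS))
    print("distinct User-Agents:", result["distinct_user_agents"])
    for ua in result["fake_os_user_agents"]:
        print("User-Agent claiming an OS the host is not running:", ua)
    for host, info in result["hosts"].items():
        print(f"{host:20} {info['kind']:10} {info['count']} request(s), "
              f"{len(info['user_agents'])} User-Agent(s)")
```

The "two User-Agents, one host" condition on www.yzrja.com is the part worth turning into a hunting query: a generic policy rule fires on any old NT 5.0 string, whereas a process whose own socket code and its embedded browser control disagree about the operating system is a much rarer pattern.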

Traffic

GET /stat.php?id=4702665&web_id=4702665 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s20.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10984
Connection: keep-alive
Date: Sat, 22 Apr 2017 01:47:03 GMT
Last-Modified: Sat, 22 Apr 2017 01:47:03 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache17.l2et2-1[0,200-0,H], cache20.l2et2-1[0,0], kunlun5.cn74[0,200-0,H], kunlun7.cn74[0,0]
Age: 1815
X-Cache: HIT TCP_MEM_HIT dirn:10:155752407
X-Swift-SaveTime: Sat, 22 Apr 2017 01:51:08 GMT
X-Swift-CacheTime: 5155
Timing-Allow-Origin: *
EagleId: deba31a014928274385853453e
(function(){function k(){this.c="4702665";this.ca="z";this.Z="";this.W="";this.Y="";this.C="1492825623";this.aa="gzs20.cnzz.com";this.X="";this.G="CNZZDATA"+this.c;this.F="_CNZZDbridge_"+this.c;this.P="_cnzz_CV"+this.c;this.R="CZ_UUID"+this.c;this.L="UM_distinctid";this.H="0";this.K={};this.a={};this.Aa()}
function g(a,b){try{var c=[];c.push("siteid=4702665");c.push("name="+f(a.name));c.push("msg="+f(a.message));c.push("r="+f(h.referrer));c.push("page="+f(e.location.href));c.push("agent="+f(e.navigator.userAgent));c.push("ex="+f(b));c.push("rnd="+Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?"+c.join("&")}catch(d){}}
var h=document,e=window,f=encodeURIComponent,m=decodeURIComponent,r=unescape;
k.prototype={Aa:function(){try{this.ja(),this.V(),this.wa(),this.T(),this.za(),this.w(),this.ua(),this.ta(),this.xa(),this.o(),this.sa(),this.va(),this.ya(),this.qa(),this.oa(),this.ra(),this.Ea(),e[this.F]=e[this.F]||{},this.pa("_cnzz_CV")}catch(a){g(a,"i failed")}},
Ca:function(){try{var a=this;e._czc={push:function(){return a.M.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},
oa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b++){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},
Ea:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c)

<<< skipped >>>

GET /9.gif?abc=1&rnd=533210884 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Sat, 22 Apr 2017 02:17:20 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=MKuBEeIFe1MCAcLyYNqtIjRO; expires=Tue, 20-Apr-27 02:17:20 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=0fb3ba96; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=a4140d2a50cb2e0ff3efa2c8_1492827440_1; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=MKuBEeIFe1MCAcLyYNqtIjRO
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browser.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.yzrja.com
Cache-Control: no-cache
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 3
Content-Type: text/plain
Last-Modified: Sun, 26 Mar 2017 05:24:32 GMT
Accept-Ranges: bytes
ETag: "0289b3ff1a5d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: WAF/2.0
Date: Sat, 22 Apr 2017 02:17:05 GMT
yes



GET /yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browserName.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.yzrja.com
Cache-Control: no-cache
Cookie: safedog-flow-item=; UM_distinctid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c; CNZZDATA1253133024=113380915-1492823061-|1492823061


HTTP/1.1 200 OK
Content-Length: 19
Content-Type: text/plain
Last-Modified: Sun, 26 Mar 2017 05:24:47 GMT
Accept-Ranges: bytes
ETag: "80f98b48f1a5d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: WAF/2.0
Date: Sat, 22 Apr 2017 02:17:06 GMT
filedown_238858.exe


GET /yzsoft/statistics/yzmrxgj2_0_new.html HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.yzrja.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 691
Content-Type: text/html
Last-Modified: Mon, 25 Aug 2014 08:25:28 GMT
Accept-Ranges: bytes
ETag: "04c55203ec0cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: WAF/2.0
Set-Cookie: safedog-flow-item=; expires=Sat, 22-Arp-2017 16:00:05 GMT; domain=yzrja.com; path=/
Date: Sat, 22 Apr 2017 02:17:05 GMT
<head>..<title>............</title>..</head>..
<body>..<script type="text/javascript">var cnzz_protocol = (("https:" == document.location.protocol) ? " hXXps://" : " hXXp://");document.write(unescape("</span>"));</script>..
<p>..............v2.0......cnzz</p>..<script src="hXXp://s95.cnzz.com/stat.php?id=4755173&web_id=4755173" language="JavaScript"></script>..
<p>......................cnzz</p>..<script src="hXXp://s20.cnzz.com/stat.php?id=4702665&web_id=4702665" language="JavaScript"></script>..
<p>....................cnzz</p>..



GET /yzsoft/advert/yzmrxgj/title01.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.yzrja.com
Cache-Control: no-cache
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 44
Content-Type: text/plain
Last-Modified: Wed, 01 Mar 2017 07:10:20 GMT
Accept-Ranges: bytes
ETag: "26c580e35a92d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: WAF/2.0
Date: Sat, 22 Apr 2017 02:17:05 GMT
........................................>>>>....



GET /yzsoft/advert/yzmrxgj/link01.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.yzrja.com
Cache-Control: no-cache
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 29
Content-Type: text/plain
Last-Modified: Wed, 01 Mar 2017 07:08:41 GMT
Accept-Ranges: bytes
ETag: "5cab83a85a92d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: WAF/2.0
Date: Sat, 22 Apr 2017 02:17:05 GMT
hXXp://kan.2345.com/?lm002523....



GET /yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browserURL.txt HTTP/1.1

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.yzrja.com
Cache-Control: no-cache
Cookie: safedog-flow-item=


HTTP/1.1 200 OK
Content-Length: 43
Content-Type: text/plain
Last-Modified: Sun, 26 Mar 2017 05:25:00 GMT
Accept-Ranges: bytes
ETag: "09e4b50f1a5d21:0"
Server: Microsoft-IIS/7.5
X-Powered-By: WAF/2.0
Date: Sat, 22 Apr 2017 02:17:06 GMT
hXXp://yzrja88.5d4d.net/filedown_238858.zip
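The three PushAdvert files are best read together: the first is a yes/no flag, the second a file name, the third a download URL. The following Python is an added example, not code from the report or from the sample, that models the decision the client appears to make from them; the flag-then-name-then-URL control flow is inferred from the request order and file names (the packed binary was not reversed here), the bodies are copied from the captures above, and evaluate_push_config, iocs_from_decision and the fetch callback are the editor's own names.

```python
# Added example for this page; not code from the Lavasoft report or the sample.
# Models the push-advert decision inferred from the captured PushAdvert files
# and turns the result into indicators an analyst can block or hunt for.
from urllib.parse import urlsplit

# Constructed fixture: path -> body, copied from the captured HTTP responses.
# 2345daohang2.txt is deliberately absent: the server answered that request
# with a SafeDog WAF 404 page, so the client got no usable body.
CAPTURED_BODIES = {
    "/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browser.txt": "yes",
    "/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browserName.txt": "filedown_238858.exe",
    "/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browserURL.txt":
        "hXXp://yzrja88.5d4d.net/filedown_238858.zip",
    "/yzsoft/advert/yzmrxgj/link01.txt": "hXXp://kan.2345.com/?lm002523",
}

CONFIG_BASE = "/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/"


def refang(url):
    """Undo the report's defanging of the scheme (hXXp/hxxp -> http)."""
    return url.replace("hXXp://", "http://").replace("hxxp://", "http://")


def evaluate_push_config(fetch, campaign="2345browser"):
    """Evaluate one push-advert campaign the way the client appears to.

    `fetch(path)` returns the body of a configuration file, or None when the
    file is missing. Returns a dict describing what the client would do next.
    The control flow (flag -> name -> URL) is an inference from the captured
    request order, not recovered from the binary.
    """
    flag = (fetch(CONFIG_BASE + campaign + ".txt") or "").strip().lower()
    decision = {"campaign": campaign, "enabled": flag == "yes"}
    if not decision["enabled"]:
        return decision
    name = (fetch(CONFIG_BASE + campaign + "Name.txt") or "").strip()
    url = refang((fetch(CONFIG_BASE + campaign + "URL.txt") or "").strip())
    parts = urlsplit(url)
    decision.update({
        "save_as": name,
        "download_url": url,
        "download_host": parts.hostname,
        # A .zip served for an .exe name implies the client unpacks before running.
        "archive": parts.path.lower().endswith(".zip"),
    })
    return decision


def iocs_from_decision(decision):
    """Network and file indicators to carry into blocking and hunting."""
    if not decision.get("enabled"):
        return []
    return [decision["download_host"], decision["download_url"], decision["save_as"]]


if __name__ == "__main__":
    live = evaluate_push_config(CAPTURED_BODIES.get)
    print(live)
    print(iocs_from_decision(live))
    # A campaign whose files are missing evaluates to disabled.
    print(evaluate_push_config(CAPTURED_BODIES.get, "2345daohang2"))
```

Wiring `fetch` to a real HTTP client lets an analyst re-evaluate the campaign later to see whether the operator has flipped the flag or changed the payload URL, which is the usual way a push-advert channel of this kind is repurposed; the indicators produced here (host, URL, expected file name) are the ones to block in the meantime.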


GET /app.gif?&cna=MauBEQI1LBMCAcLyYNq7RNhO HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com


HTTP/1.1 200 OK
Date: Sat, 22 Apr 2017 02:17:22 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=MauBEQI1LBMCAcLyYNq7RNhO; expires=Tue, 20-Apr-27 02:17:22 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /core.php?web_id=1253133024&t=z HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 763
Connection: keep-alive
Date: Sat, 22 Apr 2017 02:17:19 GMT
Last-Modified: Sat, 22 Apr 2017 02:17:19 GMT
Expires: Sat, 22 Apr 2017 02:32:19 GMT
Via: cache18.l2et2-1[58,200-0,M], cache15.l2et2-1[58,0], kunlun5.cn74[67,200-0,M], kunlun5.cn74[67,0]
X-Cache: MISS TCP_MISS dirn:3:442692646
X-Swift-SaveTime: Sat, 22 Apr 2017 02:17:19 GMT
X-Swift-CacheTime: 900
Timing-Allow-Origin: *
EagleId: deba319e14928274395726895e
!function(){var p,q,r,a=encodeURIComponent,b="1253133024",c="",d="",e="online_v3.php",f="z7.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_"+b]["bobject"],l="http:",m="0",n=l+"//online.cnzz.com/online/"+e,o=[];
o.push("id="+b),o.push("h="+f),o.push("on="+a(d)),o.push("s="+a(c)),n+="?"+o.join("&"),
"0"===m&&k["callRequest"]([l+"//cnzz.mmstat.com/9.gif?abc=1"]),
g&&(""!==d?k["createScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id="+b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l+"//icon.cnzz.com/img/"+c+".gif",p="<a href='"+q+"' target=_blank title='"+j+"'><img border=0 hspace=0 vspace=0 src='"+r+"'></a>"):p="<a href='"+q+"' target=_blank title='"+j+"'>"+j+"</a>",k["createIcon"]([p])))}();



GET /core.php?web_id=4755173&t=z HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 762
Connection: keep-alive
Date: Sat, 22 Apr 2017 02:17:20 GMT
Last-Modified: Sat, 22 Apr 2017 02:17:20 GMT
Expires: Sat, 22 Apr 2017 02:32:20 GMT
Via: cache15.l2et2-1[58,200-0,M], cache9.l2et2-1[59,0], kunlun5.cn74[67,200-0,M], kunlun5.cn74[67,0]
X-Cache: MISS TCP_REFRESH_MISS dirn:-2:-2
X-Swift-SaveTime: Sat, 22 Apr 2017 02:17:20 GMT
X-Swift-CacheTime: 900
Timing-Allow-Origin: *
EagleId: deba319e14928274400148657e
!function(){var p,q,r,a=encodeURIComponent,b="4755173",c="",d="",e="online_v3.php",f="hzs4.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_"+b]["bobject"],l="http:",m="0",n=l+"//online.cnzz.com/online/"+e,o=[];
o.push("id="+b),o.push("h="+f),o.push("on="+a(d)),o.push("s="+a(c)),n+="?"+o.join("&"),
"0"===m&&k["callRequest"]([l+"//cnzz.mmstat.com/9.gif?abc=1"]),
g&&(""!==d?k["createScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id="+b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l+"//icon.cnzz.com/img/"+c+".gif",p="<a href='"+q+"' target=_blank title='"+j+"'><img border=0 hspace=0 vspace=0 src='"+r+"'></a>"):p="<a href='"+q+"' target=_blank title='"+j+"'>"+j+"</a>",k["createIcon"]([p])))}();



GET /core.php?web_id=4702665&t=z HTTP/1.1

Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 763
Connection: keep-alive
Date: Sat, 22 Apr 2017 02:08:26 GMT
Last-Modified: Sat, 22 Apr 2017 02:08:26 GMT
Expires: Sat, 22 Apr 2017 02:23:26 GMT
Via: cache7.l2et2-1[77,200-0,M], cache13.l2et2-1[78,0], kunlun8.cn74[0,200-0,H], kunlun5.cn74[1,0]
Age: 534
X-Cache: HIT TCP_MEM_HIT dirn:-2:-2
X-Swift-SaveTime: Sat, 22 Apr 2017 02:08:26 GMT
X-Swift-CacheTime: 900
Timing-Allow-Origin: *
EagleId: deba319e14928274404512462e
!function(){var p,q,r,a=encodeURIComponent,b="4702665",c="",d="",e="online_v3.php",f="gzs20.cnzz.com",g="1",h="text",i="z",j="站长统计",k=window["_CNZZDbridge_"+b]["bobject"],l="http:",m="0",n=l+"//online.cnzz.com/online/"+e,o=[];
o.push("id="+b),o.push("h="+f),o.push("on="+a(d)),o.push("s="+a(c)),n+="?"+o.join("&"),
"0"===m&&k["callRequest"]([l+"//cnzz.mmstat.com/9.gif?abc=1"]),
g&&(""!==d?k["createScriptIcon"](n,"utf-8"):(q="z"==i?"hXXp://VVV.cnzz.com/stat/website.php?web_id="+b:"hXXp://quanjing.cnzz.com","pic"===h?(r=l+"//icon.cnzz.com/img/"+c+".gif",p="<a href='"+q+"' target=_blank title='"+j+"'><img border=0 hspace=0 vspace=0 src='"+r+"'></a>"):p="<a href='"+q+"' target=_blank title='"+j+"'>"+j+"</a>",k["createIcon"]([p])))}();

GET /app.gif?&cna=MKuBEcuMvlMCAcLyYNqgonMO HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com


HTTP/1.1 200 OK
Date: Sat, 22 Apr 2017 02:17:21 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=MKuBEcuMvlMCAcLyYNqgonMO; expires=Tue, 20-Apr-27 02:17:21 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /9.gif?abc=1&rnd=1300376752 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Sat, 22 Apr 2017 02:17:20 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=MKuBEcuMvlMCAcLyYNqgonMO; expires=Tue, 20-Apr-27 02:17:20 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=97efba05; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=67d90d914519f6d1a6bcdcf0_1492827440_1; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=MKuBEcuMvlMCAcLyYNqgonMO
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /stat.php?id=4755173&web_id=4755173 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s95.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10983
Connection: keep-alive
Date: Sat, 22 Apr 2017 01:12:00 GMT
Last-Modified: Sat, 22 Apr 2017 01:12:00 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache1.l2et15[0,200-0,H], cache20.l2et15[1,0], kunlun5.cn74[0,200-0,H], kunlun8.cn74[0,0]
Age: 3918
X-Cache: HIT TCP_MEM_HIT dirn:10:154446066
X-Swift-SaveTime: Sat, 22 Apr 2017 01:18:37 GMT
X-Swift-CacheTime: 5003
Timing-Allow-Origin: *
EagleId: deba31a114928274384401463e
(function(){function k(){this.c="4755173";this.ca="z";this.Z="";this.W="";this.Y="";this.C="1492823520";this.aa="hzs4.cnzz.com";this.X="";this.G="CNZZDATA"+this.c;this.F="_CNZZDbridge_"+this.c;this.P="_cnzz_CV"+this.c;this.R="CZ_UUID"+this.c;this.L="UM_distinctid";this.H="0";this.K={};this.a={};this.Aa()}
function g(a,b){try{var c=[];c.push("siteid=4755173");c.push("name="+f(a.name));c.push("msg="+f(a.message));c.push("r="+f(h.referrer));c.push("page="+f(e.location.href));c.push("agent="+f(e.navigator.userAgent));c.push("ex="+f(b));c.push("rnd="+Math.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.com/log.php?"+c.join("&")}catch(d){}}
var h=document,e=window,f=encodeURIComponent,m=decodeURIComponent,r=unescape;
k.prototype={Aa:function(){try{this.ja(),this.V(),this.wa(),this.T(),this.za(),this.w(),this.ua(),this.ta(),this.xa(),this.o(),this.sa(),this.va(),this.ya(),this.qa(),this.oa(),this.ra(),this.Ea(),e[this.F]=e[this.F]||{},this.pa("_cnzz_CV")}catch(a){g(a,"i failed")}},
Ca:function(){try{var a=this;e._czc={push:function(){return a.M.apply(a,arguments)}}}catch(b){g(b,"oP failed")}},
oa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.call(a))for(var b=0;b<a.length;b++){var c=a[b];switch(c[0]){case "_setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?c[1]:String(c[1]);break;case "_setAutoPageview":"boolean"===typeof c[1]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},
Ea:function(){try{if("undefined"===typeof e._cz_account||e._cz_account===this.c){

<<< skipped >>>

GET /yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345daohang2.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: VVV.yzrja.com
Cache-Control: no-cache
Cookie: safedog-flow-item=


HTTP/1.1 200
Cache-Control: no-store
Pragma: no-cache
Content-Length: 3368
Content-Type: text/html; Charset=gb2312
Server: Microsoft-IIS/7.5
X-Powered-By: WAF/2.0
Date: Sat, 22 Apr 2017 02:17:05 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gbk2312" />
<title></title>
</head>
<body style=" padding:0; margin:0; font:14px/1.5 Microsoft Yahei, .....,sans-serif; color:#555;">
<div style="margin:0 auto;width:980px;">
 <div style="background: url('hXXp://404.safedog.cn/images/safedogsite/head.png') no-repeat;height:300px;">
  <div style="width:300px;height:300px;cursor:pointer;background:#f00;filter: alpha(opacity=0); opacity: 0;float:left;" onclick="location.href='hXXp://VVV.safedog.cn'"></div>
  <div style="float:right;width:430px;height:100px;padding-top:90px;padding-right:90px;font-size:22px;">
   <p id="error_code_p"><a id="eCode">404</a>....<span style="font-size:16px;padding-left:15px;">(............................)</span></p>
   <p id="eMsg"></p>
   <a href="hXXp://bbs.safedog.cn/thread-60693-1-1.html?from=stat" target="_blank" style="color:#139ff8; font-size:16px; text-decoration:none">..........</a>
   <a href="#" onclick="redirectToHost();" style="color:#139ff8; font-size:16px; text-decoration:none;padding-left: 20px;">..........>></a>
  </div>
 </div>
</div>
<div style="width:100

<<< skipped >>>

GET /stat.php?id=1253133024 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: s13.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Content-Type: application/javascript
Content-Length: 10987
Connection: keep-alive
Date: Sat, 22 Apr 2017 01:04:21 GMT
Last-Modified: Sat, 22 Apr 2017 01:04:21 GMT
Cache-Control: max-age=5400,s-maxage=5400
Via: cache6.l2et15[0,200-0,H], cache5.l2et15[12,0], kunlun10.cn74[20,200-0,M], kunlun4.cn74[22,0]
Age: 4377
X-Cache: MISS TCP_REFRESH_MISS dirn:9:581548343
X-Swift-SaveTime: Sat, 22 Apr 2017 02:17:18 GMT
X-Swift-CacheTime: 1023
Timing-Allow-Origin: *
EagleId: deba319d14928274383871055e
(function(){function k(){this.c="1253133024";this.ca="z";this.Z="";thi
s.W="";this.Y="";this.C="1492823061";this.aa="z7.cnzz.com";this.X="";t
his.G="CNZZDATA" this.c;this.F="_CNZZDbridge_" this.c;this.P="_cnzz_CV
" this.c;this.R="CZ_UUID" this.c;this.L="UM_distinctid";this.H="0";thi
s.K={};this.a={};this.Aa()}function g(a,.b){try{var c=[];c.push("sitei
d=1253133024");c.push("name=" f(a.name));c.push("msg=" f(a.message));c
.push("r=" f(h.referrer));c.push("page=" f(e.location.href));c.push("a
gent=" f(e.navigator.userAgent));c.push("ex=" f(b));c.push("rnd=" Math
.floor(2147483648*Math.random()));(new Image).src="hXXp://jserr.cnzz.c
om/log.php?" c.join("&")}catch(d){}}var h=document,e=window,f=encodeUR
IComponent,m=decodeURIComponent,r=unescape;k.prototype={Aa:function(){
try{this.ja(),this.V(),this.wa(),this.T(),this.za(),.this.w(),this.ua(
),this.ta(),this.xa(),this.o(),this.sa(),this.va(),this.ya(),this.qa()
,this.oa(),this.ra(),this.Ea(),e[this.F]=e[this.F]||{},this.pa("_cnzz_
CV")}catch(a){g(a,"i failed")}},Ca:function(){try{var a=this;e._czc={p
ush:function(){return a.M.apply(a,arguments)}}}catch(b){g(b,"oP failed
")}},oa:function(){try{var a=e._czc;if("[object Array]"==={}.toString.
call(a))for(var b=0;b<a.length;b ){var c=a[b];switch(c[0]){case "_
setAccount":e._cz_account="[object String]"==={}.toString.call(c[1])?.
c[1]:String(c[1]);break;case "_setAutoPageview":"boolean"===typeof c[1
]&&(e._cz_autoPageview=c[1])}}}catch(d){g(d,"cS failed")}},Ea:function
(){try{if("undefined"===typeof e._cz_account||e._cz_account===this

<<< skipped >>>

GET /stat.htm?id=4755173&r=&lg=en-us&ntime=none&cnzz_eid=1166190261-1492823520-&showp=1276x846&t=Èí¼þʹÓÃͳ¼Æ&umuuid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c&h=1&rnd=1516340663 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: hzs4.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 22 Apr 2017 02:17:21 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Thu, 16 Apr 2015 02:22:34 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..


GET /9.gif?abc=1&rnd=1755385211 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Date: Sat, 22 Apr 2017 02:17:21 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=MauBEQI1LBMCAcLyYNq7RNhO; expires=Tue, 20-Apr-27 02:17:21 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=8b0df251; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=96616f663da7163641caf31d_1492827441_1; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=MauBEQI1LBMCAcLyYNq7RNhO
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /app.gif?&cna=MKuBEeIFe1MCAcLyYNqtIjRO HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com


HTTP/1.1 200 OK
Date: Sat, 22 Apr 2017 02:17:21 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=MKuBEeIFe1MCAcLyYNqtIjRO; expires=Tue, 20-Apr-27 02:17:21 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GIF89a.............!.......,...........L..;..


GET /stat.htm?id=4702665&r=&lg=en-us&ntime=none&cnzz_eid=168756798-1492825623-&showp=1276x846&t=Èí¼þʹÓÃͳ¼Æ&umuuid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c&h=1&rnd=970127262 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: gzs20.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 22 Apr 2017 02:17:20 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Thu, 16 Apr 2015 02:22:35 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..


GET / HTTP/1.1
User-Agent: test
Host: VVV.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Sat, 22 Apr 2017 02:17:17 GMT
Content-Type: text/html
Content-Length: 14613
Last-Modified: Tue, 18 Apr 2017 01:09:00 GMT
Connection: Keep-Alive
Vary: Accept-Encoding
Set-Cookie: BAIDUID=9E9DCC87521361A460A5E39FF8E2EEF7:FG=1; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: BIDUPSID=9E9DCC87521361A460A5E39FF8E2EEF7; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
Set-Cookie: PSTM=1492827437; expires=Thu, 31-Dec-37 23:55:55 GMT; max-age=2147483647; path=/; domain=.baidu.com
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Server: BWS/1.1
X-UA-Compatible: IE=Edge,chrome=1
Pragma: no-cache
Cache-control: no-cache
Accept-Ranges: bytes
<!DOCTYPE html><!--STATUS OK-->..<html>..<head>
;...<meta http-equiv="content-type" content="text/html;charset=utf-
8">...<meta http-equiv="X-UA-Compatible" content="IE=Edge">..
.<link rel="dns-prefetch" href="//s1.bdstatic.com"/>...<link
rel="dns-prefetch" href="//t1.baidu.com"/>...<link rel="dns-pref
etch" href="//t2.baidu.com"/>...<link rel="dns-prefetch" href="/
/t3.baidu.com"/>...<link rel="dns-prefetch" href="//t10.baidu.co
m"/>...<link rel="dns-prefetch" href="//t11.baidu.com"/>...&l
t;link rel="dns-prefetch" href="//t12.baidu.com"/>...<link rel="
dns-prefetch" href="//b1.bdstatic.com"/>...<title>...........
................</title>...<link href="hXXp://s1.bdstatic.com
/r/www/cache/static/home/css/index.css" rel="stylesheet" type="text/cs
s" />...<!--[if lte IE 8]><style index="index" >#conten
t{height:480px\9}#m{top:260px\9}</style><![endif]-->...<
;!--[if IE 8]><style index="index" >#u1 a.mnav,#u1 a.mnav:vis
ited{font-family:simsun}</style><![endif]-->...<script&
gt;var hashMatch = document.location.href.match(/# (.*wd=[^&]. )/);if
(hashMatch && hashMatch[0] && hashMatch[1]) {document.location.replace
("hXXp://" location.host "/s?" hashMatch[1]);}var ns_c = function(){};
</script>...<script>function h(obj){obj.style.behavior='ur
l(#default#homepage)';var a = obj.setHomePage('//VVV.baidu.com/');}<
;/script>...<noscript><meta http-equiv="refresh" conte

<<< skipped >>>

GET /stat.htm?id=1253133024&r=&lg=en-us&ntime=none&cnzz_eid=113380915-1492823061-&showp=1276x846&t=Èí¼þʹÓÃͳ¼Æ&umuuid=15b93a9b7d92ce-048aa1e7e1fbf44-44703d1f-1078c8-15b93a9b7da26c&h=1&rnd=277086771 HTTP/1.1
Accept: */*
Referer: hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.html
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: z7.cnzz.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine
Date: Sat, 22 Apr 2017 02:17:19 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Thu, 16 Apr 2015 02:22:37 GMT
Connection: close
Accept-Ranges: bytes
GIF89a.............!.......,...........D..;..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1976:

.text
.rdata
.data
.rsrc
.aspack
.adata
t$(SSh
|$D.tm
~%UVW
u$SShe
ShellExecuteA
GetAsyncKeyState
{E5000198-4471-40e2-92BC-D0BA075BDBB2}
{86AB1D8A-7995-4D86-AE5F-18710759228B}
hXXp://VVV.yzrja.com/yzsoft/advert/yzmrxgj/title01.txt
hXXp://VVV.yzrja.com/yzsoft/advert/yzmrxgj/link01.txt
hXXp://VVV.yzrja.com/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browser.txt
hXXp://VVV.yzrja.com/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browserURL.txt
hXXp://VVV.yzrja.com/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345browserName.txt
2345Explorer_238853_silence.exe
\download\2345Explorer_silence.zip
WScript.Shell
hXXp://VVV.yzrja.com/yzsoft/PushAdvert/yzmrxgj/yzmrxgj2_0/2345daohang2.txt
hXXp://VVV.2345.com/?8721
anonymous@123.com
.exe|.rar|.zip|.gif|.jpg|.mp3|.rm
(*.txt)|*.txt
.comment {color:green}
hXXp://VVV.yzrja.com/yzsoft/statistics/yzmrxgj2_0_new.htmln
hXXp://VVV.yzrja.com
hXXp://VVV.crsky.com/soft/26807.html
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
WINMM.dll
WS2_32.dll
VERSION.dll
MSVFW32.dll
AVIFIL32.dll
RASAPI32.dll
GetProcessHeap
WinExec
GetWindowsDirectoryA
GetCPInfo
KERNEL32.dll
GetKeyState
RegisterHotKey
UnregisterHotKey
GetKeyboardLayout
VkKeyScanExA
keybd_event
SetWindowsHookExA
UnhookWindowsHookEx
EnumChildWindows
CreateDialogIndirectParamA
USER32.dll
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
GDI32.dll
WINSPOOL.DRV
comdlg32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyExA
ADVAPI32.dll
SHELL32.dll
OLEAUT32.dll
COMCTL32.dll
oledlg.dll
InternetOpenUrlA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetCrackUrlA
InternetCanonicalizeUrlA
WININET.dll
WLDAP32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
%d%d%d
rundll32.exe shell32.dll,
hXXp://VVV.baidu.com
(*.avi)|*.avi
RICHED32.DLL
RICHED20.DLL
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
operator
keywords
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
<tr><td bgcolor=buttonface>Y</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>X</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Height</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Width</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>RECT</td><td bgcolor=white>(%d, %d)-(%d, %d)</td></tr>
<tr><td bgcolor=buttonface>Styles</td><td bgcolor=white>0xX</td></tr>
<tr><td bgcolor=buttonface>Control ID</td><td bgcolor=white>%d</td></tr>
<tr><td bgcolor=buttonface>Handle</td><td bgcolor=white>0xX</td></tr>
<table><tr><td><icon handle=0x%X></td><td>%s</td></tr></table>
burlywood
\winhlp32.exe
TrayIcon event: %x
(*.htm;*.html)|*.htm;*.html
1.1.3
[%s:%d]
Range: bytes=%s-
[%s:%d]
PASS %s
PASS ******
USER %s
E:\dev\e\static_link\static_libs\source\downlib\mystrlib.cpp
SIZE %s
PORT
User-Agent: %s
Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Host: %s
GET %s HTTP/1.1
HTTP/1.1
hXXp://
Cookie: %s
%d, %s
\\192.168.0.129\TCP\1037
NSPlayer/9.0.0.2980; {%s}; Host: %s
rmff_fix_header: assuming data.size=%i
rmff_fix_header: assuming data.num_packets=%i
rmff_fix_header: assuming prop.num_packets=%i
rmff_fix_header: setting prop.data_offset from %i to %i
rmff_fix_header: correcting prop.num_streams from %i to %i
rmff_fix_header: correcting prop.size from %i to %i
%s %s %s
Session: %s
Cseq: %u
%*s %s
%*s %u
CSeq: %u
rtsp://%s:%i
rtsp://%s:%i/%s
ClientID: Linux_2.4_6.0.9.1235_play32_RN01_EN_586
GUID: 00000000-0000-0000-0000-000000000000
[%s:%d]
User-Agent: RealMedia Player Version 6.0.9.1235 (linux-2.0-libc6-i386-gcc2.95)
Range: npt=%s-
%s/streamid=1
%s/streamid=0
Transport: x-pn-tng/tcp;mode=play,rtp/avp/tcp;unicast;mode=play
If-Match: %s
RealChallenge2: %s, sd=%s
Title: %s
Copyright: %s
Author: %s
real: Content-length for description too big (> %uMB)!
Require: com.real.retain-entity-for-setup
SupportsMaximumASMBandwidth: 1
Bandwidth: %u
Challenge1: %s
hash output: %x %x %x %x
hash input: %x %x %x %x
stream=%u;rule=%u,
Illegal character '%c' in input.
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCOleDispatchException@@
.PAVCArchiveException@@
zcÁ
filedown_238858.exe.net/filedown_238858.zip>
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
kernel32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
winmm.dll
ws2_32.dll
msvfw32.dll
avifil32.dll
rasapi32.dll
gdi32.dll
winspool.drv
advapi32.dll
shell32.dll
oleaut32.dll
comctl32.dll
wininet.dll
wldap32.dll
(*.*)
2.0.0.0
(C)hXXp://VVV.yzrja.com


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1976

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Ó¦ÓÃÅäÖÃ.ini (1273 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\3WIYROR0.txt (103 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\WZUK671P.txt (301 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stat[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\yzmrxgj2_0_new[1].htm (691 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\XJ1SY4A9.txt (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\core[1].js (763 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\stat[2].gif (43 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\LOTCKZQQ.txt (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\stat[1].js (1321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\core[1].js (763 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\D09L9HMD.txt (379 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\V9Q5P1VU.txt (447 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\N44KR7LG.txt (92 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IJI2X89X.txt (92 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5E0Y784H.txt (133 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\stat[1].js (1321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\core[1].js (762 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\5IQPOJ12.txt (94 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\IN7QKBDK.txt (115 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\TU5QSY09.txt (92 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\stat[1].js (1321 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\9FJS561V.txt (643 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
