Gen.Trojan.Heur.RP.8qZamwgOhcb_6ae990d796

by malwarelabrobot on August 28th, 2015 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.anh (Kaspersky), Gen:Trojan.Heur.RP.8qZ@amwgOhcb (B) (Emsisoft), Gen:Trojan.Heur.RP.8qZ@amwgOhcb (AdAware), Trojan.Win32.Sasfis.FD, GenericEmailWorm.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 6ae990d796ff70aade726dd7a1f317a5
SHA1: 9978efc130cc9eea050aa2f907d33ca89d201bcc
SHA256: cfd9f4d718556412b8763dd282ab47eb29da0f16147bcc328074cca18961e47d
SSDeep: 24576:wvZkEp3W8AD/Dhd y4lqJ8QdCYDoDN4H1GAEwmPhlGT:wvZsvD/DX y4onCYDoDa4wQli
Size: 984955 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: VMProtectV1X, PolyEnE001byLennartHedlund, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171, UPolyXv05_v6
Company: StdLib
Created at: 2003-06-16 07:11:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.

Payload

Behaviour: EmailWorm
Description: Worm can send e-mails.


Process activity

The Trojan creates the following process(es):

heng1.exe:1392
%original file name%.exe:464
2s.exe:1988
Srer:956

The Trojan injects its code into the following process(es):

badboy.exe:140
2.exe:1992
IEXPLORE.EXE:380

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process heng1.exe:1392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Srer (1281 bytes)
%WinDir%\Delete.bat (104 bytes)

The process %original file name%.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\2s.exe (3778 bytes)
%System%\heng1.exe (258 bytes)

The process badboy.exe:140 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\ztdll.dll (35 bytes)
%Program Files%\svhost32.exe (24 bytes)

The process 2s.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%System%\2.exe (3732 bytes)
%System%\badboy.exe (24 bytes)

The process 2.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cgi_client_entry[1].htm (879 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\h[1].js (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].js (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\E_4\HtmlView.fne (229 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bg_corner[1].png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\navigation[1].js (863 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bg_page[1].png (392 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\neeao[1].xml (266 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\upfile_2568273_1436523556[1].jpg (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\upfile_1415940_1436968214[1].jpg (7784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\upfile_3165952_1436968159[1].jpg (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\txt_title.ie6[1].png (6 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@qq[1].txt (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\html5[1].js (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\css[1].css (186 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@neeao[1].txt (175 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\logo_baobeihuijia[1].png (3 bytes)
%Documents and Settings%\%current user%\Cookies\[email protected][1].txt (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\data[1].js (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\u-WUoqrET9fUeobQW7jkRfY6323mHUZFJMgTvxaG2iE[1].eot (1386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo_tencentvolunteers[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\h[2].js (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\search_children[1].js (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\upfile_6284563_1436686486[1].jpg (3656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\404style[1].css (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\upfile_4270811_1436692558[1].jpg (10747 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\page[1].js (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\upfile_2835045_1438133394[1].jpg (10286 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\h[1].js (0 bytes)
%Documents and Settings%\%current user%\UserData\2Z89WTQV\www.aaa[1].xml (0 bytes)

Registry activity

The process heng1.exe:1392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 A6 60 47 16 72 BD E1 15 5E 28 AC 65 9F 6E A7"

The process badboy.exe:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"load" = "C:\PROGRA~1\svhost32.exe"

The process Srer:956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 22 31 E9 72 9A E1 2A B2 B0 AD 26 AB 25 66 A8"

The process 2.exe:1992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015082720150828]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015082720150828\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015082720150828]
"CachePrefix" = ":2015082720150828:"
"CacheLimit" = "8192"
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 24 34 F6 1D 25 8E E2 4E 60 52 81 B0 5A FE 7F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015082720150828]
"CacheRepair" = "0"

The Trojan modifies IE security-zone settings so that all local web nodes with no dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
5119e853bf543fa2ef978d758cfb0819 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\HtmlView.fne
97c8fe752e354b2945e4c593a87e4a8b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\E_4\krnln.fnr
20544c1e7168d1121f5a9ebc9276616d c:\Program Files\svhost32.exe
15c0eeb18c965e25d8446632116d40ac c:\WINDOWS\system32\2.exe
ff96cc48742e27ab6c140032e841a791 c:\WINDOWS\system32\2s.exe
20544c1e7168d1121f5a9ebc9276616d c:\WINDOWS\system32\badboy.exe
5027f34108fca1a876ad66c6f8461e11 c:\WINDOWS\system32\ztdll.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1926 4096 2.36282 364c77e015f4bb4a14327b18bd86398d
.rdata 8192 1320 4096 1.44848 ed6eeea8c74e74b1f5d74036b1d8ff73
.data 12288 180 4096 0.122094 61529ec798ffa7758db07e5d23e43936
.rsrc 16384 3424 4096 1.40325 bdcb84c2a2593ff86b5d8c0b85c02180

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://neeao.com/ 106.186.116.73
hxxp://a1574.b.akamai.net/cgi-bin/cgi_client_entry.cgi?uin=5454443
hxxp://neeao.com/wp-content/themes/twentytwelve/js/html5.js 106.186.116.73
hxxp://a1574.b.akamai.net/404/search_children.js
hxxp://neeao.com/wp-content/themes/twentytwelve/style.css?ver=4.1.7 106.186.116.73
hxxp://neeao.com/wp-content/themes/twentytwelve/css/ie.css?ver=20121010 106.186.116.73
hxxp://googleadapis.l.google.com/css?family=Open Sans:400italic,700italic,400,700&subset=latin,latin-ext
hxxp://gstaticadssl.l.google.com/s/opensans/v13/u-WUoqrET9fUeobQW7jkRfY6323mHUZFJMgTvxaG2iE.eot
hxxp://a1165.b.akamai.net/gy/404/data.js
hxxp://a1165.b.akamai.net/gy/404/page.js
hxxp://a1165.b.akamai.net/gy/404/style/404style.css
hxxp://a1165.b.akamai.net/ac/qzfl/stat.js
hxxp://hm.e.shifen.com/h.js?19c9dab3ab926f7f84b51ac9a3d72f37
hxxp://boss.qzone.qq.com/fcg-bin/fcg_zone_info 112.90.83.43
hxxp://hm.e.shifen.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=954852177&si=19c9dab3ab926f7f84b51ac9a3d72f37&st=1&v=1.1.2&lv=1&tt=Neeao | 信息安全、程序开发、脚本技术
hxxp://a1165.b.akamai.net/gy/404/style/image/bg_page.png
hxxp://a1165.b.akamai.net/gy/upload/upfile_2835045_1438133394.jpg
hxxp://a1165.b.akamai.net/gy/404/style/image/logo_tencentvolunteers.png
hxxp://neeao.com/wp-content/themes/twentytwelve/js/navigation.js?ver=1.0 106.186.116.73
hxxp://a1165.b.akamai.net/gy/404/style/image/logo_baobeihuijia.png
hxxp://a1165.b.akamai.net/gy/upload/upfile_2568273_1436523556.jpg
hxxp://a1165.b.akamai.net/gy/upload/upfile_6284563_1436686486.jpg
hxxp://a1165.b.akamai.net/gy/upload/upfile_4270811_1436692558.jpg
hxxp://a1165.b.akamai.net/gy/upload/upfile_3165952_1436968159.jpg
hxxp://a1165.b.akamai.net/gy/upload/upfile_1415940_1436968214.jpg
hxxp://a1165.b.akamai.net/gy/404/style/image/txt_title.ie6.png
hxxp://a1165.b.akamai.net/gy/404/style/image/bg_corner.png
hxxp://qzone.qq.com/gy/404/style/404style.css 1.105.192.18
hxxp://qzonestyle.gtimg.cn/ac/qzfl/stat.js 188.43.72.42
hxxp://qzone.qq.com/gy/404/data.js 1.105.192.18
hxxp://fonts.googleapis.com/css?family=Open Sans:400italic,700italic,400,700&subset=latin,latin-ext 74.125.143.95
hxxp://qzone.qq.com/gy/upload/upfile_2568273_1436523556.jpg 1.105.192.18
hxxp://qzone.qq.com/gy/404/style/image/txt_title.ie6.png 1.105.192.18
hxxp://qzone.qq.com/gy/upload/upfile_3165952_1436968159.jpg 1.105.192.18
hxxp://qzone.qq.com/gy/404/style/image/logo_baobeihuijia.png 1.105.192.18
hxxp://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=954852177&si=19c9dab3ab926f7f84b51ac9a3d72f37&st=1&v=1.1.2&lv=1&tt=Neeao | 信息安全、程序开发、脚本技术 220.181.7.190
hxxp://qzone.qq.com/gy/upload/upfile_4270811_1436692558.jpg 1.105.192.18
hxxp://qzone.qq.com/gy/404/style/image/bg_page.png 1.105.192.18
hxxp://qzone.qq.com/gy/upload/upfile_1415940_1436968214.jpg 1.105.192.18
hxxp://qzone.qq.com/gy/upload/upfile_6284563_1436686486.jpg 1.105.192.18
hxxp://qzone.qq.com/gy/404/style/image/logo_tencentvolunteers.png 1.105.192.18
hxxp://hm.baidu.com/h.js?19c9dab3ab926f7f84b51ac9a3d72f37 220.181.7.190
hxxp://qzone.qq.com/gy/404/page.js 1.105.192.18
hxxp://qzone.qq.com/gy/404/style/image/bg_corner.png 1.105.192.18
hxxp://fonts.gstatic.com/s/opensans/v13/u-WUoqrET9fUeobQW7jkRfY6323mHUZFJMgTvxaG2iE.eot 173.194.113.223
hxxp://qzone.qq.com/gy/upload/upfile_2835045_1438133394.jpg 1.105.192.18
hxxp://www.qq.com/404/search_children.js 188.43.72.51
hxxp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443 188.43.72.51
pingfore.qq.com 163.177.72.141
30434.q-zone.qq.com 1.1.1.1


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /h.js?19c9dab3ab926f7f84b51ac9a3d72f37 HTTP/1.1
Accept: */*
Referer: hXXp://neeao.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: max-age=0, must-revalidate
Content-Encoding: gzip
Content-Length: 7924
Content-Type: application/javascript
Date: Thu, 27 Aug 2015 00:57:16 GMT
Etag: 00288249d01a7342cdf33311b0c0d3a0
P3p: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Server: apache
Set-Cookie: HMACCOUNT=81DD77E195A915E4; Path=/; Domain=hm.baidu.com; Expires=Sun, 18 Jan 2038 00:00:00 GMT
...............(function(){var h={},mt={},c={id:"19c9dab3ab926f7f84b51
ac9a3d72f37",dm:["neeao.com"],js:"tongji.baidu.com/hm-web/js/",etrk:[]
,icon:'',ctrk:false,align:-1,nv:-1,vdur:1800000,age:31536000000,rec:0,
rp:[],trust:0,vcard:0,qiao:0,lxb:0,conv:0,comm:0,apps:''};.[{w.6.....F
..a..d;.V4.M....I:M...Y..IHb..BR..K.}....$&..n....yq_...f-2k.....OVQ.2
~<p..................{.....N!..N.:.."..U..'3..T...t..g.."....N...Q.
.aG.....D2[..4zUU.MS.e..P.kKS~..2nkY.. D....... .qr?.2qn...o6}.%....8.
.l^`k..(.~..b.w;6....j. ...7'...........c...A\. ..:...%o..D!Y.......gV
.h..Q.....A2.".K8.z][:A..0....%..*..P.....;.S5cA7.X/o.a&sh..".....E.&3
.V..*.[..U&.Vn..#....}&.U.%...=.]..~..(."....;[email protected]:......Z.
S......e....T<.$...{[email protected]...~.f..=...................i i.3.P.@...
R.4...)....%..-..nY.r.l.bb....EK..Lr,..z.?|.")....3..'.......t.n..cob.
.....).....tU(w..o.,.".DrZ..|Q.s;...j.......To..-R y..>..Y.j".....k
....l43.Uw.d...NO......4).............Y.(.?W#..vf'~./#YH.97........-.f
....I..N9v....$,M.,L. ec...D.J.d.Z.j..(...."...[.xr.La.[9..A7..2.p..w.
,../......Z.E]..x.*=.\.4../...O.Z%.~.MU.t.N.C5.v.vV-.O.......\.s..nAX.
...X"...Pe.?.....H.o..$3.../.D..l.P.0..9.... ...5..L=..S..v=..k..W....
.."Z......FC.D.4..t.xX<.j........t.....>..jMj......./8% .7&.....
....`:.i\ ..*...e$|i.w.1s............\....... }R.:.s..}.}.G.3.R....%..
\.>.........j...!.*.kz..h......K..(..=......_F..U,...b...*N...bF..1
|x}[email protected]..............@N...~Xn..qu.d.{2...0..&a.`.....p.#..
Fh..#.t([.4..H..z..(..8Dg...S).rb....|F....d.....|L.d....b...H.bS.

<<< skipped >>>

GET /hm.gif?cc=1&ck=1&cl=32-bit&ds=1276x846&et=0&fl=11.6&ja=1&ln=en-us&lo=0&nv=1&rnd=954852177&si=19c9dab3ab926f7f84b51ac9a3d72f37&st=1&v=1.1.2&lv=1&tt=Neeao | 信息安全、程序开发、脚本技术 HTTP/1.1
Accept: */*
Referer: hXXp://neeao.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hm.baidu.com
Connection: Keep-Alive
Cookie: HMACCOUNT=81DD77E195A915E4


HTTP/1.1 200 OK
Cache-Control: private, max-age=0, no-cache
Content-Length: 43
Content-Type: image/gif
Date: Thu, 27 Aug 2015 00:57:17 GMT
Pragma: no-cache
Server: apache
X-Content-Type-Options: nosniff
GIF89a.............!.......,...........L..;HTTP/1.1 200 OK..Cache-Cont
rol: private, max-age=0, no-cache..Content-Length: 43..Content-Type: i
mage/gif..Date: Thu, 27 Aug 2015 00:57:17 GMT..Pragma: no-cache..Serve
r: apache..X-Content-Type-Options: nosniff..GIF89a.............!......
.,...........L..;..


GET /gy/404/page.js HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Thu, 11 Jun 2015 09:41:30 GMT
Content-Type: application/x-javascript
ETag: "557957ca-2f05"
Content-Encoding: gzip
Content-Length: 4536
Cache-Control: max-age=600
Date: Thu, 27 Aug 2015 00:57:15 GMT
Connection: keep-alive
Vary: Accept-Encoding
...........:ks.8... .$%......E......V.>f'sWu.W....."e.........S.=.^
mM...F..................(...C.<??..`.."J.^.a .k.n4A...O.0h...!....A
..*,....w....;. ~....^......].kks..N...K..n.CZ.......r\.;....X......G
......us8 .....s.u..........P....4.2.....?.*. ..S-.Xc.k.sM."q.|...u...
....V.~?...h#.].L.?y....{j.{.f....Q.....H...<......`.....?Fy!..]...
[email protected]$M$M9..C....\w....`..H...(.....3..}..FcJ.....['.`>
....p[<nE..X.......<W5.X$.".ARi......~.9|0P3.J..~k...(.N.XF.....
.....J...F....OS$j.....?f.8...,...t.......o.......LJ...83W..D. .N."...
H..6K........~.......V.....G.....B.........z....~5W3.......A..L..{j..q
.r..F.K-<?{..0..\.s5.~.....0..._.4...(vY.cF.\ ........./....j].94F.
.....m...C........=[.....b..6........e.......g.....d4b0jv..A`..n6c..^.
s...m.....q-..Mp.ol!1C_.....S..m..b....s `.q@....../..F....ua..[b2.2de
.#..s.........0.&8j:.v'[email protected]_.......&.....NP5..3....N*.Gb.
.....[.....bW.6.........p...vP..)..@!.m..l}.S...Vh.f..)...}[....j..G..
...R....E .....?........jf&P.c..G....WY...Hw....s.Q.[ik...`..Ld..W....
.?3.sYD.f....:...A..Q.%_Z.D.N...5..x.]V.F.Z.Y.G.U...x.......S.C.ox....
........n!@[email protected].$.........Eyd..|..V..)h.{.~c..)...[...&.....&l
t;>.:v..............n....#........`.....L$......D...P.Y....0...CD.K
..?.......^.@..<.[.(,....\.9l...{u..\.)N9C.2.L..cw...0....n........
...../...^...t.m....=..:.`l.I....$......b;7.6...K...C....W8eX......8.V
....x.J...8.3..Pp*.e.>.i......~.#Po..QA.9....3...Xi........3M.5.`..
...4.{y....8..[{RD..*$.Q.8D.M {........Z%./.s.#.....(.....(.R"...e

<<< skipped >>>

GET /gy/404/style/image/bg_page.png HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Wed, 31 Dec 2014 12:21:54 GMT
Content-Type: image/png
Content-Length: 14998
ETag: "54a3ea62-3a96"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:17 GMT
Connection: keep-alive
[email protected]\4....tEXtSoftware.Adobe ImageReadyq.e&
lt;...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:6994F5C37BDB11E4AF49CE
8655D24E0A" xmpMM:DocumentID="xmp.did:6994F5C47BDB11E4AF49CE8655D24E0A
"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:6994F5C17BDB11E4
AF49CE8655D24E0A" stRef:documentID="xmp.did:6994F5C27BDB11E4AF49CE8655
D24E0A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta&
gt; <?xpacket end="r"?>...L....PLTE........................sss..
......................................................................
......................................................................
..............yyy.................................vvv......}}}...|||~~
~...wwwttt...uuuxxxzzz..............$...5.IDATx....{.H.n..0.D"..E.,.ng
{:..3..w........*d. EJ.$..<..I....Po}.*............................
.....................w..A.c$..`....(..._/:.l.........c.hm.R...2..=.'BQ
.$....1R.f.......U.#.gt..ep..`.....kOSlE.M.s.t}......WZ.._Q.f.........
GG13..N&.k.4.........fSy.AP...`...b-....v.A...GS.........~..2>.

<<< skipped >>>

GET /gy/404/style/image/logo_tencentvolunteers.png HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Wed, 31 Dec 2014 12:21:54 GMT
Content-Type: image/png
Content-Length: 3588
ETag: "54a3ea62-e04"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:17 GMT
Connection: keep-alive
.PNG........IHDR...2...2.....).x.....tEXtSoftware.Adobe ImageReadyq.e&
lt;...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:998480E67BD511E4AF49CE
8655D24E0A" xmpMM:DocumentID="xmp.did:998480E77BD511E4AF49CE8655D24E0A
"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:998480E47BD511E4
AF49CE8655D24E0A" stRef:documentID="xmp.did:998480E57BD511E4AF49CE8655
D24E0A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta&
gt; <?xpacket end="r"?>...Z....PLTE.....r.....I........A........
I........=.v...N....................N..h.......x...............`..D...
..9..^.t...P..d..5..Z..R.....2..E.|...i..........z....................
.l..............V.....X.................7.....|.......~......n..'.....
... .|......b..\..,..0....r...:..D...........v..............p..z.z..{.
..T..*........"........K..b.....V..z..................................
.......0...........$..........................:..8...........X..&..T..
$........x..e.."..............3..-.............y......u.._..&..... ...
........!.....!.......................... ..m........~........L...

<<< skipped >>>

GET /gy/404/style/image/logo_baobeihuijia.png HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Wed, 31 Dec 2014 12:21:54 GMT
Content-Type: image/png
Content-Length: 3725
ETag: "54a3ea62-e8d"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:17 GMT
Connection: keep-alive
.PNG........IHDR...x...2......y......tEXtSoftware.Adobe ImageReadyq.e&
lt;...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:6994F5BB7BDB11E4AF49CE
8655D24E0A" xmpMM:DocumentID="xmp.did:6994F5BC7BDB11E4AF49CE8655D24E0A
"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:998480E87BD511E4
AF49CE8655D24E0A" stRef:documentID="xmp.did:6994F5BA7BDB11E4AF49CE8655
D24E0A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta&
gt; <?xpacket end="r"?>F.......PLTE....VF..............k........
.....=<....B6.......... .....$......D.......... *....[[.......2E.#6
.*=..........zz.......3)..2.Td....CB....bq.z8.......x6.LK.fe.$$..$....
.U.................[.......M^....Zj....SQ.w4..s....si.......54........
...........~>.............m{.............sr.tt.u...................
..........................A.q}................mn..z....@R....|<....
...21....FV..".^l.~~.IE.....*.=N....}.....IZ..........&:.......y.....:
4................%..............9L..,....i[....9J.....(..}.41.{:.`o.hg
.........................`^........N....iW.cR..........ft.).....\j

<<< skipped >>>

GET /gy/upload/upfile_2568273_1436523556.jpg HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Fri, 10 Jul 2015 10:19:16 GMT
Content-Type: image/jpeg
Content-Length: 12912
ETag: "559f9c24-3270"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:17 GMT
Connection: keep-alive
......JFIF.....`.`.....0Exif..MM.*.......1..............VVV.meitu.com.
...C..................................................................
..C...................................................................
......................................................................
}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUV
WXYZcdefghijstuvwxyz..................................................
......................................................................
......w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFG
HIJSTUVWXYZcdefghijstuvwxyz...........................................
.........................................?..6.........b..;#...y.wg..i.
p....<..i.:p.....&..F.'.GZ...>.)[email protected]../..
O........G...W<..v....%...~ ../Y.Q..51...WA..'......Q.vA......R.d.e
t..*]..U..s...=......3E.P]...W.!f..c..g....4Y}..[]./...W...<......m
..d...,{ea!.....w...,.2.x... ......../...q.%.9.q...&...X..R(..A...^..T
....rN:[email protected]..\..H.A".V..M.%........gr.21!s.1`z.......
RH.*..I<......L.G.l....G.........q.AN3...[....`.|S>.K......'.{N'
...wG.~.....g3.;/.....5.....<;..O.o...z.....M..Q.\;..Fz.j....;.....
...../.....O..h.....`.9^.JFn.t.X..zw.Cw3q}..#*|...Pk..\..&`..l...u.m..
..Xd.".H.....rF{.V5..r0w.J.t.I..F9.z..1.N...'..wCZ.o3u...7. ..\.q.*..R
e....8..........K.9...S..........S.=.......x.U...Y~..}5r..[#...=...GS.
..i ...H....DH^...q..p..O.n..;3..>.?.x.?`..R....# V.m...6..3.....e.
..9.ADE.....NsR..){.R...%..Tc.&.I...Z...9.G.Vzt.....A..a.|.#4....s

<<< skipped >>>

GET /gy/upload/upfile_6284563_1436686486.jpg HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Sun, 12 Jul 2015 07:34:46 GMT
Content-Type: image/jpeg
Content-Length: 47609
ETag: "55a21896-b9f9"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:17 GMT
Connection: keep-alive
......JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG v62),
quality = 100....C...................................................
.................C....................................................
.....................^..".............................................
...............}........!1A..Qa."q.2....#B...R..$3br........%&'()*4567
89:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...................................
......................................................................
.....................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&
'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................
........................................................?..i.....?...j
.U.............K.Uz<..o....\.,Q..~..z...~..z(...........O...^..|e..
~.~e.*.W.........>.......t._..G,.8...\..d.......u..4'.....O..c..Y..
..._..=s..`y?.>'iZ?. ..7.;........|..O....u.........zu. .XWe..v..3.
^#....}?... twj.....{.s....M..x...\.8....x?.>0_^....:..v...........
.>y......?...........k..a...._.....U....l......'.d........u/.j.....
.....{...Zi.......n..V........G....~..x..5...........o..v.4<.......
...[..U..u.o..f.....U........."......Z..E.W..g....Z......1Y......?....
...O...........Pua.?.o_....Ag......\.... B.J...1....?.._....o....?4.e.
.........~=..6.........w]........xW.v..Ko...........| ...b..n;{..@....
xo'....{......4..j........>.....y.........'.lV.6..1...-..K....~.Cy.
........~.`..........~'Ay.x/.?.?.?.9.W.i.*.....O..3^w...........2|....
.....m.._...v........._...?.._...?...bp......./.Vd.i[Ue......b....

<<< skipped >>>

GET /gy/upload/upfile_3165952_1436968159.jpg HTTP/1.1

Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Wed, 15 Jul 2015 13:49:19 GMT
Content-Type: image/jpeg
Content-Length: 27181
ETag: "55a664df-6a2d"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:17 GMT
Connection: keep-alive
......JFIF.............0Exif..MM.*.......1..............VVV.meitu.com.
...C..................................................................
..C...................................................................
....@.................................................................
}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUV
WXYZcdefghijstuvwxyz..................................................
......................................................................
......w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFG
HIJSTUVWXYZcdefghijstuvwxyz...........................................
.........................................?..$........!..kQ...[.Y.I....
[email protected]/...h.Q.4...d.}..L......5..2....o's.u...2<A..uH~.n.f
_........|.."..".v.F.........p4,.?wYJ$.j..w.t.)D...cq....2.#.uO2.....=
e....G....y..sr.#l.Q..........2;..O.....U.Uk.../....7}............*..q
.y.......vZS......j....4!...5.....m]..P...E...jT....s...M....6t......s
..I\.|;.....#M......@......|.".,4y.IEy....=LD.)E...:....^.s......Mp...
...~...'...>.......Dv.._.<...<..g.......Q....._|..F.i5......1
...$(.8.ZC8.U.. E..e<..N.R...."m1D..{....8....[.h&o.uh:.^O.b..#o*.$
.7....`G.....v.K.z5]... [email protected].`f....Y....n...m...
.h..i..Y..x4....Kg.U.4J7.u....w....:.jmQ...'.\..........ti_w.7.yk...a.
....u...a_.......6.l{bWX...C.....V_.}../.Y.S.u...|./..@...|..h...uj.`.
r.=m..v.OR..z7......n...3Fe.#s|..`;j....bD...7....E......FJ.5.I...(.&.
.'....-.t?..K.J="...[k.q.#~y<g.S....... .=.JP.Qn.u..}....&..k..

<<< skipped >>>

GET /gy/upload/upfile_1415940_1436968214.jpg HTTP/1.1

Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Wed, 15 Jul 2015 13:50:14 GMT
Content-Type: image/jpeg
Content-Length: 113765
ETag: "55a66516-1bc65"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:17 GMT
Connection: keep-alive
......JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG v62),
quality = 100....C...................................................
.................C....................................................
...................U....".............................................
...............}........!1A..Qa."q.2....#B...R..$3br........%&'()*4567
89:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...................................
......................................................................
.....................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&
'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................
........................................................?..~.,....>
.,....>=h....g..?...Z.........K;_...8.....v.s. v.].....i.......t...
.:.............>..*......O...z..g...=.... ......^.....Z...y..[.g.Y.
......NkF.......}....h.......;.]>..3.......6.....^.....g...Z.~.....
.@...../.o..hY..c.w..=.s...Y....V....w.......=7]....>....Ns.s...^{.
k.*.......^..%.......K...~......2......?.....[...jZ....1.4.7....~?....
U^k...I. ...v...&_.o..~...?....g.._...k...........rC..v...x..J....)...
.b_..?...........Y.sU.:7..o........}]gk..O^...........~#._.,...u......
....Z.G)..k.........>Q...y.j.z....t.S..?..s... ?...A.V....i.....9..
. >...F.T.b..Y.>..'.o.?.W.........Y..x....O{....#......>.../.
>......i)l.~'..._L.;5f.&.....g..?..Eg..?..;g..?..Eg..?..."..G.....}
......j......}z.V......QE....}....u..........`.....Wa.o..h_..?......K.
m..../..>........z.._.5xo..f................_H|d..........9....

<<< skipped >>>

GET /gy/404/style/image/txt_title.ie6.png HTTP/1.1

Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Wed, 31 Dec 2014 12:21:54 GMT
Content-Type: image/png
Content-Length: 6502
ETag: "54a3ea62-1966"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:18 GMT
Connection: keep-alive
.PNG........IHDR.......F........'....tEXtSoftware.Adobe ImageReadyq.e&
lt;...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCe
hiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk=
"Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> &
lt;rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#">
<rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1
.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http:/
/ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photo
shop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:72A4BF7D7BC911E4AF49CE
8655D24E0A" xmpMM:DocumentID="xmp.did:72A4BF7E7BC911E4AF49CE8655D24E0A
"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:72A4BF7B7BC911E4
AF49CE8655D24E0A" stRef:documentID="xmp.did:72A4BF7C7BC911E4AF49CE8655
D24E0A"/> </rdf:Description> </rdf:RDF> </x:xmpmeta&
gt; <?xpacket end="r"?>R1>....0PLTE^^^............iii........
....sss~~~..............=.....tRNS.................#].....IDATx..].b..
.5;x....k6.E`............!..i...m..<.....%G.......5..$.....}..i....
.;......1.Y,.....i.........'..M _76..Y..._=..-..i.b.%.. ..rq.....8..G.
.Q..=.i...rv6..iz..E....."..=.L...]...q..%_...}....E.r..8.........Co..
$. ^.s.....?....v....x.-.la..>.y.1p....K<.FU....a....Z....z.....
.'..\..DLt.8%h.y..%.7s..r..Z.EmH..u.....h...u..y8..c.HK.............&l
t;.K-......6fWN}$uF..zL....V.MK....h/[email protected]".d.....n!.0"....x...%|.M.
.....}.....Xf...Td/w..........a..>[email protected]?......R,......

<<< skipped >>>

GET /s/opensans/v13/u-WUoqrET9fUeobQW7jkRfY6323mHUZFJMgTvxaG2iE.eot HTTP/1.1
Accept: */*
Referer: hXXp://neeao.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.gstatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: font/eot
Last-Modified: Mon, 27 Apr 2015 23:47:02 GMT
Date: Wed, 26 Aug 2015 20:20:36 GMT
Expires: Thu, 25 Aug 2016 20:20:36 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 28499
X-XSS-Protection: 1; mode=block
Age: 16598
Cache-Control: public, max-age=31536000
......n...t.UP.N..;..;......>hpw.. ......K...............}.......Z.
.........H..........!".#..@...... ...~...&T.)&..[Ep...i.!....W..M.....
._....?..........|...y^.9D......N..................*j...........~\..Z.
.Y....=..p.h.X:[email protected])v.n..F!.a&....Q5=...O.|.)....vz.7
...J......k......!....B"%.9..z.j.k..}..u.~...o.I....UT.JJ..?.t...r ...
!..`*bX<~....:.Gc..zj......eWAZ.....sf....c..H{w..... ..`..P...f...
..0.8.]-Z..,..e!J0...t.c..J9".e&R.q.8.k......... .....K~.....c.9. Q4.{
..r.I|...I:......p5.v..g...v.<PZ]b.~v...6...;..1(....=.]..[....S...
...W`.....QMu...8.G.......[.....Xt.........*sR..B......<^..M.p. AKQ
.Pn].....K..D#D......"/........r.\....:b.Pu.A.W.\..g.l.~..........%.'4
.....(..X...z.F....E%...2....mB.G..].,C...I.y.UI1.s..\v$..i...np.^..R.
.SA:....E`...8.L.8=..T!.6....?r...W5%..........(..M.........i28Sn.....
............0|?......g....&..m...m?...Dw.:.DXU(013..{...L L.p92....z..
iirti..../.i]?.o.......vx....4......}.....tD}S .....l,.....7......Vi..
..<.|..&..;.....9s=#.......y...E.. <..T.YC..O.N.;...O.&g<...,
...'<.p....41.h.:..B....@-..... .?U.O{6.X.p...9.xc{...b..3Y..... D.
....r...2t.G..Z.f]..d`WE.{F1d.H....|.hS..sae..9FA,.#..D...5.....-.....
.]..8G...09.......4..E<FZ..o.....k.....7.....dWS..B7?.....l{!^....3
\..O0g........S0_QwR.4.l..f..t...Y.:y...b.L.N..5..4. .........'..(..G^
U......i?.X......5..i...n...4....;...9..{..k1..T.SU8.z...(0T...!......
..Z..J.%..3]...I.k...:.!.C.../]_}6...BE...H..<.m.0.<w.(.z.......
...".....4.....DL.W9...m....W...l.....eAK$c......9..p.d4....p..

<<< skipped >>>

GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: neeao.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Aug 2015 00:57:13 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.28
Set-Cookie: PHPSESSID=kmmrh2tflq6od56ce2p5qsr1i1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
X-Pingback: hXXp://neeao.com/xmlrpc.php
61f6..<!DOCTYPE html>.<!--[if IE 7]>.<html class="ie ie
7" lang="zh-CN">.<![endif]-->.<!--[if IE 8]>.<html c
lass="ie ie8" lang="zh-CN">.<![endif]-->.<!--[if !(IE 7) |
!(IE 8) ]><!-->.<html lang="zh-CN">.<!--<![endi
f]-->.<head>.<meta charset="UTF-8" />.<meta name="vi
ewport" content="width=device-width" />.<meta name="baidu-site-v
erification" content="ZxfsFzkW7N" /><title>Neeao | ..........
................................</title>.<link rel="profile"
href="hXXp://gmpg.org/xfn/11" />.<link rel="pingback" href="http
://neeao.com/xmlrpc.php" />.<!--[if lt IE 9]>.<script src=
"hXXp://neeao.com/wp-content/themes/twentytwelve/js/html5.js" type="te
xt/javascript"></script>.<![endif]-->.<link rel="alt
ernate" type="application/rss xml" title="Neeao » Feed" href="ht
tp://neeao.com/feed" />.<link rel="alternate" type="application/
rss xml" title="Neeao » ......Feed" href="hXXp://neeao.com/comme
nts/feed" />.<link rel='stylesheet' id='twentytwelve-fonts-css'
href='hXXp://fonts.googleapis.com/css?family=Open Sans:400italic,700i
talic,400,700&subset=latin,latin-ext' type='text/css' media='all'
/>.<link rel='stylesheet' id='twentytwelve-style-css' href='ht
tp://neeao.com/wp-content/themes/twentytwelve/style.css?ver=4.1.7' typ
e='text/css' media='all' />.<!--[if lt IE 9]>.<link rel='s
tylesheet' id='twentytwelve-ie-css' href='hXXp://neeao.com/wp-con

<<< skipped >>>

GET /wp-content/themes/twentytwelve/style.css?ver=4.1.7 HTTP/1.1

Accept: */*
Referer: hXXp://neeao.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: neeao.com
Connection: Keep-Alive
Cookie: PHPSESSID=kmmrh2tflq6od56ce2p5qsr1i1


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Aug 2015 00:57:14 GMT
Content-Type: text/css
Content-Length: 35917
Last-Modified: Fri, 06 Dec 2013 02:23:10 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "52a1350e-8c4d"
Expires: Thu, 27 Aug 2015 12:57:14 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
/*.Theme Name: Twenty Twelve.Theme URI: hXXp://wordpress.org/themes/tw
entytwelve.Author: the WordPress team.Author URI: hXXp://wordpress.org
/.Description: The 2012 theme for WordPress is a fully responsive them
e that looks great on any device. Features include a front page templa
te with its own widgets, an optional display font, styling for post fo
rmats on both index and single views, and an optional no-sidebar page
template. Make it yours with a custom menu, header image, and backgrou
nd..Version: 1.3.License: GNU General Public License v2 or later.Licen
se URI: hXXp://VVV.gnu.org/licenses/gpl-2.0.html.Tags: light, gray, wh
ite, one-column, two-columns, right-sidebar, fluid-layout, responsive-
layout, custom-background, custom-header, custom-menu, editor-style, f
eatured-images, flexible-header, full-width-template, microformats, po
st-formats, rtl-language-support, sticky-post, theme-options, translat
ion-ready.Text Domain: twentytwelve..This theme, like WordPress, is li
censed under the GPL..Use it to make something cool, have fun, and sha
re what you've learned with others..*/../* =Notes.--------------------
------------------------------------------.This stylesheet uses rem va
lues with a pixel fallback. The rem.values (and line heights) are calc
ulated using two variables:..$rembase: 14;.$line-height: 24;..----
------ Examples..* Use a pixel value with a rem fallback for font-size
, padding, margins, etc...padding: 5px 0;..padding: 0.357142857rem 0;
(5 / $rembase)..* Set a font-size and then set a line-height based

<<< skipped >>>

GET /fcg-bin/fcg_zone_info HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: boss.qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Connection: close
Server: QZHTTP-2.37.1
Date: Thu, 27 Aug 2015 00:57:16 GMT
Content-Encoding: gzip
Cache-Control: no-cache
Content-Type: application/x-javascript; charset=utf-8
Content-Length: 140
[email protected],IT...VJ.
,......V.WR..04..Q*(./..KNE(*,M.*)J...T...._.Tlbb`fln`lV[..i...x`.....
..


GET /gy/404/data.js HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Wed, 26 Aug 2015 06:42:47 GMT
Content-Type: application/x-javascript
ETag: "55dd5fe7-266d"
Content-Encoding: gzip
Content-Length: 2863
Cache-Control: max-age=600
Date: Thu, 27 Aug 2015 00:57:15 GMT
Connection: keep-alive
Vary: Accept-Encoding
...........Z[O.I.. ._.....K.h.m.}..}[."C.......d.Y..1.6....!.CB..c....
....~......%Y.I.6...U..n....wN..g..lv..S............z..>u?r..#..?.w
.q?p..<..i....&:[email protected]..'>.y......x.Yaq
..N.....W9...*.[.c....O..c.<..M?z.....^...|926...........<......
O8QR8.....$r.(J#...l_hz.3F......!.9=...&...G...........^&. ..h.Stz....
.........gjt.;.....1..713.y:.J..I..0;2.{>.y...=.W3...%#.I..j..V....
..k(.F.....U.0....c..~.......yD. .........q&.......dgQk.Ib....I.Av..8.
./...VH...~.V....},..5....=....&.g.~..0.'..i...:..<.2.Vy.0.r.../K..
K..Oz..Ks..p_g.<8...P..}i"..D...i"q. J.M$E...4..8.'.&.B..w.&z(..Sh.
f.R.v.<B.Er.B....sB....qv4...d.....#{.(.... .5'w...<....|A.l.D..
I.Oj.0..9R....~........jI....K:....S:..8.7....$....I.wI..j.]...:$.....
g.....$.8.QX.".....WK......".._.\[email protected].)1d.....50.p....t.q.J.....=
!(.#(u.$...J......m..l.d....A.U.3.T%...~.j....8}id.4.4vhZ.\k.u...P....
;@..m.*<0:...Y....%..t.n.6.;..c?A..t^.[... .F.=...x/..nT"..T.8...Zz
....v.57I..5..A.........@ I.<a...Q....R.E[Jp.2......f...}.....^S...
..9*..K.70.eW.a....!..9.........l.........G...'...(..D.............qnP
DE..UV....$..x.J.....%.t...<...z....?l..:.S.d.6.....1kgj.P.n.....).
........1..8..c.3.A~.a.a.27vL.7k.",02..."..<.../..K......../...m..n
.X8E....C...qDC8.....{4..sZm.E..<...........bk.).L..._D...|D2A|....
..........y.&%(...>,q.Q..%.e.S].-%..2...j...N.....P..{N(.rB.U.....^
bGF.O...r.E...8.....7.i......Q.V..nM..I.\/... [email protected];B...$
e..................;[email protected]..;J?....^d....j...z....s:.

<<< skipped >>>

GET /gy/404/style/404style.css HTTP/1.1

Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Thu, 11 Jun 2015 09:41:30 GMT
Content-Type: text/css
ETag: "557957ca-2d70"
Content-Encoding: gzip
Content-Length: 3441
Cache-Control: max-age=3600
Date: Thu, 27 Aug 2015 00:57:16 GMT
Connection: keep-alive
Vary: Accept-Encoding
...........Z.s.........tbiH..D..'3.C..L...NF..G.b...P.V4#7.%9.G.4.....
;V.ZNSG.eK.g..|.........D9.eP...vo?~............?|..v.Lf.Y..9...].....
..5.0..~.m..L.Jn6..gs91...N...w.?....t...?.......I.........m..........
.}...}.......}..{.e../.{....ro]...-..k.............I@.>..9.E.C.i.de
|.AY...INQ~sn|.j..U&........z.n.mC...h.....dv.V.3'..%'k..4.j..m.=.3.m.
i......s.Z5.\,S]g-..|m....F-f...l9..k...*Lg.2...u.^..>..w....~.....
..po~......F...{wG..t.{....S..Z.p...........r.h:\.\Z.....Kg......k..Y.
.p.3.e.....|.L......Ma......f......ZT....P..V.Tt.z.B.t..i.........42D.
.V...j3..QGe..l.U......mq.`. nPU...n..I.v......"....Zuf....n...u._.B..
.z.G.....O..=X.>;..?~H..k.....;...t...*l......8g>...'P..G.5f.tu.
,t...m..`..XP...p4#3..3.f%..d...]4.&x..}......... .....?..x....w..~.m.
.n.u.....C....w..........oq..P:$.....tn.D..R..&.U.&.J....i.5.,.....5..
...Y.B..eM.K.}.s..6.....d:..A...6R.A.`.!.$...8......}.:...u..t..p7....
......m].l.....].^\.n...0.W........i.h.21L4......[G..'.s.D......].n1..
azR-.Y ....L..W.d.hN!.7.`u.F.G[...=....5......o.....JY..6f..5!z......S
...A....9.8.....5.KE.. Ld...R.d.......<......2.P.*A........."v.E..A
\.L.{.....VeN.b.)...]I.".Y.).h......$.%@..=.....{.?........FF.N"o?.T.%
.G.B}..q.'4...O....v......h..Z.....?.6.p.....G._....@.}.....&s>F7o[
6..e2`e.\j..5s..O.{_~.f.........{.].]..*..njf.mg.a. -D.......$......k.
...iAH....1?.(.....Uf...x{.....e6)&...v..#......yh...R?P<U...y}k...
..F....x.Eu.... .......U.0u.}.(.8....f.....u...A.C.........f..>..;.
,fQ.q. ....~u.]..m...v....oB.A>R :%......Q.@......|........ ...

<<< skipped >>>

GET /gy/upload/upfile_2835045_1438133394.jpg HTTP/1.1

Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Wed, 29 Jul 2015 01:29:54 GMT
Content-Type: image/jpeg
Content-Length: 124656
ETag: "55b82c92-1e6f0"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:17 GMT
Connection: keep-alive
......JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG v62),
quality = 100....C...................................................
.................C....................................................
........................".............................................
...............}........!1A..Qa."q.2....#B...R..$3br........%&'()*4567
89:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...................................
......................................................................
.....................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&
'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................
........................................................?..........Z..
..T..G......n...cX...}b.G....S\.].........._.z..> hV....n....6.....
:[email protected]]R...G...k..........?.j.wo..N.sK.J...Mm.z....
%..].og...7......,.n.......?....\..}E}.q..sovd.0.M.."....1...........z
..4...~..K.c....E.'._.....}o......y../@.u.\.._.O.....cO.?je.4q.j......
.%[email protected].;j.\...._u.?._..,.A...q.}.M....S;.N...?..%.kF......L..
..... |D..u..<...I.u..}\h:....w..0..}CX..>.>.......G........~
.xO........Sx_.....;._.W~ ........M5O..k..8......9..;Q......}..M...KV.
.4....t.SK...h....J.'..A...5..k.Q....S.H..H...__..=?........o...${_E..
...m{X...O..G.~g.....<UO'.....W*....:U.n..B-5..n.....<...K.5..k.
'..o..Y.~.B........5M..c...$...2.Z. ........xK.._.?..6~.....n.q.......
/X........C.5... ...,~.>4.....;........f.A.y....?....>.#.NpG5.|D
..<Q.......*.S2...O.4.........E......gnF0rA.|G..g..............

<<< skipped >>>

GET /gy/upload/upfile_4270811_1436692558.jpg HTTP/1.1

Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Sun, 12 Jul 2015 09:15:58 GMT
Content-Type: image/jpeg
Content-Length: 146648
ETag: "55a2304e-23cd8"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:17 GMT
Connection: keep-alive
......JFIF.............<CREATOR: gd-jpeg v1.0 (using IJG JPEG v62),
quality = 100....C...................................................
.................C....................................................
[email protected]..".............................................
...............}........!1A..Qa."q.2....#B...R..$3br........%&'()*4567
89:CDEFGHIJSTUVWXYZcdefghijstuvwxyz...................................
......................................................................
.....................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&
'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz............................
........................................................?........}....
.Uy...f.'....O..r..L2y........S\]..'....3.g.......5..L_.......Z_n.i?}.
..L....\.........C...z..OZ.9...[..O..a..8......Z...z.[......~.....r.e.
...o...X...T"..V......V.'.O......{..a.k.w^w...t........>...I-f..0..
...\...Z...[.-..o..^3..._...?._..J........e...S[}....z.$3Mq4Sc.G<.y
.............=:u.. ..............:.x..^..q......lw0......A....q.5...u.
......#..J.s..'ug.\y.......^....~....C.........W.1.4bh~.....3.li.$...q
.................~..^M...._.r..j......O.;q...>..&.6.........g...N..
qja....X..#4..;x........o.....K.?.c...>....c........._....u.&......
O..~4.r.P......._..~=~..yS}....<z...Z............Og.............v..
...........?..u? ....F3..n.....#...]...H...w=!...3{........B.J].]S....
..........}....}7.....7.y....y..l...66...c.}.>..\.?wo7..........I..
........2G7........#........{.....>\..N=.....|.A....M...?......

<<< skipped >>>

GET /gy/404/style/image/bg_corner.png HTTP/1.1

Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: org-imgcache
Last-Modified: Wed, 31 Dec 2014 12:21:54 GMT
Content-Type: image/png
Content-Length: 2371
ETag: "54a3ea62-943"
Cache-Control: max-age=259200
Date: Thu, 27 Aug 2015 00:57:18 GMT
Connection: keep-alive
.PNG........IHDR...x...<.......~.....tEXtSoftware.Adobe ImageReadyq
.e<...$iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0M
pCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmp
tk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 ">
; <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"&
gt; <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xa
p/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="htt
p://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Ph
otoshop CS6 (Macintosh)" xmpMM:InstanceID="xmp.iid:58F2A7167BE611E4AF4
9CE8655D24E0A" xmpMM:DocumentID="xmp.did:58F2A7177BE611E4AF49CE8655D24
E0A"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:58F2A7147BE61
1E4AF49CE8655D24E0A" stRef:documentID="xmp.did:58F2A7157BE611E4AF49CE8
655D24E0A"/> </rdf:Description> </rdf:RDF> </x:xmpme
ta> <?xpacket end="r"?>..#.....IDATx...mh[U..O....i7l}.......
..M..2....e.0.a.....~......)~PA..A.........uS6E..8-A....j.M.&....{....
....{N..?B.{.....s.s.s.P.P`.Z.....x.X......`#ha...Y........Y....&...9.
-A.J......l.ZUd...`....Nk!p.].....{.m.}....0Q...B`.....}`m...;....N...
...1......-u".$x....{..~.,.v.<.SQa.....'F.Z..vl'x..)"..x....... .Lf
.N..HH*l.w.].../&h.;v.x..'..I.4.....u.....<..%.....A.7..,...c......
..[A.8..f|<~.<....f.....6.,.J.M..YiP>..F|k...).E{.O=">^.1.
...RL.....]v...>...9..JV.........%..,..H2Wv.....c.......]`.....^...
w..l..Bm...YC..<.?#c..R|..|V#...#.6..IV.]...W...C.W.FQI`.{.!z_.

<<< skipped >>>

GET /ac/qzfl/stat.js HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: qzonestyle.gtimg.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 3521
Last-Modified: Thu, 13 Nov 2014 10:18:36 GMT
Content-Encoding: gzip
ETag: "5464857c-2862"
Server: org-imgcache
Cache-Control: max-age=31104000
Date: Thu, 27 Aug 2015 00:57:16 GMT
Connection: keep-alive
Vary: Accept-Encoding
....|.dT....is.6.........L....4....f'[email protected].}..x.r...Nc.x
..}....K>.....;......`.....qp-bO....n.&...C].....c=(*.o..Tw...P..,.
.n..m..70~...|6.>S..I.-.........p......I.%.c8.i..r.......Bd..|...z.
!{.9EQR%.D..>........`.%..k.).1.H...t......?(p.....d...JWOp..R....t
... F.....s .......pC..Xsb..i........r<..:..Q.4..!L.-.M....g.9..-.m
...\...vb.=.......|N.{.........k..1...l.Q.od....:.~u..'V.C.a..R..~|Oj
...5.J.... ....7......S..S...RYGR....z"......n....P...=?...p.T../.^..&
lt;.S ..'rhl..V;............n.....l..iH.\..S.l|......k...........]....
......5Ma......."9.i`..il.@.....?.4CC.....u... ./A...@}C..........2.%.
x.sw..].B...Z.;.OR...4....k..UAx..~.f...h...... [email protected]..
.8....#=P...w.i.`.......8..`.I...A.`5.U.3...k`0...4..Y......8....__|..
.......U..Q7G(..7M.N...`..h..:.P..1.q...,[email protected];|T.:./....."s.V...6D.
m..."U.^I.&.....u.^..QJm9F[..6......%.......Y.=).... 0.m.c...2.=`.4.[.
.[..2.e......H..Y........0.5K.^...O.{q..m.[...`.3..y..0.8..........].[
..e.a.$....$.k....m........;.-\..M..~...83.....m}.........a.?....]....
)8....V...)...3.~.:..............t1w.z...Z~O.t...Y.....4W...d.n.....O/
.]<.|..#A....>~x.}.Ea&. ^......9....J;..|...-\....\......@n.....
...........<.<._<..........@n...}}...)......0...e@`.js.B.R..?
..N...:.LQD. .0c.dy.7....f......p..sV0.T."..d..(j..R.9.L.......l..y..`
U..$R`<......L;..na..J..2>.LY...R.1..o.R,......~..k..o.....o.v..
.f..h....h.z.........E....1n....._..:........[a.._....__.f......S..!.V
#...b.Q.di.<.Z...}0>.J.......l.'Rw.#n*..02].<?R:)......^.

<<< skipped >>>

GET /cgi-bin/cgi_client_entry.cgi?uin=5454443 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: u15.qzone.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: QZHTTP-2.38.18
Content-Encoding: gzip
X-Frame-Options: SAMEORIGIN
X-UA-Compatible: IE=Edge
Last-Modified: Thu, 27 Aug 2015 00:57:13 GMT
Cache-Control: max-age=0, no-transform, proxy-revalidate
Content-Type: text/html; charset=utf-8
Date: Thu, 27 Aug 2015 00:57:14 GMT
Content-Length: 607
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: qzone_check=; EXPIRES=Fri, 02-Jan-1970 00:00:00 GMT; PATH=/; DOMAIN=qq.com
Set-Cookie: _qz_referrer=; expires=Mon, 26 Jul 1997 05:00:00 GMT; PATH=/; DOMAIN=qq.com
[email protected].=....z.....:.Z.X.)(P.bJ..CA....RhG*iB..
b.m......U{j.y;...~.y.....z.........gO.........a$.I}.....dU.$./.....y8
[email protected]..*Rp...&.9$.......>.. ....JQ% ...../k..*.9.j...
.|.m....".{...>...rw>....2.{..y.U.,[.v..6......]t.....5..Uw;..R!
[email protected]}WO......( ..Rk.M.....a..r.K..M.c.D....3
[email protected]...!.KR.{.....F......c..{.e7....z.......7.
........n4..Z...lE]..p..S.cp[{...< ...5g?O..PL.....s..%...f........
.....J.k..b.?..V.k.e..~./1'N~.....0...mm.O@S^[email protected]..=Q\]].^Y.
.cQ.5.."...s9.....:.....".8"...?>.....gx.|.?...........o...HTTP/1.1
200 OK..Server: QZHTTP-2.38.18..Content-Encoding: gzip..X-Frame-Optio
ns: SAMEORIGIN..X-UA-Compatible: IE=Edge..Last-Modified: Thu, 27 Aug 2
015 00:57:13 GMT..Cache-Control: max-age=0, no-transform, proxy-revali
date..Content-Type: text/html; charset=utf-8..Date: Thu, 27 Aug 2015 0
0:57:14 GMT..Content-Length: 607..Connection: keep-alive..Vary: Accept
-Encoding..Set-Cookie: qzone_check=; EXPIRES=Fri, 02-Jan-1970 00:00:00
GMT; PATH=/; DOMAIN=qq.com..Set-Cookie: _qz_referrer=; expires=Mon, 2
6 Jul 1997 05:00:00 GMT; PATH=/; [email protected]..
..s....q.=....z.....:.Z.X.)(P.bJ..CA....RhG*iB..b.m......U{j.y;...~.y.
....z.........gO.........a$.I}.....dU.$./[email protected]..*
Rp...&.9$.......>.. ....JQ% ...../k..*.9.j....|.m....".{...>...r
w>....2.{..y.U.,[.v..6......]t.....5..Uw;..R!.tvrs3scd...N....jc...
[email protected]}WO......( [email protected].

<<< skipped >>>

GET /404/search_children.js HTTP/1.1
Accept: */*
Referer: hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.qq.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: squid/3.4.1
Content-Type: application/javascript; charset=GB2312
Vary: Accept-Encoding
Vary: Accept-Encoding
Content-Encoding: gzip
Vary: Accept-Encoding
Cache-Control: max-age=120
Expires: Thu, 27 Aug 2015 00:59:15 GMT
Date: Thu, 27 Aug 2015 00:57:15 GMT
Content-Length: 193
Connection: keep-alive
<<< gzip-compressed response body (193 bytes, binary) not reproduced; the raw-stream re-dump of the same response that followed it is dropped >>>


GET /wp-content/themes/twentytwelve/js/html5.js HTTP/1.1
Accept: */*
Referer: hXXp://neeao.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: neeao.com
Connection: Keep-Alive
Cookie: PHPSESSID=kmmrh2tflq6od56ce2p5qsr1i1


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Aug 2015 00:57:13 GMT
Content-Type: application/javascript
Content-Length: 2487
Last-Modified: Fri, 26 Oct 2012 23:25:44 GMT
Connection: keep-alive
ETag: "508b1bf8-9b7"
Expires: Thu, 27 Aug 2015 12:57:13 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
/*! HTML5 Shiv v3.6 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Lice
nsed */./* Source: hXXps://github.com/aFarkas/html5shiv */.(function(l
,f){function m(){var a=e.elements;return"string"==typeof a?a.split(" "
):a}function i(a){var b=n[a[o]];b||(b={},h ,a[o]=h,n[h]=b);return b}f
unction p(a,b,c){b||(b=f);if(g)return b.createElement(a);c||(c=i(b));b
=c.cache[a]?c.cache[a].cloneNode():r.test(a)?(c.cache[a]=c.createElem(
a)).cloneNode():c.createElem(a);return b.canHaveChildren&&!s.test(a)?c
.frag.appendChild(b):b}function t(a,b){if(!b.cache)b.cache={},b.create
Elem=a.createElement,b.createFrag=a.createDocumentFragment,b.frag=b.cr
eateFrag();.a.createElement=function(c){return!e.shivMethods?b.createE
lem(c):p(c,a,b)};a.createDocumentFragment=Function("h,f","return funct
ion(){var n=f.cloneNode(),c=n.createElement;h.shivMethods&&(" m().join
().replace(/\w /g,function(a){b.createElem(a);b.frag.createElement(a);
return'c("' a '")'}) ");return n}")(e,b.frag)}function q(a){a||(a=f);v
ar b=i(a);if(e.shivCSS&&!j&&!b.hasCSS){var c,d=a;c=d.createElement("p"
);d=d.getElementsByTagName("head")[0]||d.documentElement;c.innerHTML="
x<style>article,aside,figcaption,figure,footer,header,hgroup,nav
,section{display:block}mark{background:#FF0;color:#000}</style>"
;.c=d.insertBefore(c.lastChild,d.firstChild);b.hasCSS=!!c}g||t(a,b);re
turn a}var k=l.html5||{},s=/^<|^(?:button|map|select|textarea|objec
t|iframe|option|optgroup)$/i,r=/^<|^(?:a|b|button|code|div|fieldset
|form|h1|h2|h3|h4|h5|h6|i|iframe|img|input|label|li|link|ol|option

<<< skipped >>>

GET /wp-content/themes/twentytwelve/css/ie.css?ver=20121010 HTTP/1.1
Accept: */*
Referer: hXXp://neeao.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: neeao.com
Connection: Keep-Alive
Cookie: PHPSESSID=kmmrh2tflq6od56ce2p5qsr1i1


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Aug 2015 00:57:14 GMT
Content-Type: text/css
Content-Length: 4781
Last-Modified: Mon, 07 Oct 2013 16:42:08 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "5252e460-12ad"
Expires: Thu, 27 Aug 2015 12:57:14 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
/*.Styles for older IE versions (previous to IE9)..*/..body {..backgro
und-color: #e6e6e6;.}.body.custom-background-empty {..background-color
: #fff;.}.body.custom-background-empty .site,.body.custom-background-w
hite .site {..box-shadow: none;..margin-bottom: 0;..margin-top: 0;..pa
dding: 0;.}..assistive-text,..site .screen-reader-text {..clip: rect(1
px 1px 1px 1px); /* IE7 */.}..full-width .site-content {..float: none;
..width: 100%;.}.img.size-full,.img.size-large,.img.header-image,.img.
wp-post-image,.img[class*="align"],.img[class*="wp-image-"],.img[class
*="attachment-"] {..width: auto; /* Prevent stretching of full-size an
d large-size images with height and width attributes in IE8 */.}..auth
or-avatar {..float: left;..margin-top: 8px;..margin-top: 0.571428571re
m;.}..author-description {..float: right;..width: 80%;.}..site {..box-
shadow: 0 2px 6px rgba(100, 100, 100, 0.3);..margin: 48px auto;..max-w
idth: 960px;..overflow: hidden;..padding: 0 40px;.}..site-content {..f
loat: left;..width: 65.104166667%;.}.body.template-front-page .site-co
ntent,.body.attachment .site-content,.body.full-width .site-content {.
.width: 100%;.}..widget-area {..float: right;..width: 26.041666667%;.}
..site-header h1,..site-header h2 {..text-align: left;.}..site-header
h1 {..font-size: 26px;..line-height: 1.846153846;.}..main-navigation u
l.nav-menu,..main-navigation div.nav-menu > ul {..border-bottom: 1p
x solid #ededed;..border-top: 1px solid #ededed;..display: inline-bloc
k !important;..text-align: left;..width: 100%;.}..main-navigation

<<< skipped >>>

GET /wp-content/themes/twentytwelve/js/navigation.js?ver=1.0 HTTP/1.1
Accept: */*
Referer: hXXp://neeao.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: neeao.com
Connection: Keep-Alive
Cookie: PHPSESSID=kmmrh2tflq6od56ce2p5qsr1i1; Hm_lvt_19c9dab3ab926f7f84b51ac9a3d72f37=1440637032; Hm_lpvt_19c9dab3ab926f7f84b51ac9a3d72f37=1440637032


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 Aug 2015 00:57:17 GMT
Content-Type: application/javascript
Content-Length: 863
Last-Modified: Wed, 14 Nov 2012 20:21:00 GMT
Connection: keep-alive
ETag: "50a3fd2c-35f"
Expires: Thu, 27 Aug 2015 12:57:17 GMT
Cache-Control: max-age=43200
Accept-Ranges: bytes
/**
 * navigation.js
 *
 * Handles toggling the navigation menu for small screens.
 */
( function() {
	var nav = document.getElementById( 'site-navigation' ), button, menu;
	if ( ! nav )
		return;

	button = nav.getElementsByTagName( 'h3' )[0];
	menu   = nav.getElementsByTagName( 'ul' )[0];
	if ( ! button )
		return;

	// Hide button if menu is missing or empty
	if ( ! menu || ! menu.childNodes.length ) {
		button.style.display = 'none';
		return;
	}

	button.onclick = function() {
		if ( -1 == menu.className.indexOf( 'nav-menu' ) )
			menu.className = 'nav-menu';

		if ( -1 != button.className.indexOf( 'toggled-on' ) ) {
			button.className = button.className.replace( ' toggled-on', '' );
			menu.className = menu.className.replace( ' toggled-on', '' );
		} else {
			button.className += ' toggled-on';
			menu.className += ' toggled-on';
		}
	};
} )();

<<< skipped >>>

GET /css?family=Open Sans:400italic,700italic,400,700&subset=latin,latin-ext HTTP/1.1
Accept: */*
Referer: hXXp://neeao.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: fonts.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Expires: Thu, 27 Aug 2015 00:57:14 GMT
Date: Thu, 27 Aug 2015 00:57:14 GMT
Cache-Control: private, max-age=86400
Content-Length: 186
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
@font-face {
  font-family: 'Open Sans';
  font-style: normal;
  font-weight: 400;
  src: url(hXXp://fonts.gstatic.com/s/opensans/v13/u-WUoqrET9fUeobQW7jkRfY6323mHUZFJMgTvxaG2iE.eot);
}


The Trojan connects to the servers at the following location(s):

badboy.exe_140:

KERNEL32.DLL
kernel32.dll
Kernel32.dll
ntdll.dll
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
Ravmon.EXE
Ravmond.EXE
.idata
.edata
P.reloc
P.rsrc
127.0.0.1
<[email protected]>
Message-Id: <[email protected]>
<[email protected]>
auth LOGIN
HTTP://
HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
software\microsoft\windows
zhengtu.dat
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
UnhookWindowsHookEx
SetWindowsHookExA
wsock32.dll
ztDLL.dll
KWindows
USER32.DLL
ADVAPI32.DLL
GetWindowsDirectoryA
.tB4:
H%D\Kx~

badboy.exe_140_rwx_00401000_0001A000:

kernel32.dll
Kernel32.dll
ntdll.dll
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
Ravmon.EXE
Ravmond.EXE
.idata
.edata
P.reloc
P.rsrc
127.0.0.1
<[email protected]>
Message-Id: <[email protected]>
<[email protected]>
auth LOGIN
HTTP://
HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
software\microsoft\windows
zhengtu.dat
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
UnhookWindowsHookEx
SetWindowsHookExA
wsock32.dll
ztDLL.dll
KWindows
KERNEL32.DLL
USER32.DLL
ADVAPI32.DLL
GetWindowsDirectoryA

2.exe_1992:

.text
`.rdata
@.data
.ecode
.rsrc
user32.dll
KERNEL32.dll
USER32.dll
GetCPInfo
krnln.fne
krnln.fnr
1.1.3
%System%\2.exe
hXXp://30434.q-zone.qq.com
hXXp://neeao.com
hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
hXXp://VVV.kuaigan8.com
hXXp://VVV.pptu8.com
VVV.530mo.com
hXXp://17bs.com/ip.htm8

2.exe_1992_rwx_0040A000_00001000:

hXXp://30434.q-zone.qq.com
hXXp://neeao.com
hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
hXXp://VVV.kuaigan8.com
hXXp://VVV.pptu8.com
VVV.530mo.com
hXXp://17bs.com/ip.htm8
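The string listings above are the most useful part of this automated report: badboy.exe carries the process names of several Chinese security products (EGHOST.EXE, MAILMON.EXE, KAVPFW.EXE, Ravmon.EXE, Ravmond.EXE) together with SMTP fragments such as "auth LOGIN", and 2.exe carries the defanged URLs it drives IEXPLORE.EXE to. The script below is an added example, not part of the Lavasoft report or the sample, that parses this "Strings from Dumps" format (headers of the form image_pid: and image_pid_rwx_base_size:), refangs the report's hXXp:// and VVV. notation, and groups indicators per process so the rwx-region entries merge with their parent process. The region-header regex, the TLD allow-list for bare host names and the SMTP marker list are assumptions of this example; the AV process names are taken from the badboy.exe dump, and the sample input is an excerpt copied from the listings above.

```python
"""Added example: pull indicators out of a 'Strings from Dumps' listing.
Not part of the Lavasoft report; it only parses the listing format shown above."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Region headers: "image_pid:" or "image_pid_rwx_base_size:"; other lines are dumped strings.
REGION_RE = re.compile(
    r"^(?P<image>.+?)_(?P<pid>\d+)"
    r"(?:_rwx_(?P<base>[0-9A-Fa-f]{8})_(?P<size>[0-9A-Fa-f]{8}))?:$"
)
URL_RE = re.compile(r"(?i)https?://[^\s\"'<>]+")
# Bare hosts such as VVV.530mo.com; the TLD allow-list is an assumption kept short so
# DLL and .dat names in the same dump are not mistaken for hosts.
BARE_HOST_RE = re.compile(r"(?i)^(?:[a-z0-9-]+\.)+(?:com|net|org|cn)$")
# Security-product process names carried by the badboy.exe dump above.
AV_PROCESS_NAMES = {"EGHOST.EXE", "MAILMON.EXE", "KAVPFW.EXE", "RAVMON.EXE", "RAVMOND.EXE"}
# Fragments that only a built-in SMTP client needs (the EmailWorm verdict).
SMTP_MARKERS = ("auth LOGIN", "Message-Id:", "MAIL FROM", "RCPT TO")


def refang(s):
    """Undo the report's defanging: hXXp -> http, VVV. -> www."""
    s = re.sub(r"(?i)\bhxxp", "http", s)
    return re.sub(r"\bVVV\.", "www.", s)


@dataclass
class ProcessIOCs:
    regions: list = field(default_factory=list)   # "main" or the rwx base address
    urls: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    av_targets: set = field(default_factory=set)
    smtp_markers: set = field(default_factory=set)


def parse_strings_dump(text):
    """Return {(image, pid): ProcessIOCs}; rwx regions merge into their process."""
    results = defaultdict(ProcessIOCs)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REGION_RE.match(line)
        if m:
            current = (m["image"], int(m["pid"]))
            results[current].regions.append(m["base"] or "main")
            continue
        if current is None:
            continue  # strings before the first header have no owner
        iocs = results[current]
        clean = refang(line)
        urls = URL_RE.findall(clean)
        for url in urls:
            iocs.urls.add(url)
            host = urlparse(url).hostname
            if host:
                iocs.hosts.add(host.lower())
        if not urls and BARE_HOST_RE.match(clean):
            iocs.hosts.add(clean.lower())
        if line.upper() in AV_PROCESS_NAMES:
            iocs.av_targets.add(line.upper())
        for marker in SMTP_MARKERS:
            if marker.lower() in line.lower():
                iocs.smtp_markers.add(marker)
    return dict(results)


# Excerpt copied from the badboy.exe_140 and 2.exe_1992 listings above.
SAMPLE = r"""
badboy.exe_140:
EGHOST.EXE
MAILMON.EXE
KAVPFW.EXE
Ravmon.EXE
Ravmond.EXE
127.0.0.1
auth LOGIN
zhengtu.dat

2.exe_1992:
%System%\2.exe
hXXp://30434.q-zone.qq.com
hXXp://neeao.com
hXXp://u15.qzone.qq.com/cgi-bin/cgi_client_entry.cgi?uin=5454443
hXXp://VVV.kuaigan8.com
hXXp://VVV.pptu8.com
VVV.530mo.com
hXXp://17bs.com/ip.htm8

2.exe_1992_rwx_0040A000_00001000:
hXXp://30434.q-zone.qq.com
"""

if __name__ == "__main__":
    for (image, pid), iocs in parse_strings_dump(SAMPLE).items():
        print(f"{image}:{pid} regions={iocs.regions} hosts={sorted(iocs.hosts)}")
        print("  av kill-list:", sorted(iocs.av_targets), "smtp:", sorted(iocs.smtp_markers))
```

Run it on the full listing and the per-process split makes the division of labour visible at once: the host list belongs to 2.exe (the component that drives IEXPLORE.EXE), while the security-product names and the SMTP fragments belong to badboy.exe. Strings such as zhengtu.dat and 127.0.0.1 are deliberately left out of the host set, which is why the bare-host check is restricted to a few TLDs rather than accepting anything with a dot in it.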

IEXPLORE.EXE_380:

`.reloc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
Uh.RA
Uh.WA
%s_%d
EInvalidGraphicOperation
UhwEB
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
OnKeyDown4 C
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview|RD
WindowState
OnMouseUp8%C
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
ntdll.dll
advapi32.dll
Port
UDPSockError
TMYNMUDP
MYNMUDP
RemotePort<
LocalPort<
ReportLevel
0.0.0.0
%d.%d.%d.%d
Video.avi
Image.bmp
thread_func()[id=%.8x] - exception "%s"
unaMsAcmDriver
unaMsAcmDeviceHeader
function isn't supported
invalid flag passed
invalid parameter passed
registry key not found
unavclPipeDataEvent
unavclInOutPipe
unavclInOutWavePipe
iphlpapi.dll
20050101
getservbyport
WSAAsyncGetServByPort
WSAJoinLeaf
WS2_32.DLL
TIdSocketListWindows
TIdStackWindowsU
IdStackWindows
1.0.4
HttpSocket
HttpSocketRead
HttpSocketError
HttpSocketDisconnect
HttpSocketConnect
SOFTWARE\Microsoft\Windows\CurrentVersion\Setup
SoftWare\Microsoft\Windows\CurrentVersion\Run
%d-%.2d-%.2d %.2d:%2.d:%.2d
hXXp://
1.1.1.1
2.2.2.2
1.1.1.3
*.dat
!#%$^&!#%!&*!
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
Telnet [ip] [port]
:\Program Files\Internet Explorer\IEXPLORE.EXE
DNSAPI.DLL
NETAPI32.DLL
SVRAPI.DLL
Uh.JH
\SOFTWARE\Microsoft\Windows\CurrentVersion
\SOFTWARE\Microsoft\Windows NT\CurrentVersion
productkey
%s %d.%d (%d.%s)
%f MHz
: IExplore.exe
: Explorer.exe
%d---- -:-:-
PSAPI.DLL
(The key is too long to be read.)
Software\Microsoft\Windows\CurrentVersion\Policies\WinOldApp
Delete.bat
THttpProxy
HttpProxy
GET HTTP://
HTTP/1.0 200 Connected OK
IEXPLORE.EXE
3; #>6.&
', 2/ 07&!4-)1#
deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
)%%%$$&&$%&)
)%%%$$&&$''&&
38000=344
>>^%FVl
KWindows
.ScktComp
UrlMon
IdTCPConnection
IdTCPStream
IdTCPClient
IMYNMUDP
\RUNExeMemUnit
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Icon.Data
DeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdInterlockedDecrementInterlockedIncrementVirtualQueryWideCharToMultiByteSetCurrentDirectoryAMultiByteToWideCharlstrlenAlstrcpynALoadLibraryExAGetThreadLocaleGetStartupInfoAGetProcAddressGetModuleHandleAGetModuleFileNameAGetLocaleInfoAGetLastErrorGetCurrentDirectoryAGetCommandLineAFreeLibraryFindFirstFileAFindCloseExitProcessExitThreadCreateThreadWriteFileUnhandledExceptionFilterSetFilePointerSetEndOfFileRtlUnwindReadFileRaiseExceptionGetStdHandleGetFileSizeGetFileTypeCreateFileACloseHandleGetKeyboardTypeLoadStringAMessageBoxACharNextARegQueryValueExARegOpenKeyExARegCloseKeySysFreeStringSysReAllocStringLenSysAllocStringLenTlsSetValueTlsGetValueLocalAllocGetModuleHandleARegSetValueExARegQueryValueExARegQueryInfoKeyARegOpenKeyExARegFlushKeyRegEnumValueARegEnumKeyExARegDeleteValueARegDeleteKeyARegCreateKeyExARegCloseKeyOpenProcessTokenLookupPrivilegeValueAAdjustTokenPrivilegeslstrcpyWlstrcpyAlstrcmpiAWriteProcessMemoryWriteFileWinExecWideCharToMultiByteWaitForSingleObjectVirtualQueryExVirtualQueryVirtualProtectExVirtualAllocExVirtualAllocUnmapViewOfFileTerminateProcessSuspendThreadSleepSizeofResourceSetThreadPrioritySetThreadLocaleSetThreadContextSetPriorityClassSetNamedPipeHandleStateSetFilePointerSetFileAttributesASetEventSetErrorModeSetEndOfFileResumeThreadResetEventRemoveDirectoryAReadProcessMemoryReadFileQueryPerformanceFrequencyQueryPerformanceCounterPeekNamedPipeOutputDebugStringAOpenProcessMulDivMoveFileAMapViewOfFileLockResourceLocalFreeLoadResourceLoadLibraryALeaveCriticalSectionInitializeCriticalSectionGlobalUnlockGlobalReAllocGlobalMemoryStatusGlobalHandleGlobalLockGlobalFreeGlobalFindAtomAGlobalDeleteAtomGlobalAllocGlobalAddAtomAGetWindowsDirectoryAGetVersionExWGetVersionExAGetVersionGetTimeFormatAGetTickCountGetThreadPriorityGetThreadLocaleGetThreadContextGetTempPathAGe
tSystemTimeGetSystemInfoGetStringTypeExAGetStdHandleGetStartupInfoAGetProcAddressGetPriorityClassGetOverlappedResultGetModuleHandleAGetModuleFileNameAGetLocaleInfoAGetLocalTimeGetLastErrorGetFullPathNameAGetFileSizeGetFileAttributesExAGetFileAttributesAGetExitCodeThreadGetExitCodeProcessGetDriveTypeAGetDiskFreeSpaceAGetDateFormatAGetCurrentThreadIdGetCurrentThreadGetCurrentProcessIdGetCurrentProcessGetComputerNameAGetCommandLineAGetCPInfoGetACPFreeResourceInterlockedIncrementInterlockedExchangeInterlockedDecrementFreeLibraryFormatMessageAFindResourceAFindNextFileAFindFirstFileAFindCloseFileTimeToSystemTimeFileTimeToLocalFileTimeFileTimeToDosDateTimeExpandEnvironmentStringsAExitProcessEnumCalendarInfoAEnterCriticalSectionDeleteFileADeleteCriticalSectionCreateThreadCreateProcessACreatePipeCreateMutexACreateFileACreateEventACreateDirectoryACopyFileACompareStringACloseHandleWNetOpenEnumAWNetGetUserAWNetEnumResourceAWNetCloseEnumVerQueryValueAGetFileVersionInfoSizeAGetFileVersionInfoAUnrealizeObjectStretchBltSetWindowOrgExSetWinMetaFileBitsSetViewportOrgExSetTextColorSetStretchBltModeSetROP2SetPixelSetEnhMetaFileBitsSetDIBColorTableSetBrushOrgExSetBkModeSetBkColorSelectPaletteSelectObjectSaveDCRestoreDCRectangleRectVisibleRealizePalettePolylinePlayEnhMetaFilePatBltMoveToExMaskBltLineToIntersectClipRectGetWindowOrgExGetWinMetaFileBitsGetTextMetricsAGetTextExtentPointAGetTextExtentPoint32AGetSystemPaletteEntriesGetStockObjectGetPixelGetPaletteEntriesGetObjectAGetEnhMetaFilePaletteEntriesGetEnhMetaFileHeaderGetEnhMetaFileBitsGetDeviceCapsGetDIBitsGetDIBColorTableGetDCOrgExGetCurrentPositionExGetClipBoxGetBrushOrgExGetBitmapBitsExcludeClipRectDeleteObjectDeleteEnhMetaFileDeleteDCCreateSolidBrushCreatePenIndirectCreatePaletteCreateHalftonePaletteCreateFontIndirectACreateDIBitmapCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapCreateBrushIndirectCreateBitmapCopyEnhMetaFileABitBltCreateWindowExAmouse_eventkeybd_eventWindowFromPointWinHelpAWaitMessageVkKeyScanAUpdateWindo
wUnregisterClassAUnhookWindowsHookExTranslateMessageTranslateMDISysAccelTrackPopupMenuSystemParametersInfoAShowWindowShowScrollBarShowOwnedPopupsShowCursorSetWindowsHookExASetWindowPosSetWindowPlacementSetWindowLongASetTimerSetThreadDesktopSetScrollRangeSetScrollPosSetScrollInfoSetRectSetPropASetParentSetMenuItemInfoASetMenuSetForegroundWindowSetFocusSetCursorPosSetCursorSetClipboardDataSetClassLongASetCaptureSetActiveWindowSendMessageAScrollWindowScreenToClientRemovePropARemoveMenuReleaseDCReleaseCaptureRegisterWindowMessageARegisterClipboardFormatARegisterClassARedrawWindowPtInRectPostQuitMessagePostMessageAPeekMessageAOpenInputDesktopOpenDesktopAOpenClipboardOffsetRectOemToCharAMsgWaitForMultipleObjectsMessageBoxAMessageBeepMapWindowPointsMapVirtualKeyALoadStringALoadKeyboardLayoutALoadIconALoadCursorALoadBitmapAKillTimerIsZoomedIsWindowVisibleIsWindowEnabledIsWindowIsRectEmptyIsIconicIsDialogMessageAIsClipboardFormatAvailableIsChildInvalidateRectIntersectRectInsertMenuItemAInsertMenuAInflateRectGetWindowThreadProcessIdGetWindowTextAGetWindowRectGetWindowPlacementGetWindowLongAGetWindowDCGetUserObjectInformationAGetTopWindowGetSystemMetricsGetSystemMenuGetSysColorBrushGetSysColorGetSubMenuGetScrollRangeGetScrollPosGetScrollInfoGetPropAGetParentGetWindowGetMenuStringAGetMenuStateGetMenuItemInfoAGetMenuItemIDGetMenuItemCountGetMenuGetLastActivePopupGetKeyboardStateGetKeyboardLayoutListGetKeyboardLayoutGetKeyStateGetKeyNameTextAGetIconInfoGetForegroundWindowGetFocusGetDesktopWindowGetDCExGetDCGetCursorPosGetCursorGetClipboardDataGetClientRectGetClassNameAGetClassInfoAGetCaptureGetActiveWindowFrameRectFindWindowAFillRectExitWindowsExEqualRectEnumWindowsEnumThreadWindowsEnumClipboardFormatsEndPaintEnableWindowEnableScrollBarEnableMenuItemEmptyClipboardDrawTextADrawMenuBarDrawIconExDrawIconDrawFrameControlDrawEdgeDispatchMessageADestroyWindowDestroyMenuDestroyIconDestroyCursorDeleteMenuDefWindowProcADefMDIChildProcADefFrameProcACreatePopupMenuCreateMenuCreateIconCloseD
esktopCloseClipboardClientToScreenCheckMenuItemCallWindowProcACallNextHookExBeginPaintCharNextACharLowerBuffACharLowerACharUpperBuffACharToOemAAdjustWindowRectExActivateKeyboardLayoutSleepSafeArrayPtrOfIndexSafeArrayGetUBoundSafeArrayGetLBoundSafeArrayCreateVariantChangeTypeVariantCopyVariantClearVariantInitImageList_SetIconSizeImageList_GetIconSizeImageList_WriteImageList_ReadImageList_GetDragImageImageList_DragShowNolockImageList_SetDragCursorImageImageList_DragMoveImageList_DragLeaveImageList_DragEnterImageList_EndDragImageList_BeginDragImageList_RemoveImageList_DrawExImageList_DrawImageList_GetBkColorImageList_SetBkColorImageList_ReplaceIconImageList_AddImageList_GetImageCountImageList_DestroyImageList_CreateShell_NotifyIconAShellExecuteAInternetReadFileInternetOpenUrlAInternetOpenAInternetCloseHandleHttpQueryInfoAStartServiceAStartServiceCtrlDispatcherASetServiceStatusRegisterServiceCtrlHandlerAQueryServiceStatusQueryServiceConfigAOpenServiceAOpenSCManagerAGetServiceKeyNameAEnumServicesStatusADeleteServiceCreateServiceAControlServiceCloseServiceHandleChangeServiceConfigAWSACleanupWSAStartupWSAGetLastErrorWSACancelAsyncRequestWSAAsyncGetServByNameWSAAsyncGetHostByNameWSAAsyncSelectgethostnamegetservbynamegethostbynamesocketsetsockoptsendtosendselectrecvfromrecvntohslistenioctlsocketinet_ntoainet_addrhtonsgetsockoptgetsocknamegetpeernameconnectclosesocketbindacceptCheckSumMappedFilewaveOutWritewaveOutUnprepareHeaderwaveOutResetwaveOutPrepareHeaderwaveOutOpenwaveOutGetPositionwaveOutGetErrorTextAwaveOutGetDevCapsWwaveOutGetDevCapsAwaveOutClosewaveInUnprepareHeaderwaveInStopwaveInStartwaveInResetwaveInPrepareHeaderwaveInOpenwaveInGetPositionwaveInGetErrorTextAwaveInGetDevCapsWwaveInGetDevCapsAwaveInClosewaveInAddBufferSendDriverMessageOpenDriverCloseDrivercapCreateCaptureWindowAcapGetDriverDescriptionAacmFormatChooseAacmFormatEnumAacmFormatTagEnumAacmDriverDetailsWacmDriverDetailsAacmDriverMessageacmDriverCloseacmDriverOpenacmDriverEnumacmMetricsacmGetVersionWSAIoc
tlgethostnamegethostbynameinet_ntoaSetSecurityInfoGetSecurityInfoSetEntriesInAclAcapGetDriverDescriptionA
KERNEL32.DLL
ADVAPI32.DLL
OLEAUT32.DLL
MPR.DLL
VERSION.DLL
GDI32.DLL
COMCTL32.DLL
SHELL32.DLL
WININET.DLL
WSOCK32.DLL
IMAGEHLP.DLL
WINMM.DLL
AVICAP32.DLL
MSACM32.DLL
\O%s?
H?.Sr
_>.WM
g%uX>
.WZ9?
6U.nWp
f%s1|
v'.wN
U%8XU
%XGmX
.Bh[#
4%s@J
ñdI
V.nKPR
W.tKTn
.LN@iP
.uQo4RK
port
remotePort
Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.
Invalid stream operation
Protocol not supported.
Socket type not supported."Operation not supported on socket.
Protocol family not supported.0Address family not supported by protocol family.
%s is not a valid service.
Socket Error # %d
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
No help keyword specified. Module doesn't support streaming
Invalid Windows Image#Index exceeds data dictionary count/Unsupported non-integer language ID in resource
Set Size Exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Invalid clipboard format Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Thread creation error: %s
Thread Error: %s (%d)*Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
%s error %d, %s
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Operation aborted(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation

IEXPLORE.EXE_380_rwx_00400000_00001000:

`.reloc

IEXPLORE.EXE_380_rwx_0048C000_00061000:

3; #>6.&
', 2/ 07&!4-)1#
deflate 1.0.4 Copyright 1995-1996 Jean-loup Gailly
1.0.4
)%%%$$&&$%&)
)%%%$$&&$''&&
38000=344
>>^%FVl
KWindows
.ScktComp
UrlMon
IdStackWindows
IdTCPConnection
IdTCPStream
IdTCPClient
IMYNMUDP
HttpProxy
\RUNExeMemUnit
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Icon.Data
HttpSocket
Port
HttpSocketConnect
HttpSocketDisconnect
HttpSocketRead
HttpSocketError
DeleteCriticalSectionLeaveCriticalSectionEnterCriticalSectionInitializeCriticalSectionVirtualFreeVirtualAllocLocalFreeLocalAllocGetTickCountQueryPerformanceCounterGetVersionGetCurrentThreadIdInterlockedDecrementInterlockedIncrementVirtualQueryWideCharToMultiByteSetCurrentDirectoryAMultiByteToWideCharlstrlenAlstrcpynALoadLibraryExAGetThreadLocaleGetStartupInfoAGetProcAddressGetModuleHandleAGetModuleFileNameAGetLocaleInfoAGetLastErrorGetCurrentDirectoryAGetCommandLineAFreeLibraryFindFirstFileAFindCloseExitProcessExitThreadCreateThreadWriteFileUnhandledExceptionFilterSetFilePointerSetEndOfFileRtlUnwindReadFileRaiseExceptionGetStdHandleGetFileSizeGetFileTypeCreateFileACloseHandleGetKeyboardTypeLoadStringAMessageBoxACharNextARegQueryValueExARegOpenKeyExARegCloseKeySysFreeStringSysReAllocStringLenSysAllocStringLenTlsSetValueTlsGetValueLocalAllocGetModuleHandleARegSetValueExARegQueryValueExARegQueryInfoKeyARegOpenKeyExARegFlushKeyRegEnumValueARegEnumKeyExARegDeleteValueARegDeleteKeyARegCreateKeyExARegCloseKeyOpenProcessTokenLookupPrivilegeValueAAdjustTokenPrivilegeslstrcpyWlstrcpyAlstrcmpiAWriteProcessMemoryWriteFileWinExecWideCharToMultiByteWaitForSingleObjectVirtualQueryExVirtualQueryVirtualProtectExVirtualAllocExVirtualAllocUnmapViewOfFileTerminateProcessSuspendThreadSleepSizeofResourceSetThreadPrioritySetThreadLocaleSetThreadContextSetPriorityClassSetNamedPipeHandleStateSetFilePointerSetFileAttributesASetEventSetErrorModeSetEndOfFileResumeThreadResetEventRemoveDirectoryAReadProcessMemoryReadFileQueryPerformanceFrequencyQueryPerformanceCounterPeekNamedPipeOutputDebugStringAOpenProcessMulDivMoveFileAMapViewOfFileLockResourceLocalFreeLoadResourceLoadLibraryALeaveCriticalSectionInitializeCriticalSectionGlobalUnlockGlobalReAllocGlobalMemoryStatusGlobalHandleGlobalLockGlobalFreeGlobalFindAtomAGlobalDeleteAtomGlobalAllocGlobalAddAtomAGetWindowsDirectoryAGetVersionExWGetVersionExAGetVersionGetTimeFormatAGetTickCountGetThreadPriorityGetThreadLocaleGetThreadContextGetTempPathAGe
tSystemTimeGetSystemInfoGetStringTypeExAGetStdHandleGetStartupInfoAGetProcAddressGetPriorityClassGetOverlappedResultGetModuleHandleAGetModuleFileNameAGetLocaleInfoAGetLocalTimeGetLastErrorGetFullPathNameAGetFileSizeGetFileAttributesExAGetFileAttributesAGetExitCodeThreadGetExitCodeProcessGetDriveTypeAGetDiskFreeSpaceAGetDateFormatAGetCurrentThreadIdGetCurrentThreadGetCurrentProcessIdGetCurrentProcessGetComputerNameAGetCommandLineAGetCPInfoGetACPFreeResourceInterlockedIncrementInterlockedExchangeInterlockedDecrementFreeLibraryFormatMessageAFindResourceAFindNextFileAFindFirstFileAFindCloseFileTimeToSystemTimeFileTimeToLocalFileTimeFileTimeToDosDateTimeExpandEnvironmentStringsAExitProcessEnumCalendarInfoAEnterCriticalSectionDeleteFileADeleteCriticalSectionCreateThreadCreateProcessACreatePipeCreateMutexACreateFileACreateEventACreateDirectoryACopyFileACompareStringACloseHandleWNetOpenEnumAWNetGetUserAWNetEnumResourceAWNetCloseEnumVerQueryValueAGetFileVersionInfoSizeAGetFileVersionInfoAUnrealizeObjectStretchBltSetWindowOrgExSetWinMetaFileBitsSetViewportOrgExSetTextColorSetStretchBltModeSetROP2SetPixelSetEnhMetaFileBitsSetDIBColorTableSetBrushOrgExSetBkModeSetBkColorSelectPaletteSelectObjectSaveDCRestoreDCRectangleRectVisibleRealizePalettePolylinePlayEnhMetaFilePatBltMoveToExMaskBltLineToIntersectClipRectGetWindowOrgExGetWinMetaFileBitsGetTextMetricsAGetTextExtentPointAGetTextExtentPoint32AGetSystemPaletteEntriesGetStockObjectGetPixelGetPaletteEntriesGetObjectAGetEnhMetaFilePaletteEntriesGetEnhMetaFileHeaderGetEnhMetaFileBitsGetDeviceCapsGetDIBitsGetDIBColorTableGetDCOrgExGetCurrentPositionExGetClipBoxGetBrushOrgExGetBitmapBitsExcludeClipRectDeleteObjectDeleteEnhMetaFileDeleteDCCreateSolidBrushCreatePenIndirectCreatePaletteCreateHalftonePaletteCreateFontIndirectACreateDIBitmapCreateDIBSectionCreateCompatibleDCCreateCompatibleBitmapCreateBrushIndirectCreateBitmapCopyEnhMetaFileABitBltCreateWindowExAmouse_eventkeybd_eventWindowFromPointWinHelpAWaitMessageVkKeyScanAUpdateWindo
KERNEL32.DLL
USER32.DLL
ADVAPI32.DLL
OLEAUT32.DLL
MPR.DLL
VERSION.DLL
GDI32.DLL
COMCTL32.DLL
SHELL32.DLL
WININET.DLL
WSOCK32.DLL
IMAGEHLP.DLL
WINMM.DLL
AVICAP32.DLL
MSACM32.DLL
WS2_32.DLL
Socket is not connected.
Cannot send or receive after socket is closed.
Too many references, cannot splice.
Invalid stream operation
Protocol not supported.
Socket type not supported.
Operation not supported on socket.
Protocol family not supported.
Address family not supported by protocol family.
%s is not a valid service.
Socket Error # %d
Operation would block.
Operation now in progress.
Operation already in progress.
Socket operation on non-socket.
No help keyword specified.
Module doesn't support streaming
Invalid Windows Image
Index exceeds data dictionary count
Unsupported non-integer language ID in resource
Set Size Exceeded.
Error on call Winsock2 library function %s
Error on loading Winsock2 library (%s)
Resolving hostname %s.
Connecting to %s.
No help found for %s
No context-sensitive help installed
No topic-based help system installed
Invalid clipboard format
Clipboard does not support Icons
Cannot open clipboard
Menu '%s' is already being used by another form
Unsupported clipboard format
Error creating window class
Cannot focus a disabled or invisible window
Control '%s' has no parent window
Thread creation error: %s
Thread Error: %s (%d)
Windows socket error: %s (%d), on API '%s'
Asynchronous socket error %d
%s error %d, %s
List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented
Operation not allowed on sorted list
%s not in a class registration group
Property %s does not exist
Cannot assign a %s to a %s
Bits index out of range
Can't write to a read-only resource stream
CheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists
List does not allow duplicates ($0%x)
A component named %s already exists
String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format
''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
Interface not supported
%s (%s, line %d)
Abstract Error
Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation
Invalid variant operation (%s%.8x)
%s
Could not convert variant of type (%s) into type (%s)
Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Invalid pointer operation
Invalid class typecast
Access violation at address %p. %s of address %p
Operation aborted
Exception %s in module %s at %p.
Application Error
Format '%s' invalid or incompatible with argument
No argument for format '%s'
Variant method calls not supported
'%s' is not a valid integer value
I/O error %d
Integer overflow
Invalid floating point operation


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    heng1.exe:1392
    %original file name%.exe:464
    2s.exe:1988
    Srer:956

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Srer (1281 bytes)
    %WinDir%\Delete.bat (104 bytes)
    %System%\2s.exe (3778 bytes)
    %System%\heng1.exe (258 bytes)
    %System%\ztdll.dll (35 bytes)
    %Program Files%\svhost32.exe (24 bytes)
    %System%\2.exe (3732 bytes)
    %System%\badboy.exe (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\cgi_client_entry[1].htm (879 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\h[1].js (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\krnln.fnr (5442 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\stat[1].js (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\E_4\HtmlView.fne (229 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bg_corner[1].png (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\navigation[1].js (863 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\bg_page[1].png (392 bytes)
    %Documents and Settings%\%current user%\UserData\2Z89WTQV\neeao[1].xml (266 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\upfile_2568273_1436523556[1].jpg (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\upfile_1415940_1436968214[1].jpg (7784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\upfile_3165952_1436968159[1].jpg (1928 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\txt_title.ie6[1].png (6 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@qq[1].txt (139 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\html5[1].js (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\css[1].css (186 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@neeao[1].txt (175 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\logo_baobeihuijia[1].png (3 bytes)
    %Documents and Settings%\%current user%\Cookies\[email protected][1].txt (164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\data[1].js (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\u-WUoqrET9fUeobQW7jkRfY6323mHUZFJMgTvxaG2iE[1].eot (1386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\logo_tencentvolunteers[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\h[2].js (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\search_children[1].js (295 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\upfile_6284563_1436686486[1].jpg (3656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\404style[1].css (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\upfile_4270811_1436692558[1].jpg (10747 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (2892 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\page[1].js (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\upfile_2835045_1438133394[1].jpg (10286 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
