Gen.Variant.Graftor.175590_1e17b2e9f0

by malwarelabrobot on April 16th, 2015 in Malware Descriptions.

Gen:Variant.Graftor.175590 (B) (Emsisoft), Gen:Variant.Graftor.175590 (AdAware), TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 1e17b2e9f0ae5777b274bd60bad96829
SHA1: df7595b50c0b251d30977013c1b9c7baaadcdd6b
SHA256: d10706b8ea9f0b07725d2b84ede7eb3d3b9300dee60fbc0add90c7a6eb5ed6d2
SSDeep: 49152:PuGHK7RZUbQhvUT5hC9i PAGPLBEHpgkT ch5x/aMEX:1ShsT5hki AGPLBEHphT/h5Mb
Size: 1692160 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-03-22 08:57:50
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

yybox.exe:1304
%original file name%.exe:636

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process yybox.exe:1304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3879[1] (567 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loading[1].swf (9541 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yy[2].txt (334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\loading[1].swf (430 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].bmp (154233 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yystatic[1].txt (189 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].htm (260 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yystatic[2].txt (361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\main[1].swf (388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3879[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3879[1].swf&_=46553400 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\main[1].swf (1967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[2].htm (260 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (4240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3879[1].swf&_=46553400 (693 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yy[1].txt (179 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3879[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410\index.dat (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yystatic[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014040920140410 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3879[1].swf&_=46553400 (0 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@yy[1].txt (0 bytes)

The process %original file name%.exe:636 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\1e17b2e9f0_881.exe (10815 bytes)
%WinDir%\yybox.exe (1751 bytes)
C:\SkinH_EL.dll (88 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1127734\TemporaryFile (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1127734\TemporaryFile\TemporaryFile (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1127734 (0 bytes)

Registry activity

The process yybox.exe:1304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015041520150416]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015041520150416]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015041520150416\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015041520150416]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015041520150416]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 12 39 A8 AC 79 A3 1E 47 00 53 24 04 05 AB CA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015041520150416]
"CachePrefix" = ":2015041520150416:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

To run itself automatically each time Windows boots, the Trojan adds the following reference to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"yybox" = "%WinDir%\yybox.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014040920140410]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:636 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Multimedia\DrawDib]
"vga.drv 1916x902x32(BGR 0)" = "31,31,31,31"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 3C AF 05 D8 19 51 04 DD 39 32 AD 7A 24 97 C0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies the IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies the IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies the IE security-zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
147127382e001f495d1842ee7a9e7912 c:\SkinH_EL.dll
2c319004ef54d46c26bc7256d2fb8d36 c:\WINDOWS\yybox.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name   Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
UPX0   4096             1253376       0         0        d41d8cd98f00b204e9800998ecf8427e
UPX1   1257472          1687552       1683968   5.41964  3cce881bc5f973217e9387262e2f5ace
.rsrc  2945024          8192          7168      3.6519   6d38bd4929c28a9a7c3258a054798fe5

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY Outdated Windows Flash Version IE

Traffic

GET /r/rc/main/main/1/43/main.swf?type=main&topSid=3879&subSid=2344444135&referer=http://yy.com/s/3879/2344444135/main.swf HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Apr 2015 19:17:23 GMT
Content-Type: application/x-shockwave-flash;charset=UTF-8
Content-Length: 10735
Last-Modified: Wed, 20 Nov 2013 02:27:55 GMT
Expires: Wed, 15 Apr 2015 19:17:23 GMT
Cache-Control: max-age=86400
Age: 22889
Powered-By-ChinaCache: HIT from CNC-YG-2-3gA.12

<<< skipped >>>

GET /r/rc/main/core/1/449/core.bmp HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://c1.web.yy.com/r/rc/main/main/1/43/main.swf?type=main&topSid=3879&subSid=2344444135&referer=http://yy.com/s/3879/234444413
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive
Cookie: __wyy=6b7173887cf74a93b533e7156ed7bb85; hiido_ui=0.7859214506520492; JSESSIONID=yf51tqgtpwbg6uvo1ul0sksg6743s.yf5


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Apr 2015 18:21:26 GMT
Content-Length: 467365
Last-Modified: Fri, 10 Oct 2014 07:34:33 GMT
Expires: Wed, 15 Apr 2015 18:21:26 GMT
Cache-Control: max-age=86400
Age: 26251
Powered-By-ChinaCache: HIT from CNC-YG-2-3gA.12

<<< skipped >>>

GET /r/rc/main/main/1/53/main.swf?type=mini&topSid=3879&subSid=2344444135 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Apr 2015 18:21:17 GMT
Content-Type: application/x-shockwave-flash;charset=UTF-8
Content-Length: 11268
Last-Modified: Tue, 16 Dec 2014 07:37:43 GMT
Expires: Wed, 15 Apr 2015 18:21:17 GMT
Cache-Control: max-age=86400
Age: 26255
Powered-By-ChinaCache: HIT from CNC-YG-2-3gA.12

<<< skipped >>>

GET /r/rc/main/loading/1/7/loading.swf HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://c1.web.yy.com/r/rc/main/main/1/43/main.swf?type=main&topSid=3879&subSid=2344444135&referer=http://yy.com/s/3879/234444413
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yy.com
Connection: Keep-Alive
Cookie: __wyy=6b7173887cf74a93b533e7156ed7bb85; hiido_ui=0.7859214506520492; JSESSIONID=yf51tqgtpwbg6uvo1ul0sksg6743s.yf5


HTTP/1.1 200 OK
Server: nginx
Date: Tue, 14 Apr 2015 18:21:26 GMT
Content-Type: application/x-shockwave-flash;charset=UTF-8
Content-Length: 24647
Last-Modified: Tue, 14 May 2013 03:29:59 GMT
Expires: Wed, 15 Apr 2015 18:21:26 GMT
Cache-Control: max-age=86400
Age: 26249
Powered-By-ChinaCache: HIT from CNC-YG-2-3gA.12

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: weblbs2.yystatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 260
Content-type: text/html
Last-Modified: Tue,14-Oct-14 13:38:57 GMT
<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
  <allow-access-from domain="*" secure="false" to-ports="*" />
</cross-domain-policy>


GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: tming.ys168.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 12114
Content-Type: text/html; charset=gb2312
Expires: -1
Set-Cookie: ASP.NET_SessionId=kd1t2hu5kduqvoxqxxezo0hg; path=/; HttpOnly
Server: IIS
X-AspNet-Version: 0
X-Powered-By: WAF/2.0
Date: Wed, 15 Apr 2015 01:37:47 GMT

<<< skipped >>>

GET /r/rc/mini/loading/1/17/loading.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: hXXp://c1.web.yy.com/r/rc/main/main/1/53/main.swf?type=mini&topSid=3879&subSid=2344444135
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c1.web.yystatic.com
Connection: Keep-Alive
Cookie: wyy=067963e65c3947d6beb354e4af8274f5; hiido_ui=0.105668953203442


HTTP/1.1 200 OK
Content-Type: application/x-shockwave-flash;charset=UTF-8
Content-Length: 13707
Server: nginx
Date: Tue, 14 Apr 2015 18:09:29 GMT
Last-Modified: Mon, 29 Dec 2014 09:49:20 GMT
Expires: Wed, 15 Apr 2015 18:09:29 GMT
Cache-Control: max-age=86400
Age: 26969
Powered-By-ChinaCache: HIT from CNC-TI-2-3gF.7

<<< skipped >>>

GET /s/3879/2344444135/main.swf HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: nginx
Date: Wed, 15 Apr 2015 01:38:51 GMT
Content-Type: FLASH;charset=UTF-8
Content-Length: 0
Connection: keep-alive
Content-Language: zh-CN
Location: hXXp://c1.web.yy.com/r/rc/main/main/1/43/main.swf?type=main&topSid=3879&subSid=2344444135&referer=http://yy.com/s/3879/2344444135/main.swf



GET /s/3879/2344444135/main.swf HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://yy.com/s/3879/2344444135/main.swf
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive


HTTP/1.1 302 Found
Server: nginx
Date: Wed, 15 Apr 2015 01:38:53 GMT
Content-Type: FLASH;charset=UTF-8
Content-Length: 0
Connection: keep-alive
Content-Language: zh-CN
Location: hXXp://c1.web.yy.com/r/rc/main/main/1/43/main.swf?type=main&topSid=3879&subSid=2344444135&referer=http://yy.com/s/3879/2344444135/main.swf



GET /crossdomain.xml HTTP/1.1

Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 Apr 2015 01:38:54 GMT
Content-Type: application/xml
Transfer-Encoding: chunked
Connection: keep-alive
Last-Modified: Thu, 20 Feb 2014 07:37:13 GMT
Content-Encoding: gzip



GET //get-data/3879?subSid=2344444135&type=main&referer=hXXp://yy.com/s/3879/2344444135/main.swf&_=46553400 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://c1.web.yy.com/r/rc/main/main/1/43/main.swf?type=main&topSid=3879&subSid=2344444135&referer=http://yy.com/s/3879/234444413
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: yy.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 Apr 2015 01:38:55 GMT
Content-Type: text/plain;charset=UTF-8
Content-Length: 693
Connection: keep-alive
Set-Cookie: __wyy=6b7173887cf74a93b533e7156ed7bb85;Path=/;Domain=.yy.com;Expires=Thu, 14-Apr-2016 01:38:54 GMT
Set-Cookie: hiido_ui=0.7859214506520492;Path=/;Domain=.yy.com;Expires=Wed, 22-Apr-2015 01:38:54 GMT
Set-Cookie: JSESSIONID=yf51tqgtpwbg6uvo1ul0sksg6743s.yf5;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Accept-Charset: big5, big5-hkscs, compound_text, euc-jp, euc-kr, gb18030, gb2312, gbk, ibm-thai, ibm00858, ibm01140, ibm01141, ibm01142, ibm01143, ibm01144, ibm01145, ibm01146, ibm01147, ibm01148, ibm01149, ibm037, ibm1026, ibm1047, ibm273, ibm277, ibm278, ibm280, ibm284, ibm285, ibm297, ibm420, ibm424, ibm437, ibm500, ibm775, ibm850, ibm852, ibm855, ibm857, ibm860, ibm861, ibm862, ibm863, ibm864, ibm865, ibm866, ibm868, ibm869, ibm870, ibm871, ibm918, iso-2022-cn, iso-2022-jp, iso-2022-jp-2, iso-2022-kr, iso-8859-1, iso-8859-13, iso-8859-15, iso-8859-2, iso-8859-3, iso-8859-4, iso-8859-5, iso-8859-6, iso-8859-7, iso-8859-8, iso-8859-9, jis_x0201, jis_x0212-1990, koi8-r, koi8-u, shift_jis, tis-620, us-ascii, utf-16, utf-16be, utf-16le, utf-32, utf-32be, utf-32le, utf-8, windows-1250, windows-1251, windows-1252, windows-1253, windows-1254, windows-1255, windows-1256, windows-1257, windows-1258, windows-31j, x-big5-hkscs-2001, x-big5-solaris, x-euc-jp-linux, x-euc-tw, x-eucjp-open, x-ibm1006, x-ibm1025, x-ibm1046, x-ibm1097, x-ibm1098, x-ibm1112, x-ibm1122, x-ibm1123, x-ibm1124, x-ibm1364, x-ibm1381, x-ibm1383, x-ibm33722, x-ibm737, x-ibm833, x-ibm834, x-ibm856, x-ibm874, x-ibm875, x-ibm921, x-ibm922, x-ibm930, x-ibm933, x-ibm935, x-ibm937, x-ibm939, x-ibm942, x-ibm942c, x-ibm943, x-ibm943c, x-ibm948, x-ibm949, x-ibm949c, x-ibm950, x-ibm964, x-ibm970, x-iscii91, x-iso-2022-cn-cns, x-iso-2022-cn-gb, x-iso-8859-11, x-jis0208, x-jisautodetect, x-johab, x-macarabic, x-maccentraleurope, x-maccroatian, x-maccyrillic, x-macdingbat, x-macgreek, x-machebrew, x-maciceland, x-macroman, x-macromania, x-macsymbol, x-macthai, x-macturkish, x-macukraine, x-ms932_0213, x-ms950-hkscs, x-ms950-hkscs-xp, x-mswin-936, x-pck, x-sjis_0213, x-utf-16le-bom, x-utf-32be-bom, x-utf-32le-bom, x-windows-50220, x-windows-50221, x-windows-874, x-windows-949, x-windows-950, x-windows-iso2022jp
Content-Encoding: gzip

<<< skipped >>>

GET /sqresxyrqmbmsyd/item/fabb7dc1cb1cc23e0ad93ac4 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: hi.baidu.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Set-Cookie: BAIDUID=A5C453D587B1ADA43087DF2518CAE1E9:FG=1; max-age=31536000; expires=Thu, 14-Apr-16 01:38:50 GMT; domain=.baidu.com; path=/; version=1
P3P: CP=" OTI DSP COR IVA OUR IND COM "
Content-type: text/html
Transfer-Encoding: chunked
Connection: close
Date: Wed, 15 Apr 2015 01:38:51 GMT
Server: apache
100f..               <!DOCTYPE html><html  id="customDoc">
<!--STATUS OK--> <head> <meta http-equiv=Content-Type c
ontent="text/html; charset=utf-8"> <title> ............_.....
....c........._............</title> <link rel="shortcut icon"
href="hXXp://hi.bdimg.com/static/qbase/img/mod/16_favicon.ico?v=116ba
471.ico" type=image/x-icon> <meta name=keywords content=".....
.......,"> <meta name=description content=",............"><
;script>window.wpo={start:new Date*1,pid:109,page:'qing'}</scrip
t><!--[if IE]><script type="text/javascript">(function(
){var e="abbr,article,aside,audio,canvas,datalist,details,dialog,event
source,figure,footer,header,hgroup,mark,menu,meter,nav,output,progress
,section,time,video".split(","),t=e.length;while(t--)document.createEl
ement(e[t])})();</script><![endif]--><script>window.
qDomain={"qing":"hXXp://hi.baidu.com","static":"hXXp://hi.bdimg.com","
passport":"hXXps://passport.baidu.com","portrait":"hXXp://tx.bdimg.com
","hiup":"hXXp://hi.baidu.com","photo":"hXXp://hiphotos.baidu.com","me
ssage":"hXXp://msg.baidu.com","friend":"hXXp://frd.baidu.com","mp3":"h
ttp://mp3.baidu.com","ting":"hXXp://ting.baidu.com","image":"hXXp://im
g.baidu.com","qup":"hXXp://upload.hi.baidu.com","www":"hXXp://VVV.baid
u.com"};window.qUserInfo={"userName":".........c","nickname":"........
.c","portrait":"bed17371726573787972716d626d7379642c36","qingUrl":"\/s
qresxyrqmbmsyd","spaceName":".........c.........","right":"0","ava

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: weblbs.yystatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 260
Content-type: text/html
Last-Modified: Tue,14-Oct-14 13:38:55 GMT
<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
<allow-access-from domain="*" secure="false" to-ports="*" />
</cross-domain-policy>



GET //get-data/3879?subSid=2344444135&type=mini&_=1651379 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://c1.web.yy.com/r/rc/main/main/1/53/main.swf?type=mini&topSid=3879&subSid=2344444135
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: weblbs.yystatic.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Connection: keep-alive
Content-Encoding: gzip
Content-Length: 567
Content-type: text/html
Set-Cookie: wyy=067963e65c3947d6beb354e4af8274f5;Path=/;Domain=yystatic.com;Expires=Thu,14-Apr-16 01:38:55 GMT
Set-Cookie: hiido_ui=0.105668953203442;Path=/;Domain=yystatic.com;Expires=Thu,14-Apr-16 01:38:55 GMT

<<< skipped >>>

GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: tming1.ys168.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 11996
Content-Type: text/html; charset=gb2312
Expires: -1
Set-Cookie: ASP.NET_SessionId=1sm1zqq3pzqkfb5kfadn5nqt; path=/; HttpOnly
Server: IIS
X-AspNet-Version: 0
X-Powered-By: WAF/2.0
Date: Wed, 15 Apr 2015 01:37:49 GMT
..<html>..<head>..<meta http-equiv="Content-Language" c
ontent="zh-cn" />..<meta http-equiv="Content-Type" content="text
/html; charset=gb2312" />..<title>...........................
...............</title>..<link rel="Stylesheet" href="hXXp://
zy1.ys168.com/js/st_2.aspx?fg=5&tp=hXXp://zy1.ys168.com/tp" type="text
/css" />..<script type="text/javascript">.. document.domai
n = qdhost();xdwjsl=60;ddlmc='tming1';duser=4000568;dxkbt=false;dxkly=
0;dxksc=false;dffpd=false;dxkjl=false;dfgxz='5';dxken=false;Qsjk=5;Nfs
=false;.. var jzpd = 0; var owPd = 0; var wjscjs = 1;var isFir=fals
e; var isIE = false;var isIE10 = false;.. var Qcxzt=false;var PD_g
zgg="0";var Qzdqbh = -1; ffOK = false; ccOK = false;.. var FFGQPD =
"0";var Qzydz = "hXXp://zy1.ys168.com";var Qccym = "c5.ys168.com";..
window.onload = function () {.. var bbx = navigator.userAgen
t.toLowerCase();.. if (bbx.indexOf("firefox") > 0) isFir = t
rue;.. if (bbx.indexOf("msie") > 0 || bbx.indexOf("trident")
>0) isIE = true.. if (isIE) {.. if (navigator.app
Version.match(/10./i) == '10.' || bbx.indexOf("trident") > 0) isIE1
0 = true;.. }.. jcgd();.. $("scmore").checked = f
alse; .. Q.f_ly = 'tming1.ys168.com';.. .. if (Qc
xzt) { ysdy();} ffOK = true;.. }.. window.onresize = function()
{ jcgd(); }...function $(rid) {return document.getElementById(rid);}..
.function ysdy() { if (ccOK) return; ccOK = true; frxcx.zx();}...f

<<< skipped >>>

GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vr.duowan.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 Apr 2015 01:38:59 GMT
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 09 Apr 2015 06:55:07 GMT
Connection: keep-alive
ETag: "5526224b-102"
Accept-Ranges: bytes
<?xml version="1.0"?>
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
<allow-access-from domain="*" secure="false" to-ports="*" />
</cross-domain-policy>



GET /mainstat.html?s=101&topSid=3879&subSid=2344444135&type=mini&tuna=115.238.59.218&res=24&getT=1954&qva=0 HTTP/1.1

Accept: */*
Accept-Language: en-US
Referer: hXXp://c1.web.yy.com/r/rc/main/main/1/53/main.swf?type=mini&topSid=3879&subSid=2344444135
x-flash-version: 11,6,602,168
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: vr.duowan.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 15 Apr 2015 01:38:59 GMT
Content-Type: text/html
Content-Length: 0
Last-Modified: Thu, 09 Apr 2015 06:55:07 GMT
Connection: keep-alive
ETag: "5526224b-0"
Accept-Ranges: bytes


The Trojan connects to the servers at the following location(s):

%original file name%.exe_636:

`.rsrc
SkinH_EL.dll
fmifs.dll
kernel32.dll
user32.dll
ntdll.dll
EnumWindows
UnhookWindowsHookEx
GetAsyncKeyState
MsgWaitForMultipleObjects
EnumChildWindows
MapVirtualKeyA
b\SkinH_EL.dll
.rsrc
KERNEL32.DLL
COMCTL32.dll
GDI32.dll
MSIMG32.dll
MSVCRT.dll
MSVFW32.dll
USER32.dll
yybox.exe
\yybox.exe
hXXp://
.com/s/3879/
CNotSupportedExcept
COMLZ.DLL
ADVAPI32.dll
comdlg32.dll
ole32.dll
OLEAUT32.dll
oledlg.dll
SHELL32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll
RegCloseKey
ShellExecuteA
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
C:\A7.ini
[email protected]
C:\yy3879.bmp
1.2.18
inflate 1.1.3 Copyright 1995-1998 Mark Adler
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WSOCK32.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP/1.0
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
1.1.3
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
explorer.exe
777b274bd60bad96829.exe
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
GetWindowsDirectoryA
WinExec
GetProcessHeap
RegCreateKeyA
RegOpenKeyExA
RegCreateKeyExA
GetViewportOrgEx
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportExtEx
SetWindowsHookExA
CreateDialogIndirectParamA
ExitWindowsEx
keybd_event
VkKeyScanExA
GetKeyboardLayout
GetKeyState
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
.text
`.rdata
@.data
AVIFIL32.dll
RASAPI32.dll
WININET.dll
1, 0, 6, 6

%original file name%.exe_636_rwx_10001000_00039000:

msctls_hotkey32
TVCLHotKey
THotKey
\skinh.she
SetViewportOrgEx
SetViewportExtEx
SetWindowsHookExA
UnhookWindowsHookEx
EnumThreadWindows
EnumChildWindows
.text
`.rdata
@.data
.rsrc
@.UPX0
`.UPX1
`.reloc

yybox.exe_1304:

`.rsrc
software\microsoft\windows\CurrentVersion\Run\yybox
hXXp://yy.com/s/3879/2344444135/main.swft
hXXp://c1.web.yy.com/r/rc/main/main/1/53/main.swf?type=mini&topSid=3879&subSid=2344444135
F%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
ole32.dll
__MSVCRT_HEAP_SELECT
user32.dll
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
WININET.dll
.PAVCException@@
.PAVCNotSupportedException@@
.PAVCFileException@@
(*.prn)|*.prn|
(*.*)|*.*||
Shell32.dll
Mpr.dll
Advapi32.dll
User32.dll
Gdi32.dll
Kernel32.dll
?? / %d]
%d / %d]
: %d]
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
out.prn
%d.%d
%d / %d
%d/%d
Bogus message code %d
(%d-%d):
%ld%c
(*.htm;*.html)|*.htm;*.html
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
.PAVCOleDispatchException@@
%WinDir%\yybox.exe
#include "l.chs\afxres.rc" // Standard components
GetCPInfo
WinExec
GetProcessHeap
RegCloseKey
RegOpenKeyExA
RegCreateKeyA
RegCreateKeyExA
GetViewportExtEx
GetViewportOrgEx
ScaleViewportExtEx
SetViewportExtEx
OffsetViewportOrgEx
SetViewportOrgEx
ShellExecuteA
GetKeyState
CreateDialogIndirectParamA
UnhookWindowsHookEx
SetWindowsHookExA
.text
`.rdata
@.data
.rsrc
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
comdlg32.dll
GDI32.dll
OLEAUT32.dll
oledlg.dll
SHELL32.dll
USER32.dll
WINMM.dll
WINSPOOL.DRV
WS2_32.dll



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3879[1] (567 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loading[1].swf (9541 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yy[2].txt (334 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\loading[1].swf (430 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\crossdomain[1].xml (432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\core[1].bmp (154233 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yystatic[1].txt (189 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].xml (265 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[1].htm (260 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yystatic[2].txt (361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\main[1].swf (388 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3879[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\3879[1].swf&_=46553400 (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\main[1].swf (1967 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\crossdomain[2].htm (260 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (4240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\3879[1].swf&_=46553400 (693 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@yy[1].txt (179 bytes)
    C:\1e17b2e9f0_881.exe (10815 bytes)
    %WinDir%\yybox.exe (1751 bytes)
    C:\SkinH_EL.dll (88 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@baidu[1].txt (198 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "yybox" = "%WinDir%\yybox.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
