Gen.Variant.Graftor.43103_cee96ea0a0

by malwarelabrobot on January 17th, 2015 in Malware Descriptions.

Trojan.Win32.Hosts2.cg (Kaspersky), Gen:Variant.Graftor.43103 (B) (Emsisoft), Gen:Variant.Graftor.43103 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: cee96ea0a0050aed98bc63f2e3c95b43
SHA1: 3129b8d2eb653f288083393cb3f54a1d93774aa2
SHA256: 48c0053122c8fea71b56480a3499dc2fc833ae3b246cf6727b7bea1c036f3d44
SSDeep: 12288:wotgBhZfA1W0W00bCF2MXY0g skR8 vhpV6Y51vYF5z093R:wo0hZ400W00bCF5skRREYGzah
Size: 462848 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: PlusHD Q-9.1V10.01
Created at: 2014-12-11 17:16:45
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

service.exe:1184

The Trojan injects its code into the following process(es):

shanhu_7654_29738.exe:1604

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process shanhu_7654_29738.exe:1604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\7654\7654Bao32.sys (25 bytes)
%Documents and Settings%\All Users\Application Data\7654\7654Bao64.sys (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\HardInfo.dll (7 bytes)
%Documents and Settings%\All Users\Application Data\7654\service.exe (18632 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\NewInfo.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\MD5Util.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\setup_ShanHuSilent.exe (473127 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp (0 bytes)

Registry activity

The process service.exe:1184 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 1F 1D DC 48 85 7F 20 F6 37 D3 42 C5 3A DA 12"

[HKLM\SOFTWARE\7654Soft]
"ServiceDescription" = "7654联盟制定为用户安装软件使用保驾护航"
"ServiceImagePath" = "%Documents and Settings%\All Users\Application Data\7654\service.exe StartService"
"ServiceDisplayName" = "7654软件宝"
"ServiceName" = "7654Bao"

The process shanhu_7654_29738.exe:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 F1 22 66 77 3D 5E 5E EC D7 45 04 07 E2 FF E0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses.
The modified file is 4364 bytes in size. The following strings are added to the hosts file:



Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name     Virtual Address   Virtual Size   Raw Size   Entropy   Section MD5
.text    4096              68578          69632      4.47539   66a0b8e50dda9ee08925112c88d50bc0
.rdata   73728             14892          16384      3.16611   ce538dce21ba4f754300c3f6c4550c4c
.data    90112             380896         372736     5.48667   cfc8a022065f69e2b966d28a24e8b6f7

URLs

URL IP
hxxp://220.181.132.237/share.php?method=Share.download&cqid=f7f5b494a0d97c4506b8643b5aca300e&dt=55.0db6818ac10cf334c5c004c60ce1c696&e=1421574547&fhash=312756023d6918031cccca761765dc7a6b3b36fe&fname=shanhu_7654_29738.exe&fsize=13166440&nid=14150301296199941&scid=55&st=19e0258d9fc30995931496a9967e984d&xqid=108878932
hxxp://ac7xafabpw.l26.yunpan.cn/lk/csX5gsznjRB7f 111.206.52.79
hxxp://ac7xafabpw.l26.yunpan.cn/share/downloadfile/ 111.206.52.79
hxxp://yunpan.cn/csX5gsznjRB7f
hxxp://ac7xafabpw.l26.yunpan.cn/share/verifyPassword?linkpassword=e4a5&shorturl=csX5gsznjRB7f 111.206.52.79


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /share.php?method=Share.download&cqid=f7f5b494a0d97c4506b8643b5aca300e&dt=55.0db6818ac10cf334c5c004c60ce1c696&e=1421574547&fhash=312756023d6918031cccca761765dc7a6b3b36fe&fname=shanhu_7654_29738.exe&fsize=13166440&nid=14150301296199941&scid=55&st=19e0258d9fc30995931496a9967e984d&xqid=108878932 HTTP/1.1
Host: 220.181.132.237
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Content-Type: application/octet-stream
Content-Transfer-Encoding: binary
X-QIHOO-SERVER: extended nginx
cache-control: max-age=2592000
Accept-Ranges: bytes
Date: Fri, 16 Jan 2015 09:49:08 GMT
X-Varnish: 1304394727
Age: 0
Via: 1.1 varnish
Connection: keep-alive
Content-Disposition: attachment; filename="shanhu_7654_29738.exe"
X-Cache: MISS
X-SIP: 10.131.80.27
Content-Length: 13166440

<<< skipped >>>

GET /share/verifyPassword?linkpassword=e4a5&shorturl=csX5gsznjRB7f HTTP/1.1
Referer: hXXp://ac7xafabpw.l26.yunpan.cn/share/verifyPassword?linkpassword=e4a5&shorturl=csX5gsznjRB7f
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: ac7xafabpw.l26.yunpan.cn
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 16 Jan 2015 09:49:06 GMT
Content-Type: application/x-javascript;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.5
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-control: private
Set-Cookie: user_visit_token_csX5gsznjRB7f=ee76f3bae804a6dbfdea152d250beb0d.1421401746; path=/; domain=.yunpan.cn
2f..{"errno":0,"errmsg":"\u64cd\u4f5c\u6210\u529f"}..0......



GET /lk/csX5gsznjRB7f HTTP/1.1
Referer: hXXp://ac7xafabpw.l26.yunpan.cn/lk/csX5gsznjRB7f
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: ac7xafabpw.l26.yunpan.cn
Cache-Control: no-cache
Cookie: user_visit_token_csX5gsznjRB7f=ee76f3bae804a6dbfdea152d250beb0d.1421401746


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 16 Jan 2015 09:49:06 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.5

<<< skipped >>>

POST /share/downloadfile/ HTTP/1.1
Referer: hXXp://ac7xafabpw.l26.yunpan.cn/share/downloadfile/
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: ac7xafabpw.l26.yunpan.cn
Content-Length: 44
Cache-Control: no-cache
Cookie: user_visit_token_csX5gsznjRB7f=ee76f3bae804a6dbfdea152d250beb0d.1421401746

nid=14150301296199941&shorturl=csX5gsznjRB7f


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 16 Jan 2015 09:49:07 GMT
Content-Type: application/x-javascript;charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.2.5
Set-Cookie: e=1421574547; expires=Sun, 18-Jan-2015 09:49:07 GMT; path=/; domain=.yunpan.cn
Set-Cookie: cqid=f7f5b494a0d97c4506b8643b5aca300e; expires=Sun, 18-Jan-2015 09:49:07 GMT; path=/; domain=.yunpan.cn
Set-Cookie: fname=shanhu_7654_29738.exe; expires=Sun, 18-Jan-2015 09:49:07 GMT; path=/; domain=.yunpan.cn
193..{"errno":0,"errmsg":"\u64cd\u4f5c\u6210\u529f","data":{"downloadu
rl":"http:\/\/220.181.132.237\/share.php?method=Share.download&cqid=f7
f5b494a0d97c4506b8643b5aca300e&dt=55.0db6818ac10cf334c5c004c60ce1c696&
e=1421574547&fhash=312756023d6918031cccca761765dc7a6b3b36fe&fname=shan
hu_7654_29738.exe&fsize=13166440&nid=14150301296199941&scid=55&st=19e0
258d9fc30995931496a9967e984d&xqid=108878932","params":[]}}..0..

<<< skipped >>>

GET /csX5gsznjRB7f HTTP/1.1
Referer: hXXp://yunpan.cn/csX5gsznjRB7f
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: yunpan.cn
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.6.2
Date: Fri, 16 Jan 2015 09:49:04 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Location: hXXp://ac7xafabpw.l26.yunpan.cn/lk/csX5gsznjRB7f
0..


The Trojan connects to the servers at the following location(s):

svchost.exe_1516:


shanhu_7654_29738.exe_1604:

Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
VVV.shanhusrf.com
1, 0, 1, 0
shsrf.exe
1.0.0.0
(C) hXXp://VVV.7654.com/

shanhu_7654_29738.exe_1604_rwx_003C4000_00001000:

callback%d

service.exe_1184:


service.exe_1884:


setup_7654_29738.exe_228:

.text
`.rdata
@.data
.rsrc
ERROR: %s
hXXp://tj.sgshurufa.com/server_time
%d%.2d%.2d
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
KERNEL32.DLL
portuguese-brazilian
kernel32.dll
GetProcessWindowStation
USER32.DLL
operator
.jpeg
.html
--%s--
couldn't open file "%s"
Content-Type: %s
; filename="%s"
Content-Disposition: attachment; filename="%s"
Content-Type: multipart/mixed, boundary=%s
%s; boundary=%s
Could not resolve %s: %s; %s
getaddrinfo() failed for %s:%d; %s
init_resolve_thread() failed for %s; %s
%s:%d
About to connect() to %s%s port %ld (#%ld)
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol %s not supported or disabled in libcurl
<url> malformed
:]://%[^
[^:]:%[^
http_proxy
%5[^:@]:%5[^@]
:%5[^@]
Port number too large: %lu
%s://%s%s%s:%hu%s%s%s
;type=%c
[%*45[0123456789abcdefABCDEF:.]%c
Couldn't find host %s in the _netrc file; using defaults
[email protected]
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
User-Agent: %s
Re-using existing connection! (#%ld) with host %s
%s://%s
Connection #%ld to host %s left intact
operation aborted by callback
ioctl callback returned error %d
the ioctl callback returned %d
seek callback returned error %d
Problem (%d) in the Chunked-Encoded data
HTTP server doesn't seem to support byte ranges. Cannot resume.
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
Excess found in a non pipelined read: excess = %zu, size = %lld, maxdownload = %lld, bytecount = %lld
Rewinding stream by : %zu bytes on url %s (size = %lld, maxdownload = %lld, bytecount = %lld, nread = %zd)
Rewinding stream by : %zd bytes on url %s (zero-length body)
Operation timed out after %ld milliseconds with %lld bytes received
Operation timed out after %ld milliseconds with %lld out of %lld bytes received
Added %s:%d:%s to DNS cache
Resolve %s found illegal!
%5[^:]:%d:%5s
No URL set!
[^?&/:]://%c
Violate RFC 2616/10.3.2 and switch from POST to GET
Violate RFC 2616/10.3.3 and switch from POST to GET
Disables POST, goes with %s
Issue another request to this URL: '%s'
unspecified error %d
%s cookie %s="%s" for domain %s, path %s, expire %lld
#HttpOnly_
skipped cookie with bad tailmatch domain: %s
skipped cookie with illegal dotcount domain: %s
httponly
23[^;
=]=I99[^;
%s%s%s
# Fatal libcurl error
# Netscape HTTP Cookie File
# hXXp://curl.haxx.se/rfc/cookie_spec.html
# This file was generated by libcurl! Edit at your own risk.
WARNING: failed to save cookies in %s
[%s %s %s]
Send failure: %s
Recv failure: %s
bind failed with errno %d: %s
Local port: %hu
getsockname() failed with errno %d: %s
Bind to local port %hu failed, trying next
Couldn't bind to '%s'
Name '%s' family %i resolved to '%s' family %i
Local Interface %s is ip %s using address family %i
ssloc inet_ntop() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
getpeername() failed with errno %d: %s
TCP_NODELAY set
Could not set TCP_NODELAY: %s
Failed to connect to %s: %s
Trying %s...
sa_addr inet_ntop() failed with errno %d: %s
Unable to parse FTP file list
Error in the SSH layer
Caller must register CURLOPT_CONV_ callback options
TFTP: No such user
TFTP: Unknown transfer ID
TFTP: Illegal operation
TFTP: Access Violation
TFTP: File Not Found
Login denied
Issuer check against peer certificate failed
Invalid LDAP URL
Unrecognized or bad HTTP Content or Transfer-Encoding
Problem with the SSL CA cert (path? access rights?)
Peer certificate cannot be authenticated with given CA certificates
Problem with the local SSL certificate
SSL peer certificate or SSH remote key was not OK
An unknown option was passed in to libcurl
A libcurl function was given a bad argument
Operation was aborted by an application callback
FTP: command REST failed
FTP: command PORT failed
HTTP response code said error
FTP: couldn't retrieve (RETR failed) the specified file
FTP: couldn't set file type
FTP: can't figure out the host in the PASV response
FTP: unknown 227 response format
FTP: unknown PASV reply
FTP: unknown PASS reply
FTP: The server did not accept the PRET command.
FTP: weird server reply
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
URL using bad/illegal format or missing URL
Unsupported protocol
Winsock version not supported
Protocol family not supported
Address family not supported
Operation not supported
Socket is unsupported
Protocol is unsupported
Protocol option is unsupported
Unknown error %d (%#x)
Internal error removing splay node = %d
Internal error clearing splay node = %d
%d.%d.%d.%d
%s%s%s%s%s%s
Session: %s
%s %s RTSP/1.0
Range: %s
Referer: %s
Accept-Encoding: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Transport: %s
Transport:
Refusing to issue an RTSP request [%s] without a session ID.
Got RTSP Session ID Line [%s], but wanted ID [%s]
Unable to read the CSeq header: [%s]
SMTP
LOGIN
EHLO %s
HELO %s
AUTH %s
No known auth mechanisms supported!
AUTH %s %s
Access denied: %d
%s xxxxxxxxxxxxxxxx
Authentication failed: %d
MAIL FROM:%s SIZE=%s
MAIL FROM:%s
RCPT TO:<%s>
RCPT TO:%s
SMTPS not supported!
STARTTLS denied. %c
Got unexpected smtp-server response: %d
USER %s
PASS %s
Access denied. %c
Invalid message. %c
RETR %s
LIST %s
POP3S not supported!
%s LOGIN %s %s
%s SELECT %s
%s FETCH 1 BODY[TEXT]
%s LOGOUT
IMAPS not supported!
%s STARTTLS
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
invalid tsize -:%s:- value in OACK packet
%s (%ld)
blksize is smaller than min supported
%s (%d)
blksize is larger than max supported
%s (%d) %s (%d)
got option=(%s) value=(%s)
tftp_rx: internal error
Timeout waiting for block %d ACK. Retries = %d
Received unexpected DATA packet block %d, expecting block %d
tftp_tx: internal error, event: %i
tftp_tx: giving up waiting for block %d ack
Received ACK for block %d, expecting %d
bind() failed; %s
tftp_send_first: internal error
%s%c%s%c
TFTP finished
TFTP response timeout
Can't get the size of %s
Can't open %s for writing
Last-Modified: %s, d %s M d:d:d GMT
Couldn't open file %s
There are more than %d entries
LDAP remote: %s
LDAP local: ldap_simple_bind_s %s
LDAP local: Cannot connect to %s:%hu
LDAP local: trying to establish %s connection
LDAP local: %s
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
CLIENT libcurl 7.23.1
MATCH %s %s %s
DEFINE %s %s
insufficient winsock version to support telnet
WSAStartup failed (%d)
%s %d %d
%s %s %d
%s %s %s
%s IAC %d
%s IAC %s
Sending data failed (%d)
%d (unknown)
%s (unsupported)
%s IAC SB
Syntax error in telnet option: %s
Unknown telnet option %s
7[^= ]%*[ =]%5s
USER,%s
%c%c%c%c%s%c%c
%c%s%c%s
7[^,],7s
%c%c%c%c
FreeLibrary(wsock2) failed (%d)
WSACloseEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACreateEvent failed (%d)
failed to find WSAEnumNetworkEvents function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSACreateEvent function (%d)
failed to load WS2_32.DLL (%d)
WS2_32.DLL
PORT
FTP response aborted due to select/poll error: %d
FTP response timeout
Failure sending PORT command: %s
%s %s
,%d,%d
Failure sending EPRT command: %s
%s |%d|%s|%hu|
bind() failed, we ran out of ports!
bind(port=%hu) failed: %s
bind(port=%hu) on non-local address failed: %s
socket failure: %s
failed to resolve the address provided to PORT: %s
getsockname() failed: %s
Connect data stream passively
PRET RETR %s
PRET STOR %s
PRET %s
REST %d
SIZE %s
STOR %s
APPE %s
Failed to do PORT
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
Failed FTP upload: 
RETR response: d
PBSZ %d
Access denied: d
ACCT %s
ACCT rejected by server: d
TYPE %c
Connecting to %s (%s) port %d
Failure sending QUIT command: %s
Uploading to a URL without a file name!
FTPS not supported!
MDTM %s
Bad PASV/EPSV response: d
Can't resolve new host %s:%hu
Can't resolve proxy host %s:%hu
Skips %d.%d.%d.%d for data connection, uses %s instead
%d,%d,%d,%d,%d,%d
%c%c%c%u%c
ddd d:d:d GMT
dddddd
unsupported MDTM reply format
QUOT string not accepted: %s
Wildcard - "%s" skipped by user
Wildcard - START of "%s"
CWD %s
PRET command not accepted: d
Failed to MKD dir: d
MKD %s
QUOT command failed with d
Entry path is '%s'
PROT %c
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
Got a d ftp-server response when 220 was expected
server did not report OK, got %d
Failure sending ABOR command: %s
Remembering we are in dir "%s"
%sAuthorization: Basic %s
%s:%s
%s auth using %s with user '%s'
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %d
If-Unmodified-Since: %s
Last-Modified: %s
If-Modified-Since: %s
%s, d %s M d:d:d GMT
Failed sending HTTP POST request
Content-Type: application/x-www-form-urlencoded
Internal HTTP POST error!
Failed sending HTTP request
%s%s=%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
PTF://%s:%s@%s
Content-Range: bytes %s/%lld
Content-Range: bytes %s%lld/%lld
Range: bytes=%s
PTF://
Host: %s%s%s:%hu
Host: %s%s%s
Chunky upload is not supported by HTTP 1.0
HTTP error before end of send, stop sending
HTTP/1.0 connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 proxy connection set to keep alive!
HTTP 1.0, assume close after body
RTSP/%d.%d =
HTTP =
HTTP/%d.%d =
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
SOCKS4%s request granted.
Failed to resolve "%s" for SOCKS4 connect.
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 GSSAPI per-message authentication is not supported.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Failed to resolve "%s" for SOCKS5 connect.
User was rejected by the SOCKS5 server (%d %d).
--:--:--
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s
@password
login
Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
%s, algorithm="%s"
%s, opaque="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"
%sAuthorization: Digest username="%s", realm="%s", nonce="%s", uri="%s", cnonce="%s", nc=x, qop="%s", response="%s"
%s:%s:x:%s:%s:%s
%s:%.*s
%s:%s:%s
d:d
d:d:d
%c%c==
%c%c%c=
Received HTTP code %d from proxy after CONNECT
HTTP/1.%d %d
CONNECT %s:%hu HTTP/%s
%s%s%s%s
Host: %s
%s:%hu
Establish HTTP proxy tunnel to %s:%hu
0123456789-
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
g:\Company\PCProject\Common\Temp\Release\InstallSilent.pdb
SHLWAPI.dll
KERNEL32.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
PeekNamedPipe
WS2_32.dll
WLDAP32.dll
.?AVCHttpPageRequest@@
.?AVCHttpPageResponse@@
.?AVCHttpPageClient@@
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Microsoft.Windows.Silent" type="win32"></assemblyIdentity><description>
</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><ms_asmv2:trustInfo xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2" xmlns="urn:schemas-microsoft-com:asm.v2"><ms_asmv2:security xmlns:ms_asmv2="urn:schemas-microsoft-com:asm.v2"><requestedPrivileges>
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
%s%s\%s
ShanHuInfo.ini
%s*.*
advapi32.dll
okernel32.dll
" RunByWindowsStart
SHMoniter.exe
%s %s,%s
InstallSpreadOperate
SHCore.exe
1.0.1.0930
%s.del%d
%s.del
%s%s.del%d
%s%s.del
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq2.tmp\setup_7654_29738.exe
WebGame(&A)...
All Files (*.*)
No error message is available.'An unsupported operation was attempted.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else..An unexpected error occurred while reading %1..An unexpected error occurred while writing %1.
#Unable to load mail system support.
Access to %1 was denied..An invalid file handle was associated with %1.<%1 could not be removed because it is the current directory.6%1 could not be created because the directory is full.
Seek failed on A hardware I/O error was reported while accessing %1.0A sharing violation occurred while accessing %1.0A locking violation occurred while accessing %1.
Disk full while accessing %1..An attempt was made to access %1 past its end.
No error occurred.-An unknown error occurred while accessing %1./An attempt was made to write to the reading %1..An attempt was made to access %1 past its end.0An attempt was made to read from the writing %1.
VVV.shanhusrf.com
1, 0, 1, 0
shsrf.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    service.exe:1184

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\All Users\Application Data\7654\7654Bao32.sys (25 bytes)
    %Documents and Settings%\All Users\Application Data\7654\7654Bao64.sys (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\HardInfo.dll (7 bytes)
    %Documents and Settings%\All Users\Application Data\7654\service.exe (18632 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\NewInfo.dll (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\MD5Util.dll (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsq2.tmp\setup_ShanHuSilent.exe (473127 bytes)

  4. Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
    127.0.0.1 localhost
  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
